Analysis
- max time kernel: 154s
- max time network: 159s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 22-01-2022 00:06
- Static task: static1
- Behavioral task: behavioral1
- Sample: SKM-97116373-PDF.exe
- Resource: win7-en-20211208
General
- Target: SKM-97116373-PDF.exe
- Size: 322KB
- MD5: 49fd93fb9699d57c47b6c1ae98282170
- SHA1: 2ceb5be3f5cc5f91862d866c2b6b695b144cfa56
- SHA256: d6fce7f4f6a8c7c7ec013bd177f42ab0a9ef8d8ce6f505245ea09e41d33201e0
- SHA512: a2c41afc8a7fa52f309efeba8e31966ea376e6ef18870f59adf4531469c07cf2d55ed5ce46c0ea988da6d0e7cbb401cd8dbcf956ae27b21ad22259d1cdc8950f
Malware Config
- Extracted family: xloader
- Version: 2.5
- Campaign ID: uar3
- Domains: 65 extracted C2/decoy domains (list omitted)
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET) (alert raised twice)
- Xloader Payload (2 IoCs)
  yara rule xloader matched in:
  - behavioral2/memory/2332-116-0x0000000000400000-0x0000000000429000-memory.dmp
  - behavioral2/memory/3164-122-0x0000000003270000-0x0000000003299000-memory.dmp
- Loads dropped DLL (1 IoC)
  - PID 2800 SKM-97116373-PDF.exe
- Suspicious use of SetThreadContext (3 IoCs)
  - PID 2800 SKM-97116373-PDF.exe set thread context of PID 2332 SKM-97116373-PDF.exe
  - PID 2332 SKM-97116373-PDF.exe set thread context of PID 2892 Explorer.EXE
  - PID 3164 colorcpl.exe set thread context of PID 2892 Explorer.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (58 IoCs)
  - PID 2332 SKM-97116373-PDF.exe (4 hits)
  - PID 3164 colorcpl.exe (54 hits)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - PID 2892 Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  - PID 2332 SKM-97116373-PDF.exe (3 hits)
  - PID 3164 colorcpl.exe (2 hits)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 2332 SKM-97116373-PDF.exe
  - Token: SeDebugPrivilege, PID 3164 colorcpl.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  - PID 2800 SKM-97116373-PDF.exe wrote to memory of PID 2332 SKM-97116373-PDF.exe (6 hits)
  - PID 2892 Explorer.EXE wrote to memory of PID 3164 colorcpl.exe (3 hits)
  - PID 3164 colorcpl.exe wrote to memory of PID 816 cmd.exe (3 hits)
Processes
- C:\Windows\Explorer.EXE (PID 2892), command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\SKM-97116373-PDF.exe (PID 2800), command line: "C:\Users\Admin\AppData\Local\Temp\SKM-97116373-PDF.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\SKM-97116373-PDF.exe (PID 2332), command line: "C:\Users\Admin\AppData\Local\Temp\SKM-97116373-PDF.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\autofmt.exe, command line: "C:\Windows\SysWOW64\autofmt.exe" (launched 7 times; no signatures)
  - C:\Windows\SysWOW64\colorcpl.exe (PID 3164), command line: "C:\Windows\SysWOW64\colorcpl.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 816), command line: /c del "C:\Users\Admin\AppData\Local\Temp\SKM-97116373-PDF.exe"
Downloads
- \Users\Admin\AppData\Local\Temp\nsbC5F3.tmp\rwam.dll
  - MD5: 33a74a4b53cd8dff8593605ea8308f77
  - SHA1: 8cca33ee4e2079d196f4b4be2a42a537c3f00b13
  - SHA256: 091beda14bcaac53625f006d1f77f6c8bfc07aa45174762057ae4d698a854e1b
  - SHA512: 8843daad9fc93451eba9371b8dce2c975b81f7a94aa5cd402854a633092fac3815c585fa2dc1a26a76b9ed7709ea176f70b19392a5ca1144743e182aacdbfaad
- memory/2332-116-0x0000000000400000-0x0000000000429000-memory.dmp, filesize: 164KB
- memory/2332-118-0x0000000000B30000-0x0000000000E50000-memory.dmp, filesize: 3.1MB
- memory/2332-119-0x00000000006D0000-0x00000000006E1000-memory.dmp, filesize: 68KB
- memory/2892-120-0x00000000031A0000-0x0000000003291000-memory.dmp, filesize: 964KB
- memory/2892-125-0x0000000005510000-0x00000000055D5000-memory.dmp, filesize: 788KB
- memory/3164-121-0x00000000000B0000-0x00000000000C9000-memory.dmp, filesize: 100KB
- memory/3164-122-0x0000000003270000-0x0000000003299000-memory.dmp, filesize: 164KB
- memory/3164-123-0x00000000047A0000-0x0000000004AC0000-memory.dmp, filesize: 3.1MB
- memory/3164-124-0x0000000004B50000-0x0000000004BE0000-memory.dmp, filesize: 576KB