Analysis
- max time kernel: 152s
- max time network: 154s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 25-01-2022 09:29
- Static task: static1
- Behavioral task: behavioral1
- Sample: vsl_rfq01209800122.exe
- Resource: win7-en-20211208
General
- Target: vsl_rfq01209800122.exe
- Size: 249KB
- MD5: c348f7fa655d92a8af86e74aa75821e6
- SHA1: 3b9a060bb64b880595287fcc300d4b5513acb879
- SHA256: fd86ed836eaae451df45e757be525d3c9260d72e0c8af2eb85f1832a8499eac1
- SHA512: 65b4275494e326fa96b9e89e95c9688097eaddde8af4b57cbe01471f01986239fc314b914952286d0e1fe9543f93c44964e9191cc95bea7b345be606862495b4
Malware Config
- Extracted: xloader 2.5 igwa
Signatures

- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload (3 IoCs)
Processes (resource: yara_rule):
- behavioral2/memory/488-116-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
- behavioral2/memory/488-121-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
- behavioral2/memory/1188-125-0x0000000000E00000-0x0000000000E29000-memory.dmp: xloader

Loads dropped DLL (1 IoC)
Processes (pid, process):
- 1840 vsl_rfq01209800122.exe

Suspicious use of SetThreadContext (4 IoCs)
Processes (description; pid, process -> target process):
- PID 1840 set thread context of 488; 1840 vsl_rfq01209800122.exe -> vsl_rfq01209800122.exe
- PID 488 set thread context of 3064; 488 vsl_rfq01209800122.exe -> Explorer.EXE (listed twice)
- PID 1188 set thread context of 3064; 1188 chkdsk.exe -> Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Enumerates system info in registry (2 TTPs, 1 IoC)
Processes (description; ioc; process):
- Key value queried; \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier; chkdsk.exe

Suspicious behavior: EnumeratesProcesses (58 IoCs)
Processes (pid, process):
- 488 vsl_rfq01209800122.exe (6 entries)
- 1188 chkdsk.exe (52 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid, process):
- 3064 Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes (pid, process):
- 488 vsl_rfq01209800122.exe (4 entries)
- 1188 chkdsk.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description; pid, process):
- Token: SeDebugPrivilege; 488 vsl_rfq01209800122.exe
- Token: SeDebugPrivilege; 1188 chkdsk.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description; pid, process -> target process):
- PID 1840 wrote to memory of 488; 1840 vsl_rfq01209800122.exe -> vsl_rfq01209800122.exe (6 entries)
- PID 3064 wrote to memory of 1188; 3064 Explorer.EXE -> chkdsk.exe (3 entries)
- PID 1188 wrote to memory of 1492; 1188 chkdsk.exe -> cmd.exe (3 entries)
Processes (tree; indentation shows parent/child nesting)
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\vsl_rfq01209800122.exe (command line: "C:\Users\Admin\AppData\Local\Temp\vsl_rfq01209800122.exe")
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\vsl_rfq01209800122.exe (command line: "C:\Users\Admin\AppData\Local\Temp\vsl_rfq01209800122.exe")
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\autoconv.exe (command line: "C:\Windows\SysWOW64\autoconv.exe")
  - C:\Windows\SysWOW64\chkdsk.exe (command line: "C:\Windows\SysWOW64\chkdsk.exe")
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (command line: /c del "C:\Users\Admin\AppData\Local\Temp\vsl_rfq01209800122.exe")
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsv1CEC.tmp\rgyunbk.dll
  - MD5: 102bdaa73ca322fbf4ceca5a598869f7
  - SHA1: b88c98aba6bc55637782a9e78a49ca3f32ef150c
  - SHA256: 84c4f3dcd65df355ed10044404c126697b8c1e55a9b1c37e4b43b35c77ae10a1
  - SHA512: aad7fcc36fd66722ca027d689536d32c9ce6994ba5f34d6e891ae973963b7c85cea33b05fdcde140bf087ff98c7dc23c643c07a14baead7404a39a3b99a93d77
- memory/488-122-0x0000000000510000-0x0000000000EA0000-memory.dmp (Filesize: 9.6MB)
- memory/488-118-0x0000000000A20000-0x0000000000D40000-memory.dmp (Filesize: 3.1MB)
- memory/488-119-0x0000000000880000-0x0000000000A1C000-memory.dmp (Filesize: 1.6MB)
- memory/488-121-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/488-116-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/1188-124-0x0000000001070000-0x000000000107A000-memory.dmp (Filesize: 40KB)
- memory/1188-125-0x0000000000E00000-0x0000000000E29000-memory.dmp (Filesize: 164KB)
- memory/1188-126-0x00000000055B0000-0x00000000058D0000-memory.dmp (Filesize: 3.1MB)
- memory/1188-127-0x0000000005270000-0x0000000005404000-memory.dmp (Filesize: 1.6MB)
- memory/3064-120-0x00000000062A0000-0x00000000063B3000-memory.dmp (Filesize: 1.1MB)
- memory/3064-123-0x0000000002C60000-0x0000000002D59000-memory.dmp (Filesize: 996KB)
- memory/3064-128-0x0000000002DE0000-0x0000000002EB8000-memory.dmp (Filesize: 864KB)