Analysis
-
max time kernel
154s -
max time network
152s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
28-01-2022 07:33
Static task
static1
Behavioral task
behavioral1
Sample
BANK DETAILS-26012022-971332pdf.exe
Resource
win7-en-20211208
General
-
Target
BANK DETAILS-26012022-971332pdf.exe
-
Size
234KB
-
MD5
915102405b44b4eb490450935905b4c5
-
SHA1
cc89138f906776cc8ceb6135753bd1bfdc423846
-
SHA256
234d944f1c4d9dcb90a6797dc13bf50fa2290da2230d134ee70bc4b7c4143ab8
-
SHA512
d34136c97136cdb01cde174506dd02b250894f4427dcac3c0d98dbc2a417db0b1fd15ad950b491b5795fb345ebe4eba175baac23252d3222eb0e5d253adf4615
Malware Config
Extracted
xloader
2.5
be4o
neonewway.club
kuanghong.club
7bkj.com
ooo-club.com
kamchatka-agency.com
sjsndtvitzru.mobi
noireimpactcollective.net
justbe-event.com
easypeasy.community
southcoast.glass
janhenningsen.com
jmxyjj.com
tarihibilet.com
nagradi7.com
percentrostered.net
certvaxid.com
kingseafoodsydney.com
blacksheepwalk.com
waktuk.com
inteligenciaenrefrigeracion.com
marvinhull.com
fikretbayrakdar.com
rsxrsh.com
vastukalabid.com
belindahulett.com
aibet888.club
icarus-groupe.com
vendasdigitaisonline.com
fairytalepageants.com
imaginativeprint.com
quanqiu55555.com
owensigns.com
kaikkistore.com
dreamintelligent.com
piqqekqqbpjpajbzvvfqapwr.store
mariachinuevozacatecas24-7.com
glenndcp.com
vaughnediting.com
10dian-3.com
buresdx.com
itservon.com
buyingusedfurniture.com
elektropanjur.com
logotzo.com
eaglesaviationexperience.com
antoniopasciuti.com
personas1web.com
hvbatterystore.com
ksustudyabroad.com
4huav946.com
gojajix.xyz
kennycheng.tech
traditionnevertrend.com
mytrainermatrix.online
basculasperu.com
eljkj.com
teleconstructiongroup.com
28682df.com
altimiravet.com
worldplantaward.com
mydxza.com
josiemaran-supernatural.com
brainymortgage.info
diffamr.net
istemnetwork.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/1008-120-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral2/memory/1008-125-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral2/memory/572-129-0x0000000002D40000-0x0000000002D69000-memory.dmp xloader -
Blocklisted process makes network request 5 IoCs
Processes:
rundll32.exeflow pid process 35 572 rundll32.exe 36 572 rundll32.exe 38 572 rundll32.exe 40 572 rundll32.exe 42 572 rundll32.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
BANK DETAILS-26012022-971332pdf.exeaspnet_compiler.exerundll32.exedescription pid process target process PID 2620 set thread context of 1008 2620 BANK DETAILS-26012022-971332pdf.exe aspnet_compiler.exe PID 1008 set thread context of 3040 1008 aspnet_compiler.exe Explorer.EXE PID 1008 set thread context of 3040 1008 aspnet_compiler.exe Explorer.EXE PID 572 set thread context of 3040 572 rundll32.exe Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
aspnet_compiler.exerundll32.exepid process 1008 aspnet_compiler.exe 1008 aspnet_compiler.exe 1008 aspnet_compiler.exe 1008 aspnet_compiler.exe 1008 aspnet_compiler.exe 1008 aspnet_compiler.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe 572 rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 3040 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
aspnet_compiler.exerundll32.exepid process 1008 aspnet_compiler.exe 1008 aspnet_compiler.exe 1008 aspnet_compiler.exe 1008 aspnet_compiler.exe 572 rundll32.exe 572 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
BANK DETAILS-26012022-971332pdf.exeaspnet_compiler.exerundll32.exedescription pid process Token: SeDebugPrivilege 2620 BANK DETAILS-26012022-971332pdf.exe Token: SeDebugPrivilege 1008 aspnet_compiler.exe Token: SeDebugPrivilege 572 rundll32.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
BANK DETAILS-26012022-971332pdf.exeExplorer.EXErundll32.exedescription pid process target process PID 2620 wrote to memory of 1008 2620 BANK DETAILS-26012022-971332pdf.exe aspnet_compiler.exe PID 2620 wrote to memory of 1008 2620 BANK DETAILS-26012022-971332pdf.exe aspnet_compiler.exe PID 2620 wrote to memory of 1008 2620 BANK DETAILS-26012022-971332pdf.exe aspnet_compiler.exe PID 2620 wrote to memory of 1008 2620 BANK DETAILS-26012022-971332pdf.exe aspnet_compiler.exe PID 2620 wrote to memory of 1008 2620 BANK DETAILS-26012022-971332pdf.exe aspnet_compiler.exe PID 2620 wrote to memory of 1008 2620 BANK DETAILS-26012022-971332pdf.exe aspnet_compiler.exe PID 3040 wrote to memory of 572 3040 Explorer.EXE rundll32.exe PID 3040 wrote to memory of 572 3040 Explorer.EXE rundll32.exe PID 3040 wrote to memory of 572 3040 Explorer.EXE rundll32.exe PID 572 wrote to memory of 988 572 rundll32.exe cmd.exe PID 572 wrote to memory of 988 572 rundll32.exe cmd.exe PID 572 wrote to memory of 988 572 rundll32.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\BANK DETAILS-26012022-971332pdf.exe"C:\Users\Admin\AppData\Local\Temp\BANK DETAILS-26012022-971332pdf.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe"2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/572-128-0x0000000000B20000-0x0000000000B33000-memory.dmpFilesize
76KB
-
memory/572-131-0x0000000004A00000-0x0000000004B97000-memory.dmpFilesize
1.6MB
-
memory/572-130-0x0000000004D40000-0x0000000005060000-memory.dmpFilesize
3.1MB
-
memory/572-129-0x0000000002D40000-0x0000000002D69000-memory.dmpFilesize
164KB
-
memory/1008-124-0x0000000000E90000-0x000000000102B000-memory.dmpFilesize
1.6MB
-
memory/1008-125-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1008-126-0x0000000001560000-0x0000000001571000-memory.dmpFilesize
68KB
-
memory/1008-122-0x0000000001030000-0x0000000001350000-memory.dmpFilesize
3.1MB
-
memory/1008-120-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2620-117-0x0000016ABA200000-0x0000016ABA240000-memory.dmpFilesize
256KB
-
memory/2620-119-0x0000016ABBE80000-0x0000016ABBE8E000-memory.dmpFilesize
56KB
-
memory/2620-118-0x0000016ABC180000-0x0000016ABC182000-memory.dmpFilesize
8KB
-
memory/3040-123-0x0000000005410000-0x0000000005519000-memory.dmpFilesize
1.0MB
-
memory/3040-127-0x0000000006680000-0x0000000006806000-memory.dmpFilesize
1.5MB
-
memory/3040-132-0x00000000064C0000-0x00000000065DD000-memory.dmpFilesize
1.1MB