Analysis
-
max time kernel
148s -
max time network
159s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
28-01-2022 15:18
Static task
static1
Behavioral task
behavioral1
Sample
CTM ARRANGMENT.exe
Resource
win7-en-20211208
General
-
Target
CTM ARRANGMENT.exe
-
Size
249KB
-
MD5
a2046a5aeb81e1fc98cbbc9a2aff19b1
-
SHA1
6fb0f2848d25ffb9ea2c4441552c466539a0f0e0
-
SHA256
d0a2b78cdc16ebd07adf6aacd4b6e2d639dcdebd28f0e3eb4ca3e6b73cc1add8
-
SHA512
90bd09bed2fd4bb5eae4281fa9fae0df1164a36bb37b7ea2e8e70b034436461966d1b317f1e5ec610055acd7e28372b4bbafe96154e32c182aa93ba05fdf8640
Malware Config
Extracted
xloader
2.5
dtt3
edilononlineshop.com
cursosd.com
viellacharteredland.com
increasey0urenergylevels.codes
yjy-hotel.com
claym.xyz
reelsguide.com
gives-cardano.com
ashrafannuar.com
mammalians.com
rocketleaguedads.com
yubierp.com
minimi36.com
chn-chn.com
jagojp888.com
parsian-shetab.com
273351.com
mdtouhid.com
babedads.com
vallinam2.com
buro-tic.com
az-rent.net
shifaebio.xyz
circuitoalberghiero.com
xn--b1afb9b.xn--p1acf
canlioyundasin.online
sachainchirajaomega.com
scandinest.com
pluky.net
tpxcy.com
nbg.global
automountproducts.com
hghbj.com
beachsidecoatings.com
householdertips.com
coworkingspace.online
doujyou.com
tenloe053.xyz
udpbkp.biz
kondanginyuk.online
zipiter.com
christiankrog.com
reliantrecruitinggroup.com
acrylicus.com
cruelgirls.biz
oeinsulation.com
mapnft.xyz
leadersfort.com
foodroutine.com
mayerohio.info
systemofsolutions.com
gideonajibike.com
bigboobz.net
townofis.com
mhkxlgs.com
sussaautocare.com
quicktle.com
boutiquedangel.com
garrisonroadhouse.com
stiff-pols.art
cabalaconsultores.com
theweddinggame.net
themoneymagicians.com
overtonesa.com
janasflannels.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/716-57-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral1/memory/1332-63-0x00000000000D0000-0x00000000000F9000-memory.dmp xloader -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 568 cmd.exe -
Loads dropped DLL 1 IoCs
Processes:
CTM ARRANGMENT.exepid process 1264 CTM ARRANGMENT.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
CTM ARRANGMENT.exeCTM ARRANGMENT.exewuapp.exedescription pid process target process PID 1264 set thread context of 716 1264 CTM ARRANGMENT.exe CTM ARRANGMENT.exe PID 716 set thread context of 1232 716 CTM ARRANGMENT.exe Explorer.EXE PID 1332 set thread context of 1232 1332 wuapp.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:
CTM ARRANGMENT.exewuapp.exepid process 716 CTM ARRANGMENT.exe 716 CTM ARRANGMENT.exe 1332 wuapp.exe 1332 wuapp.exe 1332 wuapp.exe 1332 wuapp.exe 1332 wuapp.exe 1332 wuapp.exe 1332 wuapp.exe 1332 wuapp.exe 1332 wuapp.exe 1332 wuapp.exe 1332 wuapp.exe 1332 wuapp.exe 1332 wuapp.exe 1332 wuapp.exe 1332 wuapp.exe 1332 wuapp.exe 1332 wuapp.exe 1332 wuapp.exe 1332 wuapp.exe 1332 wuapp.exe 1332 wuapp.exe 1332 wuapp.exe 1332 wuapp.exe 1332 wuapp.exe 1332 wuapp.exe 1332 wuapp.exe 1332 wuapp.exe 1332 wuapp.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1232 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
CTM ARRANGMENT.exewuapp.exepid process 716 CTM ARRANGMENT.exe 716 CTM ARRANGMENT.exe 716 CTM ARRANGMENT.exe 1332 wuapp.exe 1332 wuapp.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
CTM ARRANGMENT.exewuapp.exedescription pid process Token: SeDebugPrivilege 716 CTM ARRANGMENT.exe Token: SeDebugPrivilege 1332 wuapp.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1232 Explorer.EXE 1232 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1232 Explorer.EXE 1232 Explorer.EXE -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
CTM ARRANGMENT.exeExplorer.EXEwuapp.exedescription pid process target process PID 1264 wrote to memory of 716 1264 CTM ARRANGMENT.exe CTM ARRANGMENT.exe PID 1264 wrote to memory of 716 1264 CTM ARRANGMENT.exe CTM ARRANGMENT.exe PID 1264 wrote to memory of 716 1264 CTM ARRANGMENT.exe CTM ARRANGMENT.exe PID 1264 wrote to memory of 716 1264 CTM ARRANGMENT.exe CTM ARRANGMENT.exe PID 1264 wrote to memory of 716 1264 CTM ARRANGMENT.exe CTM ARRANGMENT.exe PID 1264 wrote to memory of 716 1264 CTM ARRANGMENT.exe CTM ARRANGMENT.exe PID 1264 wrote to memory of 716 1264 CTM ARRANGMENT.exe CTM ARRANGMENT.exe PID 1232 wrote to memory of 1332 1232 Explorer.EXE wuapp.exe PID 1232 wrote to memory of 1332 1232 Explorer.EXE wuapp.exe PID 1232 wrote to memory of 1332 1232 Explorer.EXE wuapp.exe PID 1232 wrote to memory of 1332 1232 Explorer.EXE wuapp.exe PID 1232 wrote to memory of 1332 1232 Explorer.EXE wuapp.exe PID 1232 wrote to memory of 1332 1232 Explorer.EXE wuapp.exe PID 1232 wrote to memory of 1332 1232 Explorer.EXE wuapp.exe PID 1332 wrote to memory of 568 1332 wuapp.exe cmd.exe PID 1332 wrote to memory of 568 1332 wuapp.exe cmd.exe PID 1332 wrote to memory of 568 1332 wuapp.exe cmd.exe PID 1332 wrote to memory of 568 1332 wuapp.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\CTM ARRANGMENT.exe"C:\Users\Admin\AppData\Local\Temp\CTM ARRANGMENT.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\CTM ARRANGMENT.exe"C:\Users\Admin\AppData\Local\Temp\CTM ARRANGMENT.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\wuapp.exe"C:\Windows\SysWOW64\wuapp.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\CTM ARRANGMENT.exe"3⤵
- Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nsnE2F1.tmp\kykgewxkrv.dllMD5
638d655f837f80df4b70fe17a5ea86b4
SHA151c0d3eed56c7c87fc1371bfcdfb02ce707bc36b
SHA256c106ca97813ad904efc3bebae18ad42c6787c725cbbdf966da5ffc2888b8e384
SHA512a6881256779c3fe37f4170ebc9e08c9d5a5db2c06419bee67f35cf0107e91e8e83e3a106a8546b75eae54abf3295148ee9d95de82fa406f591c90982917aadd8
-
memory/716-57-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/716-59-0x00000000008A0000-0x0000000000BA3000-memory.dmpFilesize
3.0MB
-
memory/716-61-0x0000000000340000-0x0000000000351000-memory.dmpFilesize
68KB
-
memory/1232-60-0x00000000068B0000-0x00000000069F3000-memory.dmpFilesize
1.3MB
-
memory/1232-66-0x0000000004160000-0x000000000422D000-memory.dmpFilesize
820KB
-
memory/1264-55-0x0000000075191000-0x0000000075193000-memory.dmpFilesize
8KB
-
memory/1332-62-0x00000000010B0000-0x00000000010BB000-memory.dmpFilesize
44KB
-
memory/1332-63-0x00000000000D0000-0x00000000000F9000-memory.dmpFilesize
164KB
-
memory/1332-64-0x00000000009C0000-0x0000000000CC3000-memory.dmpFilesize
3.0MB
-
memory/1332-65-0x00000000007E0000-0x0000000000870000-memory.dmpFilesize
576KB