Analysis
-
max time kernel
156s -
max time network
163s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
28-01-2022 15:18
Static task
static1
Behavioral task
behavioral1
Sample
CTM ARRANGMENT.exe
Resource
win7-en-20211208
General
-
Target
CTM ARRANGMENT.exe
-
Size
249KB
-
MD5
a2046a5aeb81e1fc98cbbc9a2aff19b1
-
SHA1
6fb0f2848d25ffb9ea2c4441552c466539a0f0e0
-
SHA256
d0a2b78cdc16ebd07adf6aacd4b6e2d639dcdebd28f0e3eb4ca3e6b73cc1add8
-
SHA512
90bd09bed2fd4bb5eae4281fa9fae0df1164a36bb37b7ea2e8e70b034436461966d1b317f1e5ec610055acd7e28372b4bbafe96154e32c182aa93ba05fdf8640
Malware Config
Extracted
xloader
2.5
dtt3
edilononlineshop.com
cursosd.com
viellacharteredland.com
increasey0urenergylevels.codes
yjy-hotel.com
claym.xyz
reelsguide.com
gives-cardano.com
ashrafannuar.com
mammalians.com
rocketleaguedads.com
yubierp.com
minimi36.com
chn-chn.com
jagojp888.com
parsian-shetab.com
273351.com
mdtouhid.com
babedads.com
vallinam2.com
buro-tic.com
az-rent.net
shifaebio.xyz
circuitoalberghiero.com
xn--b1afb9b.xn--p1acf
canlioyundasin.online
sachainchirajaomega.com
scandinest.com
pluky.net
tpxcy.com
nbg.global
automountproducts.com
hghbj.com
beachsidecoatings.com
householdertips.com
coworkingspace.online
doujyou.com
tenloe053.xyz
udpbkp.biz
kondanginyuk.online
zipiter.com
christiankrog.com
reliantrecruitinggroup.com
acrylicus.com
cruelgirls.biz
oeinsulation.com
mapnft.xyz
leadersfort.com
foodroutine.com
mayerohio.info
systemofsolutions.com
gideonajibike.com
bigboobz.net
townofis.com
mhkxlgs.com
sussaautocare.com
quicktle.com
boutiquedangel.com
garrisonroadhouse.com
stiff-pols.art
cabalaconsultores.com
theweddinggame.net
themoneymagicians.com
overtonesa.com
janasflannels.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/2284-116-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral2/memory/2284-119-0x00000000007E0000-0x0000000000973000-memory.dmp xloader behavioral2/memory/1892-122-0x0000000000A10000-0x0000000000A39000-memory.dmp xloader -
Loads dropped DLL 1 IoCs
Processes:
CTM ARRANGMENT.exepid process 2400 CTM ARRANGMENT.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
CTM ARRANGMENT.exeCTM ARRANGMENT.exemstsc.exedescription pid process target process PID 2400 set thread context of 2284 2400 CTM ARRANGMENT.exe CTM ARRANGMENT.exe PID 2284 set thread context of 2720 2284 CTM ARRANGMENT.exe Explorer.EXE PID 1892 set thread context of 2720 1892 mstsc.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
Processes:
CTM ARRANGMENT.exemstsc.exepid process 2284 CTM ARRANGMENT.exe 2284 CTM ARRANGMENT.exe 2284 CTM ARRANGMENT.exe 2284 CTM ARRANGMENT.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe 1892 mstsc.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 2720 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
CTM ARRANGMENT.exemstsc.exepid process 2284 CTM ARRANGMENT.exe 2284 CTM ARRANGMENT.exe 2284 CTM ARRANGMENT.exe 1892 mstsc.exe 1892 mstsc.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
CTM ARRANGMENT.exemstsc.exedescription pid process Token: SeDebugPrivilege 2284 CTM ARRANGMENT.exe Token: SeDebugPrivilege 1892 mstsc.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
CTM ARRANGMENT.exeExplorer.EXEmstsc.exedescription pid process target process PID 2400 wrote to memory of 2284 2400 CTM ARRANGMENT.exe CTM ARRANGMENT.exe PID 2400 wrote to memory of 2284 2400 CTM ARRANGMENT.exe CTM ARRANGMENT.exe PID 2400 wrote to memory of 2284 2400 CTM ARRANGMENT.exe CTM ARRANGMENT.exe PID 2400 wrote to memory of 2284 2400 CTM ARRANGMENT.exe CTM ARRANGMENT.exe PID 2400 wrote to memory of 2284 2400 CTM ARRANGMENT.exe CTM ARRANGMENT.exe PID 2400 wrote to memory of 2284 2400 CTM ARRANGMENT.exe CTM ARRANGMENT.exe PID 2720 wrote to memory of 1892 2720 Explorer.EXE mstsc.exe PID 2720 wrote to memory of 1892 2720 Explorer.EXE mstsc.exe PID 2720 wrote to memory of 1892 2720 Explorer.EXE mstsc.exe PID 1892 wrote to memory of 3360 1892 mstsc.exe cmd.exe PID 1892 wrote to memory of 3360 1892 mstsc.exe cmd.exe PID 1892 wrote to memory of 3360 1892 mstsc.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\CTM ARRANGMENT.exe"C:\Users\Admin\AppData\Local\Temp\CTM ARRANGMENT.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\CTM ARRANGMENT.exe"C:\Users\Admin\AppData\Local\Temp\CTM ARRANGMENT.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\mstsc.exe"C:\Windows\SysWOW64\mstsc.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\CTM ARRANGMENT.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nsm6D5E.tmp\kykgewxkrv.dllMD5
638d655f837f80df4b70fe17a5ea86b4
SHA151c0d3eed56c7c87fc1371bfcdfb02ce707bc36b
SHA256c106ca97813ad904efc3bebae18ad42c6787c725cbbdf966da5ffc2888b8e384
SHA512a6881256779c3fe37f4170ebc9e08c9d5a5db2c06419bee67f35cf0107e91e8e83e3a106a8546b75eae54abf3295148ee9d95de82fa406f591c90982917aadd8
-
memory/1892-121-0x0000000000D60000-0x000000000105C000-memory.dmpFilesize
3.0MB
-
memory/1892-122-0x0000000000A10000-0x0000000000A39000-memory.dmpFilesize
164KB
-
memory/1892-123-0x0000000004C50000-0x0000000004F70000-memory.dmpFilesize
3.1MB
-
memory/1892-124-0x0000000004910000-0x0000000004AAC000-memory.dmpFilesize
1.6MB
-
memory/2284-116-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2284-118-0x0000000000980000-0x0000000000CA0000-memory.dmpFilesize
3.1MB
-
memory/2284-119-0x00000000007E0000-0x0000000000973000-memory.dmpFilesize
1.6MB
-
memory/2720-120-0x0000000002FE0000-0x00000000030D2000-memory.dmpFilesize
968KB
-
memory/2720-125-0x0000000006830000-0x0000000006980000-memory.dmpFilesize
1.3MB