Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-en-20211208
submitted: 30-01-2022 00:19
Static task: static1
Behavioral task: behavioral1
Sample: PO6312.exe
Resource: win7-en-20211208
General
Target: PO6312.exe
Size: 286KB
MD5: 6dca73a65b62eb5f40cc45ec4085f695
SHA1: 5a478b2dd4ba1bcfaeec8cde0d5ff7f6e8bd9798
SHA256: 9fe9d14b0dfe4fd0006b432eb8acb4bbba782da6071fb4ca50676a1ebb73958f
SHA512: 9a23ab54b531436b52f870ad80241eefa843f66f18279dfdf1f263a4008b98aba2f30f37d55e497d4b2de9259217687feef5f59c0d978d969f4b7509d8d44800
Malware Config
Extracted family: xloader
Version: 2.5
Identifier: hpin
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload 2 IoCs
Resource                                                                     YARA rule
behavioral1/memory/528-57-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
behavioral1/memory/756-64-0x0000000000090000-0x00000000000B9000-memory.dmp   xloader
Deletes itself 1 IoCs
PID   Process
1648  cmd.exe
Loads dropped DLL 1 IoCs
PID  Process
612  PO6312.exe
Suspicious use of SetThreadContext 3 IoCs
PID  Process       Action                 Target PID  Target process
612  PO6312.exe    set thread context of  528         PO6312.exe
528  PO6312.exe    set thread context of  1380        Explorer.EXE
756  rundll32.exe  set thread context of  1380        Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 30 IoCs
PID  Process       Entries
528  PO6312.exe    2
756  rundll32.exe  28
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
PID   Process
1380  Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
PID  Process       Entries
528  PO6312.exe    3
756  rundll32.exe  2
Suspicious use of AdjustPrivilegeToken 2 IoCs
Token                    PID  Process
Token: SeDebugPrivilege  528  PO6312.exe
Token: SeDebugPrivilege  756  rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs
PID   Process       Entries
1380  Explorer.EXE  2
Suspicious use of SendNotifyMessage 2 IoCs
PID   Process       Entries
1380  Explorer.EXE  2
Suspicious use of WriteProcessMemory 18 IoCs
PID   Process       Action              Target PID  Target process  Entries
612   PO6312.exe    wrote to memory of  528         PO6312.exe      7
1380  Explorer.EXE  wrote to memory of  756         rundll32.exe    7
756   rundll32.exe  wrote to memory of  1648        cmd.exe         4
Processes
C:\Windows\Explorer.EXE  (command line: C:\Windows\Explorer.EXE)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\PO6312.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\PO6312.exe")
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\PO6312.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\PO6312.exe")
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\rundll32.exe  (command line: "C:\Windows\SysWOW64\rundll32.exe")
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (command line: /c del "C:\Users\Admin\AppData\Local\Temp\PO6312.exe")
      - Deletes itself
Downloads
\Users\Admin\AppData\Local\Temp\nsyF529.tmp\ibwyftbm.dll
MD5: 93ce7ab994c53abf143cbef9bfa7b1d7
SHA1: f3ea2dfb85164c5250569d30d49a73630c4077a1
SHA256: 12b6aacfc7ef2ad9053d0d936fa75553d7a2081dbb61fdd33c78f75db3a0fe28
SHA512: 8c212e68878587b1181cd94e333ebd4de77b26ff4fff0ae2fe71e1cc77fce90b05e8edbda3fe049d60cd4d0bff53e0ba35e2869e304c541f4553a1ed353a6a3a
Memory dump                                                       Filesize
memory/528-57-0x0000000000400000-0x0000000000429000-memory.dmp    164KB
memory/528-59-0x0000000000990000-0x0000000000C93000-memory.dmp    3.0MB
memory/528-60-0x00000000002C0000-0x00000000002D1000-memory.dmp    68KB
memory/612-55-0x0000000075D61000-0x0000000075D63000-memory.dmp    8KB
memory/756-64-0x0000000000090000-0x00000000000B9000-memory.dmp    164KB
memory/756-63-0x0000000000940000-0x000000000094E000-memory.dmp    56KB
memory/756-65-0x0000000002160000-0x0000000002463000-memory.dmp    3.0MB
memory/756-66-0x0000000001E80000-0x0000000001F10000-memory.dmp    576KB
memory/1380-61-0x0000000006BA0000-0x0000000006CAC000-memory.dmp   1.0MB
memory/1380-67-0x0000000004170000-0x000000000420C000-memory.dmp   624KB