Analysis
max time kernel: 161s
max time network: 163s
platform: windows7_x64
resource: win7-en-20211208
submitted: 31-01-2022 01:37
Static task: static1
Behavioral task: behavioral1
Sample: CTM REQUEST.exe
Resource: win7-en-20211208
General
Target: CTM REQUEST.exe
Size: 265KB
MD5: 64477dc3ce0b183b116147707d6f6928
SHA1: a2859ec6076ff22a0a45a20c056be9d380cb5c54
SHA256: 01222693e4698149f19d31ac66567a9815f89509bac13d690de8a5afda2bee08
SHA512: 9de95fb485a2dd4554a88cf78faeb5e01bd9073632322804403ab61cde027739750c28a3a036228cbb2f8a432017a0dfd09a3e4cf5dc5da2f7273437be402699
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: 3a4h
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/528-57-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral1/memory/1300-63-0x0000000000080000-0x00000000000A9000-memory.dmp | xloader
-
Deletes itself 1 IoCs
Processes:
pid | process
904 | cmd.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
752 | CTM REQUEST.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 752 set thread context of 528 | 752 | CTM REQUEST.exe | CTM REQUEST.exe
PID 528 set thread context of 1424 | 528 | CTM REQUEST.exe | Explorer.EXE
PID 1300 set thread context of 1424 | 1300 | chkdsk.exe | Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | chkdsk.exe
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:
pid | process
528 | CTM REQUEST.exe (2 occurrences)
1300 | chkdsk.exe (28 occurrences)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
1424 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid | process
528 | CTM REQUEST.exe (3 occurrences)
1300 | chkdsk.exe (2 occurrences)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 528 | CTM REQUEST.exe
Token: SeDebugPrivilege | 1300 | chkdsk.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
1424 | Explorer.EXE (2 occurrences)
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid | process
1424 | Explorer.EXE (2 occurrences)
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description | pid | process | target process
PID 752 wrote to memory of 528 | 752 | CTM REQUEST.exe | CTM REQUEST.exe (7 occurrences)
PID 1424 wrote to memory of 1300 | 1424 | Explorer.EXE | chkdsk.exe (4 occurrences)
PID 1300 wrote to memory of 904 | 1300 | chkdsk.exe | cmd.exe (4 occurrences)
Processes
-
[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
[2] C:\Users\Admin\AppData\Local\Temp\CTM REQUEST.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\CTM REQUEST.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
[3] C:\Users\Admin\AppData\Local\Temp\CTM REQUEST.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\CTM REQUEST.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\SysWOW64\chkdsk.exe
    Command line: "C:\Windows\SysWOW64\chkdsk.exe"
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[3] C:\Windows\SysWOW64\cmd.exe
    Command line: /c del "C:\Users\Admin\AppData\Local\Temp\CTM REQUEST.exe"
- Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nst5CF1.tmp\hshes.dll
MD5: 86a3e22c21ce1ada9fde3e7f8ec9749f
SHA1: 2b3c20db5bc50bc6edd96a01c733cb18e9f0a081
SHA256: c4769e61329e6fa9800e79992f9dd38f63a8b2b19f82a2bc0f5cd216bf338db1
SHA512: f6c811fa96f122f8267132a4cefe4b4bc4aaa79d4b1cae8b2531695b3534a59615131af0b755c4ba1f98ad454ad03c95817b05c8b97eac00723f14a935a1b4ac
-
memory/528-57-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize: 164KB
-
memory/528-59-0x0000000000770000-0x0000000000A73000-memory.dmp
Filesize: 3.0MB
-
memory/528-60-0x00000000002E0000-0x0000000000429000-memory.dmp
Filesize: 1.3MB
-
memory/752-54-0x0000000075431000-0x0000000075433000-memory.dmp
Filesize: 8KB
-
memory/752-56-0x0000000000350000-0x0000000000352000-memory.dmp
Filesize: 8KB
-
memory/1300-62-0x00000000008F0000-0x00000000008F7000-memory.dmp
Filesize: 28KB
-
memory/1300-63-0x0000000000080000-0x00000000000A9000-memory.dmp
Filesize: 164KB
-
memory/1300-64-0x00000000020D0000-0x00000000023D3000-memory.dmp
Filesize: 3.0MB
-
memory/1300-65-0x0000000001D00000-0x0000000001F3C000-memory.dmp
Filesize: 2.2MB
-
memory/1424-61-0x0000000006A40000-0x0000000006BA1000-memory.dmp
Filesize: 1.4MB
-
memory/1424-66-0x0000000006BB0000-0x0000000006CC0000-memory.dmp
Filesize: 1.1MB