Analysis
max time kernel: 173s
max time network: 175s
platform: windows10_x64
resource: win10-en-20211208
submitted: 31-01-2022 01:37
Static task: static1
Behavioral task: behavioral1
Sample: CTM REQUEST.exe
Resource: win7-en-20211208
General
Target: CTM REQUEST.exe
Size: 265KB
MD5: 64477dc3ce0b183b116147707d6f6928
SHA1: a2859ec6076ff22a0a45a20c056be9d380cb5c54
SHA256: 01222693e4698149f19d31ac66567a9815f89509bac13d690de8a5afda2bee08
SHA512: 9de95fb485a2dd4554a88cf78faeb5e01bd9073632322804403ab61cde027739750c28a3a036228cbb2f8a432017a0dfd09a3e4cf5dc5da2f7273437be402699
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: 3a4h
Domains (65 entries). XLoader keeps the FormBook config layout, in which the real C2 is mixed into a list of decoy domains, and the extractor does not mark which entry is the live C2. Treat the whole list as indicators for hunting, but remember that decoy entries are generally legitimate or parked sites, so a blanket block on the list carries a false-positive cost:
mohamedmansour.net
asap.green
influxair.com
45mpt.xyz
cablerailingdesign.com
salesdisrupter.com
cxfarms.com
enerconfederal.com
pl1x.top
nyoz.top
fitnesz.website
minimi36.com
borealiselectricalrepair.com
miskalqurashi.com
importacionesdelfuturo.com
cigfinanacial.com
luxamata.xyz
digicoin724.com
gozabank.com
tribal-treasures.com
hose.center
myzipe.com
cqi2zp.biz
prodello.com
faciso.com
budgethoortoestellen.info
toddlyonsfishing.com
phhmrotgage.com
wcf888.xyz
paypal-caseid194.com
bobstranz.com
aerthlabel.com
echotrailliving.com
dysmict.com
ijoimr.com
excellentcreation.store
at-commercial-co.com
aeczpx99pxgd.biz
khuj1.com
reactivephysiorehab.com
trup.club
barber-king.online
shippingcontainerhomeus.com
sumanita.network
alyssaandrobert2022.com
greatamericanlandworks.com
fortlauderdalepartyboats.com
lqmrfw.com
industrionaires.com
potholepatrol.club
lagardeningsolutions.com
bigceme3.com
rebuildgomnmf.xyz
chimneysweepdetroit.com
tucochepordinero.com
companyintel.systems
xn--snabbtkrkortonline-j3b.com
fermentvmkwjm.online
cnywocean.com
tadrosmortgages.com
healthylifefit.com
smartcapitalpay.online
hiratasistemaseassociados.com
nowidza.com
oshirohego.com
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
(XLoader is the successor of FormBook and keeps its HTTP check-in format, which is why the FormBook ET rules fire on it.)

Xloader Payload (3 IoCs)
Resource                                                                      YARA rule
behavioral2/memory/2868-117-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral2/memory/2868-120-0x0000000000890000-0x0000000000A29000-memory.dmp  xloader
behavioral2/memory/2200-123-0x0000000000120000-0x0000000000149000-memory.dmp  xloader

Loads dropped DLL (1 IoC)
PID   Process
4056  CTM REQUEST.exe

Suspicious use of SetThreadContext (3 IoCs)
PID   Process          Description                 Target process
4056  CTM REQUEST.exe  set thread context of 2868  CTM REQUEST.exe
2868  CTM REQUEST.exe  set thread context of 2880  Explorer.EXE
2200  cmstp.exe        set thread context of 2880  Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description of this TTP labels it likely ransomware behaviour; in this run the actor is an XLoader stealer and no file encryption or mass file modification is recorded, so read it as host reconnaissance rather than as evidence of ransomware.

Suspicious behavior: EnumeratesProcesses (52 IoCs)
PID   Process          Count
2868  CTM REQUEST.exe  4
2200  cmstp.exe        48

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID   Process
2880  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
PID   Process          Count
2868  CTM REQUEST.exe  3
2200  cmstp.exe        2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
PID   Process          Description
2868  CTM REQUEST.exe  Token: SeDebugPrivilege
2200  cmstp.exe        Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (12 IoCs)
PID   Process          Description              Target process   Count
4056  CTM REQUEST.exe  wrote to memory of 2868  CTM REQUEST.exe  6
2880  Explorer.EXE     wrote to memory of 2200  cmstp.exe        3
2200  cmstp.exe        wrote to memory of 364   cmd.exe          3
Processes

C:\Windows\Explorer.EXE  (PID 2880, depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\CTM REQUEST.exe  (PID 4056, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\CTM REQUEST.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\CTM REQUEST.exe  (PID 2868, depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\CTM REQUEST.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmstp.exe  (PID 2200, depth 2)
    command line: "C:\Windows\SysWOW64\cmstp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 364, depth 3)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\CTM REQUEST.exe"

Read together with the signature tables (which supply the PIDs shown above), the tree is the standard FormBook/XLoader injection chain. The dropper (PID 4056) loads hshes.dll out of a %TEMP%\nsl*.tmp directory, the layout NSIS installers use for their plugins, then starts a second copy of itself (PID 2868), writes into it six times and replaces its thread context, i.e. hollows it with the unpacked payload; the 164KB region at the default image base 0x400000 in PID 2868 is where YARA matches xloader. PID 2868 then sets the thread context of Explorer.EXE (PID 2880). The code planted in Explorer launches cmstp.exe, a signed Windows binary, and writes the payload into it. cmstp.exe (PID 2200) becomes the long-running stealer: it is the process that enumerates processes 48 times, maps sections, takes SeDebugPrivilege, sets Explorer's thread context again, and finally spawns cmd.exe /c del to remove the original sample from disk. The SysWOW64 paths show the payload runs as a 32-bit process on the 64-bit guest.
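The chain above can be recovered mechanically from the sandbox's flattened records, which is useful when triaging many reports or when porting the logic to EDR telemetry. The following is an added example and not code from the report or from the sandbox; the record strings and the process list are copied from the tables above, the PID-to-process mapping is taken from the signature tables, and the finding names (self_hollowing, explorer_injection, lolbin_migration, self_delete) are labels chosen here.

```python
import re
from collections import defaultdict

# Constructed input, copied from the SetThreadContext and WriteProcessMemory
# tables of this report (one record per line, duplicates collapsed):
# "PID <src> <op> <dst> <src> <src image> <target image>".
RECORDS = """\
PID 4056 set thread context of 2868 4056 CTM REQUEST.exe CTM REQUEST.exe
PID 2868 set thread context of 2880 2868 CTM REQUEST.exe Explorer.EXE
PID 2200 set thread context of 2880 2200 cmstp.exe Explorer.EXE
PID 4056 wrote to memory of 2868 4056 CTM REQUEST.exe CTM REQUEST.exe
PID 2880 wrote to memory of 2200 2880 Explorer.EXE cmstp.exe
PID 2200 wrote to memory of 364 2200 cmstp.exe cmd.exe
"""

# Constructed from the report's process tree: pid -> (parent pid, image path,
# command line). PIDs are the ones the signature tables attach to each process.
PROCESSES = {
    2880: (None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    4056: (2880, r"C:\Users\Admin\AppData\Local\Temp\CTM REQUEST.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\CTM REQUEST.exe"'),
    2868: (4056, r"C:\Users\Admin\AppData\Local\Temp\CTM REQUEST.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\CTM REQUEST.exe"'),
    2200: (2880, r"C:\Windows\SysWOW64\cmstp.exe", r'"C:\Windows\SysWOW64\cmstp.exe"'),
    364: (2200, r"C:\Windows\SysWOW64\cmd.exe",
          r'/c del "C:\Users\Admin\AppData\Local\Temp\CTM REQUEST.exe"'),
}

# Image names can contain spaces ("CTM REQUEST.exe"), so the two trailing names
# are split on the .exe extension instead of on whitespace.
REC_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>.+?\.exe) (?P<dst_img>.+?\.exe)$",
    re.IGNORECASE,
)


def parse_records(text):
    """Turn the flattened records into (src_pid, op, dst_pid); unparsable lines are skipped."""
    out = []
    for line in text.splitlines():
        m = REC_RE.match(line.strip())
        if m:
            out.append((int(m["src"]), m["op"], int(m["dst"])))
    return out


def image(procs, pid):
    """Lower-cased file name of a process image."""
    return procs[pid][1].rsplit("\\", 1)[-1].lower()


def analyze(records, procs):
    """Return sorted (finding, actor_pid, target_pid) triples for the injection chain."""
    writes, ctx = defaultdict(set), defaultdict(set)
    for src, op, dst in records:
        (writes if op.startswith("wrote") else ctx)[src].add(dst)

    findings = set()
    for src in set(writes) | set(ctx):
        for dst in ctx[src]:
            parent = procs[dst][0]
            # Hollowing: memory written into a child of the same image, then its
            # thread context replaced so the child runs the planted code.
            if dst in writes[src] and parent == src and image(procs, dst) == image(procs, src):
                findings.add(("self_hollowing", src, dst))
            if image(procs, dst) == "explorer.exe":
                findings.add(("explorer_injection", src, dst))
        for dst in writes[src]:
            parent, path, cmdline = procs[dst]
            # Migration: explorer starts a binary under C:\Windows, writes into
            # it, and that binary then injects or writes memory itself.
            if (image(procs, src) == "explorer.exe" and parent == src
                    and path.lower().startswith("c:\\windows\\")
                    and (writes[dst] or ctx[dst])):
                findings.add(("lolbin_migration", src, dst))
            # Cleanup: a cmd.exe child whose "del" target is another process's image.
            if image(procs, dst) == "cmd.exe" and "del " in cmdline.lower():
                for pid, (_, other_path, _) in procs.items():
                    if pid != dst and other_path.lower() in cmdline.lower():
                        findings.add(("self_delete", src, dst))
    return sorted(findings)


if __name__ == "__main__":
    for finding in analyze(parse_records(RECORDS), PROCESSES):
        print(*finding)
```

Run stand-alone it prints the five findings for this report. The same four predicates map directly onto Sysmon event IDs 1, 8 and 10 or onto an EDR's process-access telemetry; the hollowing rule in particular (write plus SetThreadContext into a suspended child of the same image) is the highest-signal part of the chain and does not depend on the dropper's file name.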
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Dropped file
\Users\Admin\AppData\Local\Temp\nslDCB2.tmp\hshes.dll
MD5: 86a3e22c21ce1ada9fde3e7f8ec9749f
SHA1: 2b3c20db5bc50bc6edd96a01c733cb18e9f0a081
SHA256: c4769e61329e6fa9800e79992f9dd38f63a8b2b19f82a2bc0f5cd216bf338db1
SHA512: f6c811fa96f122f8267132a4cefe4b4bc4aaa79d4b1cae8b2531695b3534a59615131af0b755c4ba1f98ad454ad03c95817b05c8b97eac00723f14a935a1b4ac

Memory dumps (the name encodes PID, sequence number and virtual address range; Filesize is end minus start)
Dump                                                              Filesize
memory/2200-122-0x00000000001B0000-0x00000000001C6000-memory.dmp  88KB
memory/2200-123-0x0000000000120000-0x0000000000149000-memory.dmp  164KB
memory/2200-124-0x00000000042D0000-0x00000000045F0000-memory.dmp  3.1MB
memory/2200-125-0x0000000003F90000-0x0000000004126000-memory.dmp  1.6MB
memory/2868-117-0x0000000000400000-0x0000000000429000-memory.dmp  164KB
memory/2868-118-0x0000000000A30000-0x0000000000D50000-memory.dmp  3.1MB
memory/2868-120-0x0000000000890000-0x0000000000A29000-memory.dmp  1.6MB
memory/2880-121-0x0000000005A00000-0x0000000005B0C000-memory.dmp  1.0MB
memory/2880-126-0x00000000053F0000-0x000000000552B000-memory.dmp  1.2MB
memory/4056-116-0x000000001AE50000-0x000000001AE52000-memory.dmp  8KB

The two 164KB regions (0x29000 bytes) in PID 2868, at the default image base 0x400000, and in PID 2200, at a non-image-base address 0x120000, are the same size and are the dumps the xloader YARA rule matched in both processes, which is consistent with the same unpacked payload being hollowed into the first and copied into the second. 2868-117 is the first dump to pull for an unpacked PE.
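Reading sizes and cross-process matches off the dump names by hand is error-prone once a report has more than a handful of regions. The following is an added example, not part of the report or the sandbox's tooling: it parses the dump names listed above (copied here as constructed input), recomputes the sizes the report shows, lists region sizes that occur in more than one process, and picks out dumps that start at the default 32-bit image base.

```python
import re
from collections import defaultdict

# Constructed input: the memory-dump names listed under Downloads in this report.
DUMPS = """\
memory/2200-122-0x00000000001B0000-0x00000000001C6000-memory.dmp
memory/2200-123-0x0000000000120000-0x0000000000149000-memory.dmp
memory/2200-124-0x00000000042D0000-0x00000000045F0000-memory.dmp
memory/2200-125-0x0000000003F90000-0x0000000004126000-memory.dmp
memory/2868-117-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2868-118-0x0000000000A30000-0x0000000000D50000-memory.dmp
memory/2868-120-0x0000000000890000-0x0000000000A29000-memory.dmp
memory/2880-121-0x0000000005A00000-0x0000000005B0C000-memory.dmp
memory/2880-126-0x00000000053F0000-0x000000000552B000-memory.dmp
memory/4056-116-0x000000001AE50000-0x000000001AE52000-memory.dmp
"""

# Dump name layout used by the report: memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Default image base of a 32-bit PE; a dump starting here is the hollowed
# module itself rather than a later private allocation.
DEFAULT_IMAGE_BASE = 0x400000


def parse_dumps(text):
    """Return one dict per dump with pid, seq, start, end and size in bytes."""
    regions = []
    for line in text.splitlines():
        m = DUMP_RE.search(line.strip())
        if not m:
            continue
        start, end = int(m["start"], 16), int(m["end"], 16)
        regions.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                        "start": start, "end": end, "size": end - start})
    return regions


def human(size):
    """Format a byte count the way the report does: KB below 1 MiB, otherwise MB to one decimal."""
    return f"{size / 1024:.0f}KB" if size < 1 << 20 else f"{size / (1 << 20):.1f}MB"


def shared_sizes(regions):
    """Map size -> pids for every region size that occurs in more than one process."""
    by_size = defaultdict(set)
    for r in regions:
        by_size[r["size"]].add(r["pid"])
    return {size: pids for size, pids in by_size.items() if len(pids) > 1}


def image_base_dumps(regions):
    """Dumps that begin at the default image base: first candidates for an unpacked PE."""
    return [r for r in regions if r["start"] == DEFAULT_IMAGE_BASE]


if __name__ == "__main__":
    regions = parse_dumps(DUMPS)
    for r in regions:
        print(f"pid {r['pid']:>5} seq {r['seq']} 0x{r['start']:08X}-0x{r['end']:08X} {human(r['size']):>6}")
    for size, pids in sorted(shared_sizes(regions).items()):
        print(f"size 0x{size:X} ({human(size)}) present in pids {sorted(pids)}")
    for r in image_base_dumps(regions):
        print(f"image-base dump: pid {r['pid']} seq {r['seq']}")
```

On this report the shared-size check returns two sizes, 0x29000 (164KB) and 0x320000 (3.1MB), each present in PIDs 2868 and 2200; the two 1.6MB regions differ by 0x3000 bytes and are not reported as shared, which the rounded sizes in the table hide. Exact-size matching is only a first filter; confirming that two dumps hold the same code still means diffing them or hashing their sections.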