Analysis
- max time kernel: 300s
- max time network: 303s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 09-02-2022 16:23
Static task: static1
Behavioral task: behavioral1
Sample: 09022022-739651826-pdf.exe
Resource: win7-en-20211208
General
- Target: 09022022-739651826-pdf.exe
- Size: 265KB
- MD5: 37c86eea298f12684500f2083a2e4e7d
- SHA1: 4c84e078d068e2a79ddbc48d03459e87390cb756
- SHA256: 46adc5850ed556d130d5d35db220fc303d45d719960e7e4b4b56174e9cdd3850
- SHA512: 8a9ea9cf85e375a5b4b50789c6cf1041172400916a045c735987929c52081ff25748bfa404472c580261f8251f37973ba30ecdbc464f0546f702518ff87cd09a
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: uar3
Signatures
-
Xloader Payload 2 IoCs
resource / yara_rule:
- behavioral2/memory/3440-118-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
- behavioral2/memory/3400-126-0x0000000000B70000-0x0000000000B99000-memory.dmp: xloader
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes: chkdsk.exe
description / ioc / process:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (chkdsk.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZLNTRJTHWRM = "C:\\Program Files (x86)\\Maprl7\\lhihzliobpdcbc.exe" (chkdsk.exe)
Executes dropped EXE 4 IoCs
Processes: qgerjshzns.exe, qgerjshzns.exe, lhihzliobpdcbc.exe, lhihzliobpdcbc.exe
pid / process:
- 1016 qgerjshzns.exe
- 3440 qgerjshzns.exe
- 4284 lhihzliobpdcbc.exe
- 4292 lhihzliobpdcbc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 4 IoCs
Processes: qgerjshzns.exe, qgerjshzns.exe, chkdsk.exe, lhihzliobpdcbc.exe
description / pid / process / target process:
- PID 1016 (qgerjshzns.exe) set thread context of 3440 (qgerjshzns.exe)
- PID 3440 (qgerjshzns.exe) set thread context of 3052 (Explorer.EXE)
- PID 3400 (chkdsk.exe) set thread context of 3052 (Explorer.EXE)
- PID 4284 (lhihzliobpdcbc.exe) set thread context of 4292 (lhihzliobpdcbc.exe)
Drops file in Program Files directory 4 IoCs
Processes: chkdsk.exe, Explorer.EXE
description / ioc / process:
- File opened for modification: C:\Program Files (x86)\Maprl7\lhihzliobpdcbc.exe (chkdsk.exe)
- File opened for modification: C:\Program Files (x86)\Maprl7 (Explorer.EXE)
- File created: C:\Program Files (x86)\Maprl7\lhihzliobpdcbc.exe (Explorer.EXE)
- File opened for modification: C:\Program Files (x86)\Maprl7\lhihzliobpdcbc.exe (Explorer.EXE)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes: chkdsk.exe
description / ioc / process:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (chkdsk.exe)
-
Modifies Internet Explorer settings
Processes: chkdsk.exe
description / ioc / process:
- Key created: \Registry\User\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (chkdsk.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: qgerjshzns.exe, chkdsk.exe
pid / process (repeated entries collapsed, count in parentheses):
- 3440 qgerjshzns.exe (4 entries)
- 3400 chkdsk.exe (all remaining entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid / process:
- 3052 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs
Processes: qgerjshzns.exe, chkdsk.exe
pid / process (repeated entries collapsed, count in parentheses):
- 3440 qgerjshzns.exe (3 entries)
- 3400 chkdsk.exe (4 entries)
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: qgerjshzns.exe, chkdsk.exe, lhihzliobpdcbc.exe, Explorer.EXE
description / pid / process:
- Token: SeDebugPrivilege 3440 qgerjshzns.exe
- Token: SeDebugPrivilege 3400 chkdsk.exe
- Token: SeDebugPrivilege 4292 lhihzliobpdcbc.exe
- Token: SeShutdownPrivilege 3052 Explorer.EXE
- Token: SeCreatePagefilePrivilege 3052 Explorer.EXE
Suspicious use of WriteProcessMemory 30 IoCs
Processes: 09022022-739651826-pdf.exe, qgerjshzns.exe, Explorer.EXE, chkdsk.exe, lhihzliobpdcbc.exe
description / pid / process / target process (repeated entries collapsed, count in parentheses):
- PID 2500 (09022022-739651826-pdf.exe) wrote to memory of 1016 (qgerjshzns.exe) (3 entries)
- PID 1016 (qgerjshzns.exe) wrote to memory of 3440 (qgerjshzns.exe) (6 entries)
- PID 3052 (Explorer.EXE) wrote to memory of 3400 (chkdsk.exe) (3 entries)
- PID 3400 (chkdsk.exe) wrote to memory of 3800 (cmd.exe) (3 entries)
- PID 3400 (chkdsk.exe) wrote to memory of 3228 (cmd.exe) (3 entries)
- PID 3400 (chkdsk.exe) wrote to memory of 4276 (Firefox.exe) (3 entries)
- PID 3052 (Explorer.EXE) wrote to memory of 4284 (lhihzliobpdcbc.exe) (3 entries)
- PID 4284 (lhihzliobpdcbc.exe) wrote to memory of 4292 (lhihzliobpdcbc.exe) (6 entries)
Processes (tree, indented by depth; command line in parentheses)
C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\09022022-739651826-pdf.exe (command line: "C:\Users\Admin\AppData\Local\Temp\09022022-739651826-pdf.exe")
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\qgerjshzns.exe (command line: C:\Users\Admin\AppData\Local\Temp\qgerjshzns.exe)
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\qgerjshzns.exe (command line: C:\Users\Admin\AppData\Local\Temp\qgerjshzns.exe)
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\chkdsk.exe (command line: "C:\Windows\SysWOW64\chkdsk.exe")
  - Adds policy Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (command line: /c del "C:\Users\Admin\AppData\Local\Temp\qgerjshzns.exe")
    C:\Windows\SysWOW64\cmd.exe (command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V)
    C:\Program Files\Mozilla Firefox\Firefox.exe (command line: "C:\Program Files\Mozilla Firefox\Firefox.exe")
  C:\Program Files (x86)\Maprl7\lhihzliobpdcbc.exe (command line: "C:\Program Files (x86)\Maprl7\lhihzliobpdcbc.exe")
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Maprl7\lhihzliobpdcbc.exe (command line: "C:\Program Files (x86)\Maprl7\lhihzliobpdcbc.exe")
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Maprl7\lhihzliobpdcbc.exe
MD5: 61c6afe8eb1faafafbe8ee85d527d30e
SHA1: c3ec3a8a18ab801d7191ae3c3fc08d1dae3bdf46
SHA256: 034f1d54ff9954dba589f77cf229352e339424a9f35199f23cb979c05bb889ed
SHA512: 4eff030db73d65b490ab20e58034f116dc123a24b22dfb9e7d82676544085b314e52148d868f1135b8e9d80ec78c4757b4461ec1fdd42f29fcac1a5e4e5a9591
-
C:\Users\Admin\AppData\Local\Temp\DB1
MD5: b608d407fc15adea97c26936bc6f03f6
SHA1: 953e7420801c76393902c0d6bb56148947e41571
SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Local\Temp\akvjxtp6f43v
MD5: 14823dd88a486c9049dc8e39e95e8d6c
SHA1: fe4faa49db61f5e4dce75a41bd4e3006b0f2fed8
SHA256: ee11c5923f5ec6cc1c3db829cd59d9ee4a3cc85404c68e4ab90177f010eb13c8
SHA512: e43f375eb42952580dab5f8acdd81a88e0b8c4de659b0406afd1599bbb044b71a53b353d67615fa4d2a1c7191e1e35d9e58d5ce6bdd18311e74df0f41201b560
-
C:\Users\Admin\AppData\Local\Temp\qgerjshzns.exe
MD5: 61c6afe8eb1faafafbe8ee85d527d30e
SHA1: c3ec3a8a18ab801d7191ae3c3fc08d1dae3bdf46
SHA256: 034f1d54ff9954dba589f77cf229352e339424a9f35199f23cb979c05bb889ed
SHA512: 4eff030db73d65b490ab20e58034f116dc123a24b22dfb9e7d82676544085b314e52148d868f1135b8e9d80ec78c4757b4461ec1fdd42f29fcac1a5e4e5a9591
-
C:\Users\Admin\AppData\Local\Temp\uxxvuqyvja
MD5: 43572ef3180d3c5c33a5cf9d62a6d696
SHA1: e079bf345f9b9133ecc1813839c4182ee6285802
SHA256: 3a09220007d41f44063d266b9cf59c30e85b22e3bf33546c272046f32ea32abe
SHA512: 9045ef3ea42ed91767e7b70c1e7641aaa44f2c6bd9a83f6db301a691b88e4e7e015e77fc6f578f49fad51f8e582563fa3fb68d8013c4078e3a62078b7684d7bd
-
- memory/3052-124-0x0000000006E40000-0x0000000006F97000-memory.dmp (Filesize: 1.3MB)
- memory/3052-129-0x00000000053B0000-0x0000000005462000-memory.dmp (Filesize: 712KB)
- memory/3400-125-0x0000000000BA0000-0x0000000000BAA000-memory.dmp (Filesize: 40KB)
- memory/3400-127-0x0000000004EC0000-0x00000000051E0000-memory.dmp (Filesize: 3.1MB)
- memory/3400-126-0x0000000000B70000-0x0000000000B99000-memory.dmp (Filesize: 164KB)
- memory/3400-128-0x0000000005270000-0x0000000005300000-memory.dmp (Filesize: 576KB)
- memory/3440-123-0x0000000000D00000-0x0000000000D11000-memory.dmp (Filesize: 68KB)
- memory/3440-122-0x000000000041D000-0x000000000041E000-memory.dmp (Filesize: 4KB)
- memory/3440-121-0x00000000009C0000-0x0000000000CE0000-memory.dmp (Filesize: 3.1MB)
- memory/3440-118-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/4292-135-0x0000000000B20000-0x0000000000E40000-memory.dmp (Filesize: 3.1MB)