Analysis
- max time kernel: 152s
- max time network: 164s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 14-02-2022 07:17
- Static task: static1
- Behavioral task: behavioral1
- Sample: d6ff1bf3d769e567a0e41f7651a56c07.exe
- Resource: win7-en-20211208
General
- Target: d6ff1bf3d769e567a0e41f7651a56c07.exe
- Size: 293KB
- MD5: d6ff1bf3d769e567a0e41f7651a56c07
- SHA1: 291bcef2a4335eaac400271209d0c0e99486b64c
- SHA256: 4d854fee4f2e2a7b2afb2c13b28207f5388b095d0f7f053b90e03cf5873904e9
- SHA512: aeaf170b6771653c13140aace7c4803ecdeee1dab95c2986f1893f63aaddab84ae7255095cb55b0c86c857684c90b5e5f8c764ec7e69dc3a7c6f9340cbc080e6
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: o6tg
- C2: 65 extracted domains
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET) (2 alerts)

Xloader Payload (3 IoCs)
YARA rule "xloader" matched in:
- behavioral1/memory/524-62-0x0000000000400000-0x0000000000429000-memory.dmp
- behavioral1/memory/524-69-0x0000000000400000-0x0000000000429000-memory.dmp
- behavioral1/memory/336-75-0x0000000000090000-0x00000000000B9000-memory.dmp

Blocklisted process makes network request (1 IoC)
- flow 28: PID 336 rundll32.exe

Executes dropped EXE (2 IoCs)
- PID 964 ugdlxyklyf.exe
- PID 524 ugdlxyklyf.exe

Loads dropped DLL (2 IoCs)
- PID 1396 d6ff1bf3d769e567a0e41f7651a56c07.exe
- PID 964 ugdlxyklyf.exe

Suspicious use of SetThreadContext (4 IoCs)
- PID 964 ugdlxyklyf.exe set thread context of PID 524 ugdlxyklyf.exe
- PID 524 ugdlxyklyf.exe set thread context of PID 1404 Explorer.EXE (2 hits)
- PID 336 rundll32.exe set thread context of PID 1404 Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (31 IoCs)
- PID 524 ugdlxyklyf.exe (3 hits)
- PID 336 rundll32.exe (28 hits)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 1404 Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
- PID 524 ugdlxyklyf.exe (4 hits)
- PID 336 rundll32.exe (2 hits)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- PID 524 ugdlxyklyf.exe: Token: SeDebugPrivilege
- PID 336 rundll32.exe: Token: SeDebugPrivilege

Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 1404 Explorer.EXE (2 hits)

Suspicious use of SendNotifyMessage (2 IoCs)
- PID 1404 Explorer.EXE (2 hits)

Suspicious use of WriteProcessMemory (22 IoCs)
- PID 1396 d6ff1bf3d769e567a0e41f7651a56c07.exe wrote to memory of PID 964 ugdlxyklyf.exe (4 hits)
- PID 964 ugdlxyklyf.exe wrote to memory of PID 524 ugdlxyklyf.exe (7 hits)
- PID 1404 Explorer.EXE wrote to memory of PID 336 rundll32.exe (7 hits)
- PID 336 rundll32.exe wrote to memory of PID 1272 cmd.exe (4 hits)
Processes
C:\Windows\Explorer.EXE (PID 1404)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\d6ff1bf3d769e567a0e41f7651a56c07.exe (PID 1396, child of 1404)
    command line: "C:\Users\Admin\AppData\Local\Temp\d6ff1bf3d769e567a0e41f7651a56c07.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\ugdlxyklyf.exe (PID 964, child of 1396)
      command line: C:\Users\Admin\AppData\Local\Temp\ugdlxyklyf.exe C:\Users\Admin\AppData\Local\Temp\zzyuvlggsv
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\ugdlxyklyf.exe (PID 524, child of 964)
        command line: C:\Users\Admin\AppData\Local\Temp\ugdlxyklyf.exe C:\Users\Admin\AppData\Local\Temp\zzyuvlggsv
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\rundll32.exe (PID 336, child of 1404)
    command line: "C:\Windows\SysWOW64\rundll32.exe"
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 1272, child of 336)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\ugdlxyklyf.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ugdlxyklyf.exe
  MD5: e6edbf0a9ffeb3998434ca4019d293d1
  SHA1: aefb354b4a41a9890d8cb0f597feb37d5776346d
  SHA256: 256d4603e58efac93fdde34cf68f44987534a2264201db068127b1f895b4406b
  SHA512: 10afaf42aaa25190e236fda36b85e706bd262a7393ed8e944ed1d7a58865c234a015da32bf6da336e602999812b097208a82f2c943d91a12953435d97caffaf5
- C:\Users\Admin\AppData\Local\Temp\wxjvir5wwgz496elm3y9
  MD5: bbe94bdaf91779f7986662a6ac131393
  SHA1: a92a54050477f056fd7e8988f8f1227cdacf44d1
  SHA256: bd41d15e50f0f3d50df77ebfa4fc3c889f5d32587caf45bb4153a94b926afdad
  SHA512: f13669421abf38581d92c84f59606f8c3ad8653279404dd8e3e60000d8d20bdf4d332e7f68593ee2ee9f8c736b682e29847702e02744854ec5f3ad89b9d87a41
- C:\Users\Admin\AppData\Local\Temp\zzyuvlggsv
  MD5: b1f4b4df1d2f1ab1af796352b7f7f378
  SHA1: 8573d9772eeda929a21ed1b62bb364b6ec2c0ceb
  SHA256: e29d73dad0b0c8c58994505e18a37e97a0ea4edf692544c57f7cf95b034c802c
  SHA512: c154d9a51c2700b13dd975720b12ba9fd97b7afac7b9cf72d1373174ee9185a2d0b7a571055a98372a185a51fab308cf47ef5c6f861b1f7679b13101990a7586
- memory/336-74-0x0000000000400000-0x000000000040E000-memory.dmp (Filesize: 56KB)
- memory/336-77-0x00000000004A0000-0x0000000000530000-memory.dmp (Filesize: 576KB)
- memory/336-76-0x0000000002170000-0x0000000002473000-memory.dmp (Filesize: 3.0MB)
- memory/336-75-0x0000000000090000-0x00000000000B9000-memory.dmp (Filesize: 164KB)
- memory/524-65-0x0000000000820000-0x0000000000B23000-memory.dmp (Filesize: 3.0MB)
- memory/524-69-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/524-70-0x000000000041D000-0x000000000041E000-memory.dmp (Filesize: 4KB)
- memory/524-71-0x0000000000350000-0x0000000000361000-memory.dmp (Filesize: 68KB)
- memory/524-67-0x0000000000200000-0x0000000000211000-memory.dmp (Filesize: 68KB)
- memory/524-66-0x000000000041D000-0x000000000041E000-memory.dmp (Filesize: 4KB)
- memory/524-62-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/1396-54-0x0000000075D61000-0x0000000075D63000-memory.dmp (Filesize: 8KB)
- memory/1404-68-0x0000000006CF0000-0x0000000006DE7000-memory.dmp (Filesize: 988KB)
- memory/1404-72-0x0000000006DF0000-0x0000000006ED1000-memory.dmp (Filesize: 900KB)
- memory/1404-78-0x0000000004990000-0x0000000004A26000-memory.dmp (Filesize: 600KB)