Analysis
max time kernel: 158s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 14-02-2022 07:17
Static task: static1
Behavioral task: behavioral1
Sample: d6ff1bf3d769e567a0e41f7651a56c07.exe
Resource: win7-en-20211208
General
Target: d6ff1bf3d769e567a0e41f7651a56c07.exe
Size: 293KB
MD5: d6ff1bf3d769e567a0e41f7651a56c07
SHA1: 291bcef2a4335eaac400271209d0c0e99486b64c
SHA256: 4d854fee4f2e2a7b2afb2c13b28207f5388b095d0f7f053b90e03cf5873904e9
SHA512: aeaf170b6771653c13140aace7c4803ecdeee1dab95c2986f1893f63aaddab84ae7255095cb55b0c86c857684c90b5e5f8c764ec7e69dc3a7c6f9340cbc080e6
Malware Config
Extracted configuration
Family: xloader
Version: 2.5
Campaign: o6tg
C2 domains: 65 entries extracted from the sample
Signatures
- suricata: ET MALWARE APT-C-23 Activity (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload (2 IoCs)
Processes:
  behavioral2/memory/2460-137-0x0000000000400000-0x0000000000429000-memory.dmp  yara_rule: xloader
  behavioral2/memory/1200-145-0x0000000000380000-0x00000000003A9000-memory.dmp  yara_rule: xloader
Executes dropped EXE (2 IoCs)
Processes:
  pid 2480  ugdlxyklyf.exe
  pid 2460  ugdlxyklyf.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes:
  PID 2480 set thread context of 2460  (ugdlxyklyf.exe -> ugdlxyklyf.exe)
  PID 2460 set thread context of 896   (ugdlxyklyf.exe -> Explorer.EXE)
  PID 1200 set thread context of 896   (systray.exe -> Explorer.EXE)
Drops file in Windows directory (8 IoCs)
Processes:
  File opened for modification C:\Windows\WinSxS\pending.xml  (TiWorker.exe)
  File opened for modification C:\Windows\WindowsUpdate.log  (svchost.exe)
  File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  (svchost.exe)
  File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  (svchost.exe)
  File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  (svchost.exe)
  File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  (svchost.exe)
  File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log  (svchost.exe)
  File opened for modification C:\Windows\Logs\CBS\CBS.log  (TiWorker.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes:
  pid 2460  ugdlxyklyf.exe  (4 entries)
  pid 1200  systray.exe     (56 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid 896  Explorer.EXE
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
  pid 2460  ugdlxyklyf.exe  (3 entries)
  pid 1200  systray.exe     (2 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  Token: SeDebugPrivilege           pid 2460  ugdlxyklyf.exe
  Token: SeDebugPrivilege           pid 1200  systray.exe
  Token: SeShutdownPrivilege        pid 3220  svchost.exe   (3 entries)
  Token: SeCreatePagefilePrivilege  pid 3220  svchost.exe   (3 entries)
  Token: SeSecurityPrivilege / SeRestorePrivilege / SeBackupPrivilege  pid 2320  TiWorker.exe  (remaining 56 entries, cycling through these three privileges)
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid 896  Explorer.EXE  (2 entries)
Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
  PID 3084 wrote to memory of 2480  (d6ff1bf3d769e567a0e41f7651a56c07.exe -> ugdlxyklyf.exe)  (3 entries)
  PID 2480 wrote to memory of 2460  (ugdlxyklyf.exe -> ugdlxyklyf.exe)  (6 entries)
  PID 896 wrote to memory of 1200   (Explorer.EXE -> systray.exe)  (3 entries)
  PID 1200 wrote to memory of 2004  (systray.exe -> cmd.exe)  (3 entries)
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\d6ff1bf3d769e567a0e41f7651a56c07.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d6ff1bf3d769e567a0e41f7651a56c07.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\ugdlxyklyf.exe
      command line: C:\Users\Admin\AppData\Local\Temp\ugdlxyklyf.exe C:\Users\Admin\AppData\Local\Temp\zzyuvlggsv
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\ugdlxyklyf.exe
        command line: C:\Users\Admin\AppData\Local\Temp\ugdlxyklyf.exe C:\Users\Admin\AppData\Local\Temp\zzyuvlggsv
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\systray.exe
    command line: "C:\Windows\SysWOW64\systray.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\ugdlxyklyf.exe"
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\ugdlxyklyf.exe
  MD5: e6edbf0a9ffeb3998434ca4019d293d1
  SHA1: aefb354b4a41a9890d8cb0f597feb37d5776346d
  SHA256: 256d4603e58efac93fdde34cf68f44987534a2264201db068127b1f895b4406b
  SHA512: 10afaf42aaa25190e236fda36b85e706bd262a7393ed8e944ed1d7a58865c234a015da32bf6da336e602999812b097208a82f2c943d91a12953435d97caffaf5
C:\Users\Admin\AppData\Local\Temp\wxjvir5wwgz496elm3y9
  MD5: bbe94bdaf91779f7986662a6ac131393
  SHA1: a92a54050477f056fd7e8988f8f1227cdacf44d1
  SHA256: bd41d15e50f0f3d50df77ebfa4fc3c889f5d32587caf45bb4153a94b926afdad
  SHA512: f13669421abf38581d92c84f59606f8c3ad8653279404dd8e3e60000d8d20bdf4d332e7f68593ee2ee9f8c736b682e29847702e02744854ec5f3ad89b9d87a41
C:\Users\Admin\AppData\Local\Temp\zzyuvlggsv
  MD5: b1f4b4df1d2f1ab1af796352b7f7f378
  SHA1: 8573d9772eeda929a21ed1b62bb364b6ec2c0ceb
  SHA256: e29d73dad0b0c8c58994505e18a37e97a0ea4edf692544c57f7cf95b034c802c
  SHA512: c154d9a51c2700b13dd975720b12ba9fd97b7afac7b9cf72d1373174ee9185a2d0b7a571055a98372a185a51fab308cf47ef5c6f861b1f7679b13101990a7586
memory/896-151-0x0000000008DA0000-0x0000000008EC4000-memory.dmp  Filesize: 1.1MB
memory/896-143-0x00000000075F0000-0x000000000776C000-memory.dmp  Filesize: 1.5MB
memory/1200-146-0x0000000002640000-0x000000000298A000-memory.dmp  Filesize: 3.3MB
memory/1200-150-0x00000000022A0000-0x0000000002330000-memory.dmp  Filesize: 576KB
memory/1200-145-0x0000000000380000-0x00000000003A9000-memory.dmp  Filesize: 164KB
memory/1200-144-0x0000000000E80000-0x0000000000E86000-memory.dmp  Filesize: 24KB
memory/2460-137-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize: 164KB
memory/2460-142-0x00000000019E0000-0x00000000019F1000-memory.dmp  Filesize: 68KB
memory/2460-140-0x0000000001510000-0x000000000185A000-memory.dmp  Filesize: 3.3MB
memory/2460-141-0x000000000041D000-0x000000000041E000-memory.dmp  Filesize: 4KB
memory/3220-147-0x000002ABF0B90000-0x000002ABF0BA0000-memory.dmp  Filesize: 64KB
memory/3220-148-0x000002ABF1360000-0x000002ABF1370000-memory.dmp  Filesize: 64KB
memory/3220-149-0x000002ABF3F70000-0x000002ABF3F74000-memory.dmp  Filesize: 16KB