Analysis
-
max time kernel
155s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
14-02-2022 06:58
Static task
static1
Behavioral task
behavioral1
Sample
Statement of account, 2021 to 2021.PDF.exe
Resource
win7-en-20211208
General
-
Target
Statement of account, 2021 to 2021.PDF.exe
-
Size
720KB
-
MD5
2295e8293ae10777216f7593f336d23f
-
SHA1
ef7b9b766c61202ee17e2ffbc294f54210609d79
-
SHA256
ea222f4ca18d4bd57e605742a68c0f6b40436d9219700a75ade966e9488db34e
-
SHA512
d3b5b52083411113d731266ffd5a37e20f43e23dc9d4f3b9b791ef8cb5ab42520b3134a8539650e17e62b5da754dbea99f1cfb4fea72ffd74fa74a3c58e43396
Malware Config
Extracted
xloader
2.5
pvxz
imt-token.club
abravewayocen.online
shcloudcar.com
mshoppingworld.online
ncgf08.xyz
stuinfo.xyz
wesavetheplanetofficial.com
tourbox.xyz
believeinyourselftraining.com
jsboyat.com
aaeconomy.info
9etmorea.info
purosepeti7.com
goticketly.com
pinkmemorypt.com
mylifewellnesscentre.com
iridina.online
petrestore.online
neema.xyz
novelfooditalia.com
enterprisedaas.computer
tzkaxh.com
brainfarter.com
youniquegal.com
piiqrio.com
mdaszb.com
boldmale.com
era636.com
castleinsuranceco.com
woodennickelmusicfortwayne.com
customer-servis-kredivo.com
high-clicks.com
greetwithgadgets.com
hfsd1.com
insureagainstearthquakes.net
ultimatejump.rest
parivartanyogeshstore.com
handmanagementblog.com
meishangtianhua.com
michaelscottinsurance.net
kershoes.com
atomiccharmworks.com
conciergecompare.com
zeal-hashima.com
coachianscott.com
hwkm.net
019skz.xyz
jardingenesis.com
sumikkoremon.com
tjpengyun.com
sectionpor.xyz
46t.xyz
sa-pontianak.com
localproperty.team
dotexposed.com
cis136-tgarza.com
eiestilo.com
youknowhowtolive.com
phalcosnusa.com
qaticv93iy.com
hbjngs.com
ocean-nettoyage.com
jenuwinclothes.net
anadoluatvoffroad.com
finetipster.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/2172-139-0x0000000072480000-0x00000000724A9000-memory.dmp xloader behavioral2/memory/2172-144-0x0000000072480000-0x00000000724A9000-memory.dmp xloader behavioral2/memory/4264-147-0x0000000000720000-0x0000000000749000-memory.dmp xloader -
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
rundll32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KPYP9ZIXX0M = "C:\\Program Files (x86)\\G8p6\\e6rdp02qnsdl2e.exe" rundll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run rundll32.exe -
Executes dropped EXE 1 IoCs
Processes:
e6rdp02qnsdl2e.exepid process 4924 e6rdp02qnsdl2e.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Statement of account, 2021 to 2021.PDF.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jvfziqgz = "C:\\Users\\Admin\\zgqizfvJ.url" Statement of account, 2021 to 2021.PDF.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
logagent.exerundll32.exedescription pid process target process PID 2172 set thread context of 676 2172 logagent.exe Explorer.EXE PID 4264 set thread context of 676 4264 rundll32.exe Explorer.EXE -
Drops file in Program Files directory 4 IoCs
Processes:
rundll32.exeExplorer.EXEdescription ioc process File opened for modification C:\Program Files (x86)\G8p6\e6rdp02qnsdl2e.exe rundll32.exe File opened for modification C:\Program Files (x86)\G8p6 Explorer.EXE File created C:\Program Files (x86)\G8p6\e6rdp02qnsdl2e.exe Explorer.EXE File opened for modification C:\Program Files (x86)\G8p6\e6rdp02qnsdl2e.exe Explorer.EXE -
Drops file in Windows directory 8 IoCs
Processes:
svchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe -
Processes:
rundll32.exedescription ioc process Key created \Registry\User\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 rundll32.exe -
Suspicious behavior: EnumeratesProcesses 50 IoCs
Processes:
logagent.exerundll32.exepid process 2172 logagent.exe 2172 logagent.exe 2172 logagent.exe 2172 logagent.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 676 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
logagent.exerundll32.exepid process 2172 logagent.exe 2172 logagent.exe 2172 logagent.exe 4264 rundll32.exe 4264 rundll32.exe 4264 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exelogagent.exerundll32.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 3196 svchost.exe Token: SeCreatePagefilePrivilege 3196 svchost.exe Token: SeShutdownPrivilege 3196 svchost.exe Token: SeCreatePagefilePrivilege 3196 svchost.exe Token: SeShutdownPrivilege 3196 svchost.exe Token: SeCreatePagefilePrivilege 3196 svchost.exe Token: SeDebugPrivilege 2172 logagent.exe Token: SeDebugPrivilege 4264 rundll32.exe Token: SeSecurityPrivilege 1888 TiWorker.exe Token: SeRestorePrivilege 1888 TiWorker.exe Token: SeBackupPrivilege 1888 TiWorker.exe Token: SeBackupPrivilege 1888 TiWorker.exe Token: SeRestorePrivilege 1888 TiWorker.exe Token: SeSecurityPrivilege 1888 TiWorker.exe Token: SeBackupPrivilege 1888 TiWorker.exe Token: SeRestorePrivilege 1888 TiWorker.exe Token: SeSecurityPrivilege 1888 TiWorker.exe Token: SeBackupPrivilege 1888 TiWorker.exe Token: SeRestorePrivilege 1888 TiWorker.exe Token: SeSecurityPrivilege 1888 TiWorker.exe Token: SeBackupPrivilege 1888 TiWorker.exe Token: SeRestorePrivilege 1888 TiWorker.exe Token: SeSecurityPrivilege 1888 TiWorker.exe Token: SeBackupPrivilege 1888 TiWorker.exe Token: SeRestorePrivilege 1888 TiWorker.exe Token: SeSecurityPrivilege 1888 TiWorker.exe Token: SeBackupPrivilege 1888 TiWorker.exe Token: SeRestorePrivilege 1888 TiWorker.exe Token: SeSecurityPrivilege 1888 TiWorker.exe Token: SeBackupPrivilege 1888 TiWorker.exe Token: SeRestorePrivilege 1888 TiWorker.exe Token: SeSecurityPrivilege 1888 TiWorker.exe Token: SeBackupPrivilege 1888 TiWorker.exe Token: SeRestorePrivilege 1888 TiWorker.exe Token: SeSecurityPrivilege 1888 TiWorker.exe Token: SeBackupPrivilege 1888 TiWorker.exe Token: SeRestorePrivilege 1888 TiWorker.exe Token: SeSecurityPrivilege 1888 TiWorker.exe Token: SeBackupPrivilege 1888 TiWorker.exe Token: SeRestorePrivilege 1888 TiWorker.exe Token: SeSecurityPrivilege 1888 TiWorker.exe Token: SeBackupPrivilege 1888 TiWorker.exe Token: SeRestorePrivilege 1888 TiWorker.exe Token: SeSecurityPrivilege 1888 TiWorker.exe Token: SeBackupPrivilege 1888 TiWorker.exe Token: SeRestorePrivilege 1888 TiWorker.exe Token: SeSecurityPrivilege 1888 TiWorker.exe Token: SeBackupPrivilege 1888 TiWorker.exe Token: SeRestorePrivilege 1888 TiWorker.exe Token: SeSecurityPrivilege 1888 TiWorker.exe Token: SeBackupPrivilege 1888 TiWorker.exe Token: SeRestorePrivilege 1888 TiWorker.exe Token: SeSecurityPrivilege 1888 TiWorker.exe Token: SeBackupPrivilege 1888 TiWorker.exe Token: SeRestorePrivilege 1888 TiWorker.exe Token: SeSecurityPrivilege 1888 TiWorker.exe Token: SeBackupPrivilege 1888 TiWorker.exe Token: SeRestorePrivilege 1888 TiWorker.exe Token: SeSecurityPrivilege 1888 TiWorker.exe Token: SeBackupPrivilege 1888 TiWorker.exe Token: SeRestorePrivilege 1888 TiWorker.exe Token: SeSecurityPrivilege 1888 TiWorker.exe Token: SeBackupPrivilege 1888 TiWorker.exe Token: SeRestorePrivilege 1888 TiWorker.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
Statement of account, 2021 to 2021.PDF.exeExplorer.EXErundll32.exedescription pid process target process PID 4060 wrote to memory of 2172 4060 Statement of account, 2021 to 2021.PDF.exe logagent.exe PID 4060 wrote to memory of 2172 4060 Statement of account, 2021 to 2021.PDF.exe logagent.exe PID 4060 wrote to memory of 2172 4060 Statement of account, 2021 to 2021.PDF.exe logagent.exe PID 4060 wrote to memory of 2172 4060 Statement of account, 2021 to 2021.PDF.exe logagent.exe PID 4060 wrote to memory of 2172 4060 Statement of account, 2021 to 2021.PDF.exe logagent.exe PID 4060 wrote to memory of 2172 4060 Statement of account, 2021 to 2021.PDF.exe logagent.exe PID 676 wrote to memory of 4264 676 Explorer.EXE rundll32.exe PID 676 wrote to memory of 4264 676 Explorer.EXE rundll32.exe PID 676 wrote to memory of 4264 676 Explorer.EXE rundll32.exe PID 4264 wrote to memory of 4144 4264 rundll32.exe cmd.exe PID 4264 wrote to memory of 4144 4264 rundll32.exe cmd.exe PID 4264 wrote to memory of 4144 4264 rundll32.exe cmd.exe PID 4264 wrote to memory of 3916 4264 rundll32.exe cmd.exe PID 4264 wrote to memory of 3916 4264 rundll32.exe cmd.exe PID 4264 wrote to memory of 3916 4264 rundll32.exe cmd.exe PID 4264 wrote to memory of 4912 4264 rundll32.exe Firefox.exe PID 4264 wrote to memory of 4912 4264 rundll32.exe Firefox.exe PID 676 wrote to memory of 4924 676 Explorer.EXE e6rdp02qnsdl2e.exe PID 676 wrote to memory of 4924 676 Explorer.EXE e6rdp02qnsdl2e.exe PID 676 wrote to memory of 4924 676 Explorer.EXE e6rdp02qnsdl2e.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer rundll32.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Statement of account, 2021 to 2021.PDF.exe"C:\Users\Admin\AppData\Local\Temp\Statement of account, 2021 to 2021.PDF.exe"2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\logagent.exeC:\Windows\System32\logagent.exe3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe"2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\SysWOW64\logagent.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V3⤵
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
C:\Program Files (x86)\G8p6\e6rdp02qnsdl2e.exe"C:\Program Files (x86)\G8p6\e6rdp02qnsdl2e.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\G8p6\e6rdp02qnsdl2e.exeMD5
523a40703dd9e7da957aa92a204cb1c4
SHA12a069bff58a87f7d2b405fdf87634fb2ce213b21
SHA256058e1a4389ae837fafc6a7bdfca2abf33ceb6915410edbc4b2ebca052e4f13a6
SHA512ca5002ebddb39acd0dbbeb77297ffb719a36bc8288ad6f2732247a28cbf1a6fe7cd238ef126f6b1cca3f259cab55a5c01e3bfcd9bda3d25097233093bdb940bf
-
C:\Users\Admin\AppData\Local\Temp\DB1MD5
b608d407fc15adea97c26936bc6f03f6
SHA1953e7420801c76393902c0d6bb56148947e41571
SHA256b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
memory/676-145-0x0000000008B10000-0x0000000008C42000-memory.dmpFilesize
1.2MB
-
memory/676-150-0x0000000007D30000-0x0000000007E95000-memory.dmpFilesize
1.4MB
-
memory/2172-144-0x0000000072480000-0x00000000724A9000-memory.dmpFilesize
164KB
-
memory/2172-141-0x000000007249D000-0x000000007249E000-memory.dmpFilesize
4KB
-
memory/2172-142-0x0000000001720000-0x0000000001731000-memory.dmpFilesize
68KB
-
memory/2172-140-0x00000000030C0000-0x000000000340A000-memory.dmpFilesize
3.3MB
-
memory/2172-143-0x0000000000F80000-0x0000000000F81000-memory.dmpFilesize
4KB
-
memory/2172-139-0x0000000072480000-0x00000000724A9000-memory.dmpFilesize
164KB
-
memory/3196-137-0x0000028752DB0000-0x0000028752DB4000-memory.dmpFilesize
16KB
-
memory/3196-135-0x0000028750160000-0x0000028750170000-memory.dmpFilesize
64KB
-
memory/3196-136-0x0000028750720000-0x0000028750730000-memory.dmpFilesize
64KB
-
memory/4060-133-0x0000000002120000-0x0000000002121000-memory.dmpFilesize
4KB
-
memory/4264-148-0x00000000028F0000-0x0000000002C3A000-memory.dmpFilesize
3.3MB
-
memory/4264-149-0x0000000002680000-0x0000000002710000-memory.dmpFilesize
576KB
-
memory/4264-146-0x0000000000690000-0x00000000006A4000-memory.dmpFilesize
80KB
-
memory/4264-147-0x0000000000720000-0x0000000000749000-memory.dmpFilesize
164KB