xloader | dfe742ea984310b86ce1d553b87e63f4cdefcf8485b7c860438234377a10a358

General

Target

DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
Size

30KB
MD5

c2ed847cba51543076504a7150261f22
SHA1

93e063e8f777b42cab7f7ed8fa45a2397942dead
SHA256

dfe742ea984310b86ce1d553b87e63f4cdefcf8485b7c860438234377a10a358
SHA512

4dca34f7a0c0ecf2018de5a0e2ba5a9145cfdac508dafa1f5de5fad4072703f6621587b164a742d094cb557e8cedba5630cd7477fbf355a6311ac457c0cb5670

Score

10^/10

xloader po6r loader persistence rat suricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

po6r

Decoy

jnhuichuangxin.com

mubashir.art

extol.design

doyyindh.xyz

milanoautoexperts.com

4thefringe.com

453511.com

sellathonautocredit.com

velgian.com

6672pk.com

wodeluzhou.com

sumiyoshiku-hizaita.xyz

imoveldeprimeira.com

dgjssp.com

endokc.com

side-clicks.com

cashndashfinancial.com

vanhemelryck.info

agamitrading.com

woofgang.xyz

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\kellybrown.exe\","	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3864-134-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/920-141-0x0000000002E40000-0x0000000002E69000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exeDHL - OVERDUE ACCOUNT NOTICE - 1301474408.execmmon32.exe

description	pid	process	target process
PID 3080 set thread context of 3864	3080	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
PID 3864 set thread context of 2436	3864	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe	Explorer.EXE
PID 920 set thread context of 2436	920	cmmon32.exe	Explorer.EXE

Drops file in Windows directory 3 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe

Modifies data under HKEY_USERS 55 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "1157726"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "4"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4380"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "13.332750"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4152"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "6.666726"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "90228624"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.006545"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4068"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132896864758800513"	svchost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exeDHL - OVERDUE ACCOUNT NOTICE - 1301474408.execmmon32.exe

pid	process
3080	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
3080	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
3864	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
3864	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
3864	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
3864	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe
920	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2436 Explorer.EXE

pid	process
2436	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

DHL - OVERDUE ACCOUNT NOTICE - 1301474408.execmmon32.exe

pid	process
3864	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
3864	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
3864	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
920	cmmon32.exe
920	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exeTiWorker.exe

description	pid	process
Token: SeDebugPrivilege	3080	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
Token: SeSecurityPrivilege	2632	TiWorker.exe
Token: SeRestorePrivilege	2632	TiWorker.exe
Token: SeBackupPrivilege	2632	TiWorker.exe
Token: SeBackupPrivilege	2632	TiWorker.exe
Token: SeRestorePrivilege	2632	TiWorker.exe
Token: SeSecurityPrivilege	2632	TiWorker.exe
Token: SeBackupPrivilege	2632	TiWorker.exe
Token: SeRestorePrivilege	2632	TiWorker.exe
Token: SeSecurityPrivilege	2632	TiWorker.exe
Token: SeBackupPrivilege	2632	TiWorker.exe
Token: SeRestorePrivilege	2632	TiWorker.exe
Token: SeSecurityPrivilege	2632	TiWorker.exe
Token: SeBackupPrivilege	2632	TiWorker.exe
Token: SeRestorePrivilege	2632	TiWorker.exe
Token: SeSecurityPrivilege	2632	TiWorker.exe
Token: SeBackupPrivilege	2632	TiWorker.exe
Token: SeRestorePrivilege	2632	TiWorker.exe
Token: SeSecurityPrivilege	2632	TiWorker.exe
Token: SeBackupPrivilege	2632	TiWorker.exe
Token: SeRestorePrivilege	2632	TiWorker.exe
Token: SeSecurityPrivilege	2632	TiWorker.exe
Token: SeBackupPrivilege	2632	TiWorker.exe
Token: SeRestorePrivilege	2632	TiWorker.exe
Token: SeSecurityPrivilege	2632	TiWorker.exe
Token: SeBackupPrivilege	2632	TiWorker.exe
Token: SeRestorePrivilege	2632	TiWorker.exe
Token: SeSecurityPrivilege	2632	TiWorker.exe
Token: SeBackupPrivilege	2632	TiWorker.exe
Token: SeRestorePrivilege	2632	TiWorker.exe
Token: SeSecurityPrivilege	2632	TiWorker.exe
Token: SeBackupPrivilege	2632	TiWorker.exe
Token: SeRestorePrivilege	2632	TiWorker.exe
Token: SeSecurityPrivilege	2632	TiWorker.exe
Token: SeBackupPrivilege	2632	TiWorker.exe
Token: SeRestorePrivilege	2632	TiWorker.exe
Token: SeSecurityPrivilege	2632	TiWorker.exe
Token: SeBackupPrivilege	2632	TiWorker.exe
Token: SeRestorePrivilege	2632	TiWorker.exe
Token: SeSecurityPrivilege	2632	TiWorker.exe
Token: SeBackupPrivilege	2632	TiWorker.exe
Token: SeRestorePrivilege	2632	TiWorker.exe
Token: SeSecurityPrivilege	2632	TiWorker.exe
Token: SeBackupPrivilege	2632	TiWorker.exe
Token: SeRestorePrivilege	2632	TiWorker.exe
Token: SeSecurityPrivilege	2632	TiWorker.exe
Token: SeBackupPrivilege	2632	TiWorker.exe
Token: SeRestorePrivilege	2632	TiWorker.exe
Token: SeSecurityPrivilege	2632	TiWorker.exe
Token: SeBackupPrivilege	2632	TiWorker.exe
Token: SeRestorePrivilege	2632	TiWorker.exe
Token: SeSecurityPrivilege	2632	TiWorker.exe
Token: SeBackupPrivilege	2632	TiWorker.exe
Token: SeRestorePrivilege	2632	TiWorker.exe
Token: SeSecurityPrivilege	2632	TiWorker.exe
Token: SeBackupPrivilege	2632	TiWorker.exe
Token: SeRestorePrivilege	2632	TiWorker.exe
Token: SeSecurityPrivilege	2632	TiWorker.exe
Token: SeBackupPrivilege	2632	TiWorker.exe
Token: SeRestorePrivilege	2632	TiWorker.exe
Token: SeSecurityPrivilege	2632	TiWorker.exe
Token: SeBackupPrivilege	2632	TiWorker.exe
Token: SeRestorePrivilege	2632	TiWorker.exe
Token: SeSecurityPrivilege	2632	TiWorker.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exeExplorer.EXE

description	pid	process	target process
PID 3080 wrote to memory of 3864	3080	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
PID 3080 wrote to memory of 3864	3080	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
PID 3080 wrote to memory of 3864	3080	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
PID 3080 wrote to memory of 3864	3080	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
PID 3080 wrote to memory of 3864	3080	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
PID 3080 wrote to memory of 3864	3080	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe	DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
PID 2436 wrote to memory of 920	2436	Explorer.EXE	cmmon32.exe
PID 2436 wrote to memory of 920	2436	Explorer.EXE	cmmon32.exe
PID 2436 wrote to memory of 920	2436	Explorer.EXE	cmmon32.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2436

C:\Users\Admin\AppData\Local\Temp\DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
"C:\Users\Admin\AppData\Local\Temp\DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe"
2⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3080

C:\Users\Admin\AppData\Local\Temp\DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe
"C:\Users\Admin\AppData\Local\Temp\DHL - OVERDUE ACCOUNT NOTICE - 1301474408.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3864

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:920

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:432

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3384

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/920-143-0x0000000004B90000-0x0000000004C20000-memory.dmp

Filesize
576KB

Download
memory/920-142-0x0000000004CB0000-0x0000000004FFA000-memory.dmp

Filesize
3.3MB

Download
memory/920-141-0x0000000002E40000-0x0000000002E69000-memory.dmp

Filesize
164KB

Download
memory/920-140-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download
memory/2436-139-0x0000000002A50000-0x0000000002B16000-memory.dmp

Filesize
792KB

Download
memory/2436-144-0x0000000007900000-0x0000000007A5F000-memory.dmp

Filesize
1.4MB

Download
memory/3080-133-0x000000000BFE0000-0x000000000C072000-memory.dmp

Filesize
584KB

Download
memory/3080-130-0x00000000746FE000-0x00000000746FF000-memory.dmp

Filesize
4KB

Download
memory/3080-132-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/3080-131-0x0000000000CD0000-0x0000000000CDE000-memory.dmp

Filesize
56KB

Download
memory/3864-138-0x0000000001260000-0x0000000001271000-memory.dmp

Filesize
68KB

Download
memory/3864-137-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/3864-135-0x00000000012F0000-0x000000000163A000-memory.dmp

Filesize
3.3MB

Download
memory/3864-134-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads