Analysis
- max time kernel: 168s
- max time network: 174s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 17-02-2022 18:11
- Static task: static1
- Behavioral task: behavioral1
- Sample: 8c6d84464096e6d1849c689708516a8d.exe
- Resource: win7-en-20211208
General
- Target: 8c6d84464096e6d1849c689708516a8d.exe
- Size: 385KB
- MD5: 8c6d84464096e6d1849c689708516a8d
- SHA1: 8be47c3512da862eacddc5f4e1eddc55d0e8d4bb
- SHA256: 6370ffa17cea91839f8a40555da2ef41f0e97d539e4bdc60871a7783abcdd7f6
- SHA512: 02913ecf4ab9927c86efb3add83a9edf21de2269acc49b698296626242d5aa04cd89eb8ac267ddafac82d39a2fa099e7474cd70f13f22ab324d1c54f14fbe967
Malware Config
Extracted:
- xloader
- 2.5
- ahc8
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/2556-134-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral2/memory/4448-142-0x0000000000960000-0x0000000000989000-memory.dmp | xloader
- Executes dropped EXE (2 IoCs)
  Processes:
  pid | process
  4716 | mgavd.exe
  2556 | mgavd.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 4716 set thread context of 2556 | 4716 | mgavd.exe | mgavd.exe
  PID 2556 set thread context of 2620 | 2556 | mgavd.exe | Explorer.EXE
  PID 4448 set thread context of 2620 | 4448 | colorcpl.exe | Explorer.EXE
- Drops file in Windows directory (8 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (60 IoCs)
  Processes:
  pid | process | occurrences
  2556 | mgavd.exe | 4
  4448 | colorcpl.exe | 56
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  pid | process
  2620 | Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes:
  pid | process | occurrences
  2556 | mgavd.exe | 3
  4448 | colorcpl.exe | 2
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  pid | process | tokens
  2556 | mgavd.exe | SeDebugPrivilege
  1672 | svchost.exe | SeShutdownPrivilege, SeCreatePagefilePrivilege (repeated)
  4448 | colorcpl.exe | SeDebugPrivilege
  1144 | TiWorker.exe | SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (repeated)
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
  pid | process | target pid | target process | occurrences
  4020 | 8c6d84464096e6d1849c689708516a8d.exe | 4716 | mgavd.exe | 3
  4716 | mgavd.exe | 2556 | mgavd.exe | 6
  2620 | Explorer.EXE | 4448 | colorcpl.exe | 3
  4448 | colorcpl.exe | 5004 | cmd.exe | 3
Processes
- C:\Windows\Explorer.EXE (PID 2620)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\8c6d84464096e6d1849c689708516a8d.exe (PID 4020)
    command line: "C:\Users\Admin\AppData\Local\Temp\8c6d84464096e6d1849c689708516a8d.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\mgavd.exe (PID 4716)
      command line: C:\Users\Admin\AppData\Local\Temp\mgavd.exe C:\Users\Admin\AppData\Local\Temp\qkiged
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\mgavd.exe (PID 2556)
        command line: C:\Users\Admin\AppData\Local\Temp\mgavd.exe C:\Users\Admin\AppData\Local\Temp\qkiged
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\colorcpl.exe (PID 4448)
    command line: "C:\Windows\SysWOW64\colorcpl.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 5004)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\mgavd.exe"
- C:\Windows\system32\svchost.exe (PID 1672)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 1144)
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\cnqpil5ibr72wg
  MD5: 63539c239244dbf6f83e1cc1ebb0a444
  SHA1: 67247ee80ed7f59271e7d897a683ce503cde51c3
  SHA256: 1bbd6f3f30511de3bf7c7643d929edd1f863c0f0bd67331d99b58cb170f61993
  SHA512: 5049f48fe77653a511e5949cfe6c565611f68ae08a557385fb70833495455021fe2ec657c9e127e0e3169dd2127dc136df73b4c361d3bd71661d6f51b28c5d11
- C:\Users\Admin\AppData\Local\Temp\mgavd.exe
  MD5: 1738f16649edcdc550f3e20daa46eafc
  SHA1: 5368d6a6a275a46f5db8bc32a918555321d64a63
  SHA256: 668cc6abe5a037b7570fe87a8f1f8aa0e31da4479e7f9ebf188462176d889a35
  SHA512: d0b348417cb75064e2553b17b0252d05f18bd76491a2c4a90202f21f875b50d3f097933e67c1cb67e6e2be320ca6080ba9120a118677a2df563f0e3dbfe61b13
- C:\Users\Admin\AppData\Local\Temp\qkiged
  MD5: 9b99f44011ecc5da234e3f81f9623261
  SHA1: 1f0b6c9dcff5bc24595fc35d775713dc6f5cce7f
  SHA256: 7014625142806826e7427ec69626abe3d15ce7b21286881eb8c48bcb96d0c47c
  SHA512: 1af1e48b36ad4584d4340e09344dba060974469e5defe7bef9b31e93a6d61b95276c5139f4ae2f5c4342806d75a240753440aaa0805e31406b46617093ff2268
- memory/1672-143-0x0000021651350000-0x0000021651360000-memory.dmp (Filesize: 64KB)
- memory/1672-145-0x00000216540D0000-0x00000216540D4000-memory.dmp (Filesize: 16KB)
- memory/1672-144-0x0000021651A20000-0x0000021651A30000-memory.dmp (Filesize: 64KB)
- memory/2556-134-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/2556-139-0x0000000000AE0000-0x0000000000AF1000-memory.dmp (Filesize: 68KB)
- memory/2556-137-0x0000000000C00000-0x0000000000F4A000-memory.dmp (Filesize: 3.3MB)
- memory/2556-138-0x000000000041D000-0x000000000041E000-memory.dmp (Filesize: 4KB)
- memory/2620-140-0x0000000008E10000-0x0000000008F0C000-memory.dmp (Filesize: 1008KB)
- memory/2620-148-0x0000000008F10000-0x000000000902F000-memory.dmp (Filesize: 1.1MB)
- memory/4448-141-0x0000000000B80000-0x0000000000B99000-memory.dmp (Filesize: 100KB)
- memory/4448-142-0x0000000000960000-0x0000000000989000-memory.dmp (Filesize: 164KB)
- memory/4448-146-0x0000000002BE0000-0x0000000002F2A000-memory.dmp (Filesize: 3.3MB)
- memory/4448-147-0x0000000002930000-0x00000000029C0000-memory.dmp (Filesize: 576KB)