Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 18-02-2022 01:19
- Static task: static1
General
- Target: cd4c3c2bd35873b1645f1c991feb8c9bd6a0e920b64075114c26ea8e74a4c1c4.exe
- Size: 409KB
- MD5: bc8aa22ea84d7c15414faa6e52baf2f6
- SHA1: 3d1beb573a7040b35b0783c2215d1f4ce674e1a8
- SHA256: cd4c3c2bd35873b1645f1c991feb8c9bd6a0e920b64075114c26ea8e74a4c1c4
- SHA512: fc9eeeadaa8f910bec3a7d2e91c70a15dc68b73cd725c12e4e102fc42be8619a7d8590b4a4276e0d3f017bed5686b48e5f70d2c75a20641ca24f5c8c5af02234
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: ahc8
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 3 IoCs
Processes:
- resource: behavioral1/memory/3876-119-0x0000000000400000-0x0000000000429000-memory.dmp, yara_rule: xloader
- resource: behavioral1/memory/3876-123-0x0000000000400000-0x0000000000429000-memory.dmp, yara_rule: xloader
- resource: behavioral1/memory/3420-129-0x0000000003100000-0x0000000003129000-memory.dmp, yara_rule: xloader
Blocklisted process makes network request 1 IoCs
Processes:
- flow 21: pid 3420, process cscript.exe
Executes dropped EXE 2 IoCs
Processes:
- pid 4156: nbutivrxkc.exe
- pid 3876: nbutivrxkc.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
- PID 4156 (nbutivrxkc.exe) set thread context of 3876 (nbutivrxkc.exe)
- PID 3876 (nbutivrxkc.exe) set thread context of 3032 (Explorer.EXE)
- PID 3420 (cscript.exe) set thread context of 3032 (Explorer.EXE)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
- pid 3876 nbutivrxkc.exe (4 events)
- pid 3420 cscript.exe (56 events)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- pid 3032: Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
- pid 3876 nbutivrxkc.exe (3 events)
- pid 3420 cscript.exe (2 events)
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
- Token: SeDebugPrivilege, pid 3876 nbutivrxkc.exe
- Token: SeDebugPrivilege, pid 3420 cscript.exe
- Token: SeShutdownPrivilege, pid 3032 Explorer.EXE (3 events)
- Token: SeCreatePagefilePrivilege, pid 3032 Explorer.EXE (3 events)
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
- PID 5108 (cd4c3c2bd35873b1645f1c991feb8c9bd6a0e920b64075114c26ea8e74a4c1c4.exe) wrote to memory of 4156 (nbutivrxkc.exe) (3 events)
- PID 4156 (nbutivrxkc.exe) wrote to memory of 3876 (nbutivrxkc.exe) (6 events)
- PID 3032 (Explorer.EXE) wrote to memory of 3420 (cscript.exe) (3 events)
- PID 3420 (cscript.exe) wrote to memory of 3672 (cmd.exe) (3 events)
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\cd4c3c2bd35873b1645f1c991feb8c9bd6a0e920b64075114c26ea8e74a4c1c4.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\cd4c3c2bd35873b1645f1c991feb8c9bd6a0e920b64075114c26ea8e74a4c1c4.exe"
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\nbutivrxkc.exe
          command line: C:\Users\Admin\AppData\Local\Temp\nbutivrxkc.exe C:\Users\Admin\AppData\Local\Temp\efhgpmycu
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\nbutivrxkc.exe
              command line: C:\Users\Admin\AppData\Local\Temp\nbutivrxkc.exe C:\Users\Admin\AppData\Local\Temp\efhgpmycu
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: MapViewOfSection
              - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cscript.exe
      command line: "C:\Windows\SysWOW64\cscript.exe"
      - Blocklisted process makes network request
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          command line: /c del "C:\Users\Admin\AppData\Local\Temp\nbutivrxkc.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\3thcqyo8k432f
  MD5: 80d510dca0072a3a7eb2f77924fafa9e
  SHA1: 2b0eafc6fdfadbd8ff215a3d9e90630283f33737
  SHA256: 09cf0a4e5c932a5c1c7c3549fbdeae041334e02d0dc0482bc803ff8a80685008
  SHA512: 90aff62f0aea024bce6fe8497a9a49a5062558d380e0c2b4ced5acbe00d38b525b15e7447266caa6764f64521b35163a505fc25c96f8e8dde8378b6d3b667ae6
- C:\Users\Admin\AppData\Local\Temp\efhgpmycu
  MD5: d7da3dc51b4b2703cf68607497899fe3
  SHA1: 9b51f6194c5f52bf8bbdc5af605d5682a3d3ae15
  SHA256: ad2ace9c45df2f7e93e1d6d50b58e14949873dc92da8529f684e429e1089c466
  SHA512: b763032639214e05613e3c7e5dd44dc319fc0750874363a934cae781c321323b1e10750668a174be9b16041a4a46a0d3ed812bf4daf29e56d6eb51c98b9dd143
- C:\Users\Admin\AppData\Local\Temp\nbutivrxkc.exe
  MD5: 7bc8aed6c1675063724c2d8e638ff0dd
  SHA1: 51b525db185e226265c14b129eaecac6726284be
  SHA256: 8bd46909b3b4c292f7d35ada0756cca34fb39047c0065f8f6f96191a8c35eec0
  SHA512: 96f2c224afa0c2a7c3b73554f708bccc5e2c261f0ed6b0b8d94c93335fc706702c5d6164dbf9c8514a27dca369d03e20171e350efa78a04075f4b7ffa5089fab
- memory/3032-131-0x0000000003350000-0x0000000003440000-memory.dmp, Filesize: 960KB
- memory/3032-126-0x0000000005860000-0x00000000059FC000-memory.dmp, Filesize: 1.6MB
- memory/3420-128-0x00000000047B0000-0x0000000004AD0000-memory.dmp, Filesize: 3.1MB
- memory/3420-130-0x0000000004B60000-0x0000000004BF0000-memory.dmp, Filesize: 576KB
- memory/3420-129-0x0000000003100000-0x0000000003129000-memory.dmp, Filesize: 164KB
- memory/3420-127-0x0000000000150000-0x0000000000177000-memory.dmp, Filesize: 156KB
- memory/3876-119-0x0000000000400000-0x0000000000429000-memory.dmp, Filesize: 164KB
- memory/3876-124-0x000000000041D000-0x000000000041E000-memory.dmp, Filesize: 4KB
- memory/3876-125-0x0000000000D00000-0x0000000000D11000-memory.dmp, Filesize: 68KB
- memory/3876-123-0x0000000000400000-0x0000000000429000-memory.dmp, Filesize: 164KB
- memory/3876-122-0x0000000000990000-0x0000000000CB0000-memory.dmp, Filesize: 3.1MB