Analysis
- max time kernel: 152s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 23-02-2022 14:15

Static task: static1
Behavioral task: behavioral1
- Sample: RECEIPT REF NO 002627262.exe
- Resource: win7-20220223-en
General
- Target: RECEIPT REF NO 002627262.exe
- Size: 302KB
- MD5: 5d333987aafbd8bf8df57e9b9e56b4ac
- SHA1: c7bc50b60c4b20e1bf40eed679def38e46c0fb13
- SHA256: 3353fe4567105c292bdae27525448f7d7a5d0b174e097355ff04e75057dd63f3
- SHA512: 38eccdd1bd52da95835c8305257aa0b548a7582d04a87f2c06e82365cf00fdd699cb6ecc46b40146a658b9f4efae562141d809ad7b05ddfebc5d694b6417e517
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: rmfg
- C2 domains:
prospectcompounding.com
grand-prix.voyage
solvingpklogc.xyz
eliamhome.com
gamevip88.club
arsels.info
dswlt.com
dchehe.com
lawyerjerusalem.com
pbnseo.xyz
apuryifuid.com
kiukiupoker88.net
leannonimpact.com
kare-furniture.com
mississaugaremax.online
zpyh198.com
dueplay.store
naimi.ltd
greenstepspodiatry.com
cewirtanen.com
stonebyparamount.com
stellenbargains.com
meyerranch.realty
bitcoingrab.com
ifjejijfe.xyz
drjeannerot.com
trgau.com
thailandland.land
satupena.info
coinzillo.com
cloudreveller.digital
wilsoncreekarts.com
hyalucaps.com
dempius.com
onycostopsale.com
54jjpygl.xyz
quick2repair.net
tpyrj.com
cyndeiversondesigns.com
lmandarin.com
bornholm-urlaub.info
rodictibey.quest
saiione.com
flydakhla.com
surveycourses.com
bestnico.space
huvao.com
uptownholding.com
elitesellerstrafficnet.com
zitzies.xyz
supermercadolonuestro.com
laptoppricenepal.com
navyantra.com
myjms315.com
loanswithbrian.net
birbeygrup.xyz
trend-marketing.club
meipassion.com
amtha.com
witlyza.com
boardsandbeamsdecor.com
c2batwpnmu5uvtvnvfk5916.com
yavuzselimorganizasyon.com
4580055.xyz
brimstrategy.com
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 536 created 3840 | 536 | WerFault.exe | bdll_ryptrh_r.exe
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/3228-134-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral2/memory/3228-138-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral2/memory/1596-147-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rundll32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RPXLG6JPLXID = "C:\\Program Files (x86)\\Mmdwx\\bdll_ryptrh_r.exe" | rundll32.exe
- Executes dropped EXE (3 IoCs)
  Processes:
  pid | process
  460 | wpxizwm.exe
  3228 | wpxizwm.exe
  3840 | bdll_ryptrh_r.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (4 IoCs)
  Processes:
  description | pid | process | target process
  PID 460 set thread context of 3228 | 460 | wpxizwm.exe | wpxizwm.exe
  PID 3228 set thread context of 2324 | 3228 | wpxizwm.exe | Explorer.EXE
  PID 3228 set thread context of 2324 | 3228 | wpxizwm.exe | Explorer.EXE
  PID 1596 set thread context of 2324 | 1596 | rundll32.exe | Explorer.EXE
- Drops file in Program Files directory (4 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\Mmdwx\bdll_ryptrh_r.exe | rundll32.exe
  File opened for modification | C:\Program Files (x86)\Mmdwx | Explorer.EXE
  File created | C:\Program Files (x86)\Mmdwx\bdll_ryptrh_r.exe | Explorer.EXE
  File opened for modification | C:\Program Files (x86)\Mmdwx\bdll_ryptrh_r.exe | Explorer.EXE
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes:
  pid | pid_target | process | target process
  1252 | 3840 | WerFault.exe | bdll_ryptrh_r.exe
- Modifies Internet Explorer settings (signature name missing from the extracted text; restored from the rundll32.exe entry in the process tree)
  Processes:
  description | ioc | process
  Key created | \Registry\User\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (54 IoCs)
  Processes:
  pid | process
  3228 | wpxizwm.exe (6 entries)
  1596 | rundll32.exe (48 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  pid | process
  2324 | Explorer.EXE
- Suspicious behavior: MapViewOfSection (7 IoCs)
  Processes:
  pid | process
  3228 | wpxizwm.exe (4 entries)
  1596 | rundll32.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (12 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3228 | wpxizwm.exe
  Token: SeDebugPrivilege | 1596 | rundll32.exe
  Token: SeShutdownPrivilege | 2324 | Explorer.EXE (4 entries)
  Token: SeCreatePagefilePrivilege | 2324 | Explorer.EXE (4 entries)
  Token: SeRestorePrivilege | 1252 | WerFault.exe
  Token: SeBackupPrivilege | 1252 | WerFault.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  Processes:
  description | pid | process | target process
  PID 3780 wrote to memory of 460 | 3780 | RECEIPT REF NO 002627262.exe | wpxizwm.exe (3 entries)
  PID 460 wrote to memory of 3228 | 460 | wpxizwm.exe | wpxizwm.exe (6 entries)
  PID 2324 wrote to memory of 1596 | 2324 | Explorer.EXE | rundll32.exe (3 entries)
  PID 1596 wrote to memory of 2724 | 1596 | rundll32.exe | cmd.exe (3 entries)
  PID 1596 wrote to memory of 3628 | 1596 | rundll32.exe | cmd.exe (3 entries)
  PID 1596 wrote to memory of 2056 | 1596 | rundll32.exe | Firefox.exe (2 entries)
  PID 2324 wrote to memory of 3840 | 2324 | Explorer.EXE | bdll_ryptrh_r.exe (3 entries)
  PID 536 wrote to memory of 3840 | 536 | WerFault.exe | bdll_ryptrh_r.exe (2 entries)
- System policy modification (1 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | rundll32.exe
Processes
Level 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\RECEIPT REF NO 002627262.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RECEIPT REF NO 002627262.exe"
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Local\Temp\wpxizwm.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\wpxizwm.exe C:\Users\Admin\AppData\Local\Temp\vdean
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Users\Admin\AppData\Local\Temp\wpxizwm.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\wpxizwm.exe C:\Users\Admin\AppData\Local\Temp\vdean
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\SysWOW64\rundll32.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\wpxizwm.exe"
    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    Level 3: C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
  Level 2: C:\Program Files (x86)\Mmdwx\bdll_ryptrh_r.exe
    Command line: "C:\Program Files (x86)\Mmdwx\bdll_ryptrh_r.exe"
    - Executes dropped EXE
    Level 3: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 552
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3840 -ip 3840
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory
Downloads
- C:\Program Files (x86)\Mmdwx\bdll_ryptrh_r.exe
  MD5: 05f07e533e418df0521a64d9af400daf
  SHA1: 43408653ea6d815bc7acb11a1328982c5e61aff8
  SHA256: 9371dfe491756a047f8617103536db01dfcf8a4dfac1530f598b0a6cb5981abd
  SHA512: 54ed026848c0b96a5c6a62629990bf0a6661502bf12e8b3a5fdd68a8678d956bb49bbccc5abc47a722043ff79d7db15844236e28d7a5ad2b150fb479eb4e974f
- C:\Users\Admin\AppData\Local\Temp\DB1
  MD5: b608d407fc15adea97c26936bc6f03f6
  SHA1: 953e7420801c76393902c0d6bb56148947e41571
  SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
- C:\Users\Admin\AppData\Local\Temp\vdean
  MD5: a04faf63da2fbfb5679e41d04140939e
  SHA1: b8d6dbb0f2fafdeeead79c0cd62326cda95a8785
  SHA256: c6144a6b0af2eaaa5b1226448b012740bcad08bc401a4f697d755b571c066a7c
  SHA512: cd98d5fc8708992769cd7d792c3bd09624983e548e949a9844677f58ddf51c5f2cd479b2e05ae734054d8633f6cddf0127165c54903fec897a86bdef1ce7a866
- C:\Users\Admin\AppData\Local\Temp\wpxizwm.exe
  MD5: 05f07e533e418df0521a64d9af400daf
  SHA1: 43408653ea6d815bc7acb11a1328982c5e61aff8
  SHA256: 9371dfe491756a047f8617103536db01dfcf8a4dfac1530f598b0a6cb5981abd
  SHA512: 54ed026848c0b96a5c6a62629990bf0a6661502bf12e8b3a5fdd68a8678d956bb49bbccc5abc47a722043ff79d7db15844236e28d7a5ad2b150fb479eb4e974f
- C:\Users\Admin\AppData\Local\Temp\xsyco49pmc4l
  MD5: 945121f49321875af38fe7f12dd2343e
  SHA1: f2cf4c6a504815e362a18cce671b6c0b371629e1
  SHA256: ff66241def80707fe029fefa54441de9eb88028c5cc33f20ef080cf2e04254e5
  SHA512: 1ca2a7f9c3e1c535514ebc9a5861c4f632a39354351e63a074081b864cd9592636781fe5714dad8472148ba1b5f0f41b104075556960aec73b3510f6ff3d6634
- memory/1596-147-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/1596-148-0x00000000043B0000-0x00000000046FA000-memory.dmp
  Filesize: 3.3MB
- memory/1596-149-0x00000000040E0000-0x0000000004170000-memory.dmp
  Filesize: 576KB
- memory/1596-146-0x0000000000A20000-0x0000000000A34000-memory.dmp
  Filesize: 80KB
- memory/2324-141-0x0000000007D80000-0x0000000007EDC000-memory.dmp
  Filesize: 1.4MB
- memory/2324-150-0x0000000008280000-0x00000000083BA000-memory.dmp
  Filesize: 1.2MB
- memory/2324-145-0x00000000071E0000-0x000000000728D000-memory.dmp
  Filesize: 692KB
- memory/3228-144-0x0000000000940000-0x0000000000951000-memory.dmp
  Filesize: 68KB
- memory/3228-139-0x000000000041D000-0x000000000041E000-memory.dmp
  Filesize: 4KB
- memory/3228-140-0x00000000005E0000-0x00000000005F1000-memory.dmp
  Filesize: 68KB
- memory/3228-143-0x000000000041D000-0x000000000041E000-memory.dmp
  Filesize: 4KB
- memory/3228-138-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/3228-137-0x0000000000A70000-0x0000000000DBA000-memory.dmp
  Filesize: 3.3MB
- memory/3228-134-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB