Analysis

Max time kernel: 1801s
Max time network: 1804s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220112
Submitted: 28-02-2022 11:21
Static task: static1
Behavioral task: behavioral1
Sample: INV15420.exe
Resource: win7-20220223-en
General

Target: INV15420.exe
Size: 42KB
MD5: a17204c4cc765969839d22f78bc125bb
SHA1: 7f29c80d2fbc4c4a73f65684fb689543e202d684
SHA256: 109bfc4f1d73233b058db08b761ad7c77a7bc43bfe2b10a71614e536c2e89d3a
SHA512: 950daa0ff2917f37d71f84bcac7df96c856d0966338b563f480c92d59343938441be0ff93d8801a4dfdc5a4542b3f5b39a5ee9926e9be5b6a498f7e372da6f91
Malware Config

Extracted
Family: xloader
Version: 2.5
Campaign: ahc8
Domains: 65 entries extracted from the configuration (XLoader mixes its real C2 domain among decoy domains).
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2

Xloader Payload (2 IoCs)
YARA rule "xloader" matched in:
- behavioral2/memory/3548-137-0x0000000000400000-0x0000000000429000-memory.dmp
- behavioral2/memory/3752-144-0x00000000001D0000-0x00000000001F9000-memory.dmp

Adds policy Run key to start application (2 TTPs, 2 IoCs)
Process: cmstp.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YBJX0XHXAPX = "C:\\Program Files (x86)\\Bybhxv\\userv0_p.exe"

Blocklisted process makes network request (11 IoCs)
Process: cmstp.exe (PID 3752)
- Network flows: 78, 114, 131, 182, 238, 250, 261, 317, 364, 375, 399

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
- PID 2544 userv0_p.exe
- PID 636 userv0_p.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SetThreadContext (4 IoCs)
- PID 1000 INV15420.exe set thread context of PID 3548 INV15420.exe
- PID 3548 INV15420.exe set thread context of PID 2444 Explorer.EXE
- PID 3752 cmstp.exe set thread context of PID 2444 Explorer.EXE
- PID 2544 userv0_p.exe set thread context of PID 636 userv0_p.exe

Drops file in Program Files directory (4 IoCs)
- File opened for modification: C:\Program Files (x86)\Bybhxv\userv0_p.exe (Explorer.EXE)
- File opened for modification: C:\Program Files (x86)\Bybhxv\userv0_p.exe (cmstp.exe)
- File opened for modification: C:\Program Files (x86)\Bybhxv (Explorer.EXE)
- File created: C:\Program Files (x86)\Bybhxv\userv0_p.exe (Explorer.EXE)

Modifies Internet Explorer settings
- Key created: \Registry\User\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (cmstp.exe)

Modifies registry class (2 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ (Explorer.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ (Explorer.EXE)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 3548 INV15420.exe (4 entries)
- PID 3752 cmstp.exe (60 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 2444 Explorer.EXE

Suspicious behavior: MapViewOfSection (7 IoCs)
- PID 3548 INV15420.exe (3 entries)
- PID 3752 cmstp.exe (4 entries)

Suspicious use of AdjustPrivilegeToken (41 IoCs)
- Token: SeDebugPrivilege, PID 1000 INV15420.exe
- Token: SeDebugPrivilege, PID 3548 INV15420.exe
- Token: SeDebugPrivilege, PID 3752 cmstp.exe
- Token: SeDebugPrivilege, PID 2544 userv0_p.exe
- Token: SeDebugPrivilege, PID 636 userv0_p.exe
- Token: SeShutdownPrivilege / SeCreatePagefilePrivilege, PID 2444 Explorer.EXE (36 alternating entries, 18 of each)

Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 2444 Explorer.EXE (2 entries)

Suspicious use of UnmapMainImage (1 IoC)
- PID 2444 Explorer.EXE

Suspicious use of WriteProcessMemory (27 IoCs)
- PID 1000 INV15420.exe wrote to memory of PID 3548 INV15420.exe (6 entries)
- PID 2444 Explorer.EXE wrote to memory of PID 3752 cmstp.exe (3 entries)
- PID 3752 cmstp.exe wrote to memory of PID 2840 cmd.exe (3 entries)
- PID 2444 Explorer.EXE wrote to memory of PID 2544 userv0_p.exe (3 entries)
- PID 2544 userv0_p.exe wrote to memory of PID 636 userv0_p.exe (6 entries)
- PID 3752 cmstp.exe wrote to memory of PID 1716 cmd.exe (3 entries)
- PID 3752 cmstp.exe wrote to memory of PID 3048 Firefox.exe (3 entries)

System policy modification (1 TTP, 1 IoC)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (cmstp.exe)
Processes

- C:\Windows\Explorer.EXE (PID 2444)
  Command line: C:\Windows\Explorer.EXE
  Signatures: Drops file in Program Files directory; Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\INV15420.exe (PID 1000)
    Command line: "C:\Users\Admin\AppData\Local\Temp\INV15420.exe"
    Signatures: Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\INV15420.exe (PID 3548)
      Command line: "C:\Users\Admin\AppData\Local\Temp\INV15420.exe"
      Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmstp.exe (PID 3752)
    Command line: "C:\Windows\SysWOW64\cmstp.exe"
    Signatures: Adds policy Run key to start application; Blocklisted process makes network request; Suspicious use of SetThreadContext; Drops file in Program Files directory; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Windows\SysWOW64\cmd.exe (PID 2840)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\INV15420.exe"
    - C:\Windows\SysWOW64\cmd.exe (PID 1716)
      Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    - C:\Program Files\Mozilla Firefox\Firefox.exe (PID 3048)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
  - C:\Program Files (x86)\Bybhxv\userv0_p.exe (PID 2544)
    Command line: "C:\Program Files (x86)\Bybhxv\userv0_p.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Bybhxv\userv0_p.exe (PID 636)
      Command line: "C:\Program Files (x86)\Bybhxv\userv0_p.exe"
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe (PID 3612)
  Command line: C:\Windows\system32\svchost.exe -k wsappx -p
- C:\Windows\system32\svchost.exe (PID 3812)
  Command line: C:\Windows\system32\svchost.exe -k wsappx -p
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Program Files (x86)\Bybhxv\userv0_p.exe
MD5: a17204c4cc765969839d22f78bc125bb
SHA1: 7f29c80d2fbc4c4a73f65684fb689543e202d684
SHA256: 109bfc4f1d73233b058db08b761ad7c77a7bc43bfe2b10a71614e536c2e89d3a
SHA512: 950daa0ff2917f37d71f84bcac7df96c856d0966338b563f480c92d59343938441be0ff93d8801a4dfdc5a4542b3f5b39a5ee9926e9be5b6a498f7e372da6f91
(These hashes match the submitted sample: the dropped file is a copy of INV15420.exe.)

C:\Users\Admin\AppData\Local\Temp\DB1
MD5: b608d407fc15adea97c26936bc6f03f6
SHA1: 953e7420801c76393902c0d6bb56148947e41571
SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
(Copy of the Chrome "Login Data" database made by cmd.exe, PID 1716; see the process tree.)

Memory dumps

- memory/636-156-0x0000000001380000-0x00000000016CA000-memory.dmp (3.3MB)
- memory/1000-136-0x0000000006000000-0x000000000609C000-memory.dmp (624KB)
- memory/1000-131-0x00000000001F0000-0x0000000000200000-memory.dmp (64KB)
- memory/1000-132-0x0000000005040000-0x00000000055E4000-memory.dmp (5.6MB)
- memory/1000-133-0x0000000004B90000-0x0000000004C22000-memory.dmp (584KB)
- memory/1000-130-0x0000000074FAE000-0x0000000074FAF000-memory.dmp (4KB)
- memory/1000-134-0x0000000004D10000-0x0000000004D11000-memory.dmp (4KB)
- memory/1000-135-0x0000000004C50000-0x0000000004C5A000-memory.dmp (40KB)
- memory/2444-147-0x0000000008A40000-0x0000000008B4E000-memory.dmp (1.1MB)
- memory/2444-142-0x00000000088E0000-0x0000000008A32000-memory.dmp (1.3MB)
- memory/2544-153-0x0000000005700000-0x0000000005701000-memory.dmp (4KB)
- memory/2544-152-0x0000000073DFE000-0x0000000073DFF000-memory.dmp (4KB)
- memory/3548-141-0x0000000001220000-0x0000000001231000-memory.dmp (68KB)
- memory/3548-139-0x0000000001700000-0x0000000001A4A000-memory.dmp (3.3MB)
- memory/3548-140-0x000000000041D000-0x000000000041E000-memory.dmp (4KB)
- memory/3548-137-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
- memory/3752-146-0x00000000041B0000-0x0000000004240000-memory.dmp (576KB)
- memory/3752-145-0x0000000004480000-0x00000000047CA000-memory.dmp (3.3MB)
- memory/3752-144-0x00000000001D0000-0x00000000001F9000-memory.dmp (164KB)
- memory/3752-143-0x0000000000510000-0x0000000000526000-memory.dmp (88KB)