Analysis
- max time kernel: 151s
- max time network: 156s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 01-03-2022 11:57
- Static task: static1
- Behavioral task: behavioral1
- Sample: RECEIPT 0266255252.exe
- Resource: win7-en-20211208
General
- Target: RECEIPT 0266255252.exe
- Size: 300KB
- MD5: c7012ce63b4ed9e49bf7be48fc27beae
- SHA1: 8c91c8e2a90b9e9b3d3dde1fb32e02e5de5dd347
- SHA256: b3babb49432b3d09adbf7e79dfb2fe84f4d417ad394ccd59412c9e083a42a673
- SHA512: 6ded1f1974ace78c102fc60e65cef89b664860edd87938af9efa1b4574de43667b614fbc19f49fae2d018180a2a706181982179193bba5c5ccac565758ee2e60
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: rmfg
- Domains:
prospectcompounding.com
grand-prix.voyage
solvingpklogc.xyz
eliamhome.com
gamevip88.club
arsels.info
dswlt.com
dchehe.com
lawyerjerusalem.com
pbnseo.xyz
apuryifuid.com
kiukiupoker88.net
leannonimpact.com
kare-furniture.com
mississaugaremax.online
zpyh198.com
dueplay.store
naimi.ltd
greenstepspodiatry.com
cewirtanen.com
stonebyparamount.com
stellenbargains.com
meyerranch.realty
bitcoingrab.com
ifjejijfe.xyz
drjeannerot.com
trgau.com
thailandland.land
satupena.info
coinzillo.com
cloudreveller.digital
wilsoncreekarts.com
hyalucaps.com
dempius.com
onycostopsale.com
54jjpygl.xyz
quick2repair.net
tpyrj.com
cyndeiversondesigns.com
lmandarin.com
bornholm-urlaub.info
rodictibey.quest
saiione.com
flydakhla.com
surveycourses.com
bestnico.space
huvao.com
uptownholding.com
elitesellerstrafficnet.com
zitzies.xyz
supermercadolonuestro.com
laptoppricenepal.com
navyantra.com
myjms315.com
loanswithbrian.net
birbeygrup.xyz
trend-marketing.club
meipassion.com
amtha.com
witlyza.com
boardsandbeamsdecor.com
c2batwpnmu5uvtvnvfk5916.com
yavuzselimorganizasyon.com
4580055.xyz
brimstrategy.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload (3 IoCs)
  Processes:
    resource | yara_rule
    behavioral1/memory/564-63-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
    behavioral1/memory/564-67-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
    behavioral1/memory/1380-72-0x0000000000080000-0x00000000000A9000-memory.dmp | xloader
- Executes dropped EXE (2 IoCs)
  Processes:
    pid | process
    1684 | etesfm.exe
    564 | etesfm.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid | process
    1668 | RECEIPT 0266255252.exe
    1684 | etesfm.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
    description | pid | process | target process
    PID 1684 set thread context of 564 | 1684 | etesfm.exe | etesfm.exe
    PID 564 set thread context of 1372 | 564 | etesfm.exe | Explorer.EXE
    PID 1380 set thread context of 1372 | 1380 | help.exe | Explorer.EXE
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  Processes:
    pid | process
    564 | etesfm.exe (2 entries)
    1380 | help.exe (29 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid | process
    1372 | Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes:
    pid | process
    564 | etesfm.exe (3 entries)
    1380 | help.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 564 | etesfm.exe
    Token: SeDebugPrivilege | 1380 | help.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    pid | process
    1372 | Explorer.EXE (2 entries)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes:
    pid | process
    1372 | Explorer.EXE (2 entries)
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes:
    description | pid | process | target process
    PID 1668 wrote to memory of 1684 | 1668 | RECEIPT 0266255252.exe | etesfm.exe (4 entries)
    PID 1684 wrote to memory of 564 | 1684 | etesfm.exe | etesfm.exe (7 entries)
    PID 1372 wrote to memory of 1380 | 1372 | Explorer.EXE | help.exe (4 entries)
    PID 1380 wrote to memory of 1764 | 1380 | help.exe | cmd.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\RECEIPT 0266255252.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RECEIPT 0266255252.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\etesfm.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\etesfm.exe C:\Users\Admin\AppData\Local\Temp\vzyiso
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\etesfm.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\etesfm.exe C:\Users\Admin\AppData\Local\Temp\vzyiso
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\help.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\help.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\etesfm.exe"
Downloads
- C:\Users\Admin\AppData\Local\Temp\etesfm.exe
  MD5: 12ba701928ac0c5894000dedc1213151
  SHA1: eab2734cb14c0aedd4689b502c854869eb9e97d3
  SHA256: 31422622c217fe7978d0c5c8878a990a9288b80a796c4f3274e92ebf08005f4d
  SHA512: 1aca194f0f0905d470215745cd113b111345ba2330177cb59659db8d714dc2b65b780086f4586e6b908e2549bd079e7c5d20714ff35052fdcf6098c058aafb5a
- C:\Users\Admin\AppData\Local\Temp\hg1xt3velopl8
  MD5: f940151ae73b4a19450f1214d210fbb8
  SHA1: c45702b0676bc18a792c217f6b804fecf0487836
  SHA256: 6e0e27ead911c2ec1fb0c30cdbad40bea1d7e90bedb3d74e3cd6d7f6ff0f430a
  SHA512: d1911faa1088dbdf19971580dab118cca1e4ce28ec061fb7f49c2e9cfaeb67e7fbc7abcac824f36b0724a95fd204fff24b2c892e9ef81ede8b8c80c60ecf5f77
- C:\Users\Admin\AppData\Local\Temp\vzyiso
  MD5: ca93353f618e990d0c4ac5c3007abfdd
  SHA1: 4a52063da3beb1ddf89f8d91e5bc7fd9c80a2fa9
  SHA256: c8a49296632cae0607c345427b99fc44dfa1d90e6524bbfa8249acfeafe386dd
  SHA512: 36fcf63cee72aa2525981281d64bfc641eb4564a48f9cebb4c120a36efb79522869f3890f89839d4e456b29d324bbed6db8d0d0e2dc3d7ac8d9ce5be5e0041db
- \Users\Admin\AppData\Local\Temp\etesfm.exe
  MD5: 12ba701928ac0c5894000dedc1213151
  SHA1: eab2734cb14c0aedd4689b502c854869eb9e97d3
  SHA256: 31422622c217fe7978d0c5c8878a990a9288b80a796c4f3274e92ebf08005f4d
  SHA512: 1aca194f0f0905d470215745cd113b111345ba2330177cb59659db8d714dc2b65b780086f4586e6b908e2549bd079e7c5d20714ff35052fdcf6098c058aafb5a
- memory/564-67-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/564-63-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/564-66-0x0000000000890000-0x0000000000B93000-memory.dmp
  Filesize: 3.0MB
- memory/564-68-0x000000000041D000-0x000000000041E000-memory.dmp
  Filesize: 4KB
- memory/564-69-0x0000000000340000-0x0000000000351000-memory.dmp
  Filesize: 68KB
- memory/1372-70-0x0000000005F00000-0x0000000006064000-memory.dmp
  Filesize: 1.4MB
- memory/1372-75-0x0000000006620000-0x00000000066E4000-memory.dmp
  Filesize: 784KB
- memory/1380-71-0x00000000003B0000-0x00000000003B6000-memory.dmp
  Filesize: 24KB
- memory/1380-72-0x0000000000080000-0x00000000000A9000-memory.dmp
  Filesize: 164KB
- memory/1380-73-0x00000000006F0000-0x00000000009F3000-memory.dmp
  Filesize: 3.0MB
- memory/1380-74-0x00000000004B0000-0x0000000000540000-memory.dmp
  Filesize: 576KB
- memory/1668-55-0x0000000076641000-0x0000000076643000-memory.dmp
  Filesize: 8KB