Analysis
Max time kernel: 155s
Max time network: 162s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220113
Submitted: 01-03-2022 11:57
Static task: static1
Behavioral task: behavioral1
Sample: RECEIPT 0266255252.exe
Resource: win7-en-20211208
General
Target: RECEIPT 0266255252.exe
Size: 300KB
MD5: c7012ce63b4ed9e49bf7be48fc27beae
SHA1: 8c91c8e2a90b9e9b3d3dde1fb32e02e5de5dd347
SHA256: b3babb49432b3d09adbf7e79dfb2fe84f4d417ad394ccd59412c9e083a42a673
SHA512: 6ded1f1974ace78c102fc60e65cef89b664860edd87938af9efa1b4574de43667b614fbc19f49fae2d018180a2a706181982179193bba5c5ccac565758ee2e60
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: rmfg
Decoy domains:
prospectcompounding.com
grand-prix.voyage
solvingpklogc.xyz
eliamhome.com
gamevip88.club
arsels.info
dswlt.com
dchehe.com
lawyerjerusalem.com
pbnseo.xyz
apuryifuid.com
kiukiupoker88.net
leannonimpact.com
kare-furniture.com
mississaugaremax.online
zpyh198.com
dueplay.store
naimi.ltd
greenstepspodiatry.com
cewirtanen.com
stonebyparamount.com
stellenbargains.com
meyerranch.realty
bitcoingrab.com
ifjejijfe.xyz
drjeannerot.com
trgau.com
thailandland.land
satupena.info
coinzillo.com
cloudreveller.digital
wilsoncreekarts.com
hyalucaps.com
dempius.com
onycostopsale.com
54jjpygl.xyz
quick2repair.net
tpyrj.com
cyndeiversondesigns.com
lmandarin.com
bornholm-urlaub.info
rodictibey.quest
saiione.com
flydakhla.com
surveycourses.com
bestnico.space
huvao.com
uptownholding.com
elitesellerstrafficnet.com
zitzies.xyz
supermercadolonuestro.com
laptoppricenepal.com
navyantra.com
myjms315.com
loanswithbrian.net
birbeygrup.xyz
trend-marketing.club
meipassion.com
amtha.com
witlyza.com
boardsandbeamsdecor.com
c2batwpnmu5uvtvnvfk5916.com
yavuzselimorganizasyon.com
4580055.xyz
brimstrategy.com
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload (2 IoCs)
Processes:
  resource: behavioral2/memory/4896-134-0x0000000000400000-0x0000000000429000-memory.dmp  yara_rule: xloader
  resource: behavioral2/memory/4908-142-0x00000000006B0000-0x00000000006D9000-memory.dmp  yara_rule: xloader

Executes dropped EXE (2 IoCs)
Processes:
  pid 3292  etesfm.exe
  pid 4896  etesfm.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes:
  PID 3292 (etesfm.exe) set thread context of 4896 (etesfm.exe)
  PID 4896 (etesfm.exe) set thread context of 1164 (Explorer.EXE)
  PID 4908 (colorcpl.exe) set thread context of 1164 (Explorer.EXE)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes:
  pid 4896  etesfm.exe    (4 entries)
  pid 4908  colorcpl.exe  (remaining 56 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid 1164  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
  pid 4896  etesfm.exe    (3 entries)
  pid 4908  colorcpl.exe  (2 entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  Token: SeDebugPrivilege           pid 4896  etesfm.exe
  Token: SeDebugPrivilege           pid 4908  colorcpl.exe
  Token: SeShutdownPrivilege        pid 1164  Explorer.EXE
  Token: SeCreatePagefilePrivilege  pid 1164  Explorer.EXE

Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
  PID 4920 (RECEIPT 0266255252.exe) wrote to memory of 3292 (etesfm.exe)  x3
  PID 3292 (etesfm.exe) wrote to memory of 4896 (etesfm.exe)               x6
  PID 1164 (Explorer.EXE) wrote to memory of 4908 (colorcpl.exe)           x3
  PID 4908 (colorcpl.exe) wrote to memory of 4660 (cmd.exe)                x3
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\RECEIPT 0266255252.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RECEIPT 0266255252.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\etesfm.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\etesfm.exe C:\Users\Admin\AppData\Local\Temp\vzyiso
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\etesfm.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\etesfm.exe C:\Users\Admin\AppData\Local\Temp\vzyiso
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\colorcpl.exe
    Command line: "C:\Windows\SysWOW64\colorcpl.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\etesfm.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Local\Temp\etesfm.exe
  MD5: 12ba701928ac0c5894000dedc1213151
  SHA1: eab2734cb14c0aedd4689b502c854869eb9e97d3
  SHA256: 31422622c217fe7978d0c5c8878a990a9288b80a796c4f3274e92ebf08005f4d
  SHA512: 1aca194f0f0905d470215745cd113b111345ba2330177cb59659db8d714dc2b65b780086f4586e6b908e2549bd079e7c5d20714ff35052fdcf6098c058aafb5a
C:\Users\Admin\AppData\Local\Temp\hg1xt3velopl8
  MD5: f940151ae73b4a19450f1214d210fbb8
  SHA1: c45702b0676bc18a792c217f6b804fecf0487836
  SHA256: 6e0e27ead911c2ec1fb0c30cdbad40bea1d7e90bedb3d74e3cd6d7f6ff0f430a
  SHA512: d1911faa1088dbdf19971580dab118cca1e4ce28ec061fb7f49c2e9cfaeb67e7fbc7abcac824f36b0724a95fd204fff24b2c892e9ef81ede8b8c80c60ecf5f77
C:\Users\Admin\AppData\Local\Temp\vzyiso
  MD5: ca93353f618e990d0c4ac5c3007abfdd
  SHA1: 4a52063da3beb1ddf89f8d91e5bc7fd9c80a2fa9
  SHA256: c8a49296632cae0607c345427b99fc44dfa1d90e6524bbfa8249acfeafe386dd
  SHA512: 36fcf63cee72aa2525981281d64bfc641eb4564a48f9cebb4c120a36efb79522869f3890f89839d4e456b29d324bbed6db8d0d0e2dc3d7ac8d9ce5be5e0041db
memory/1164-140-0x0000000008E30000-0x0000000008F8C000-memory.dmp  Filesize: 1.4MB
memory/1164-145-0x0000000008B20000-0x0000000008C00000-memory.dmp  Filesize: 896KB
memory/4896-138-0x000000000041D000-0x000000000041E000-memory.dmp  Filesize: 4KB
memory/4896-137-0x0000000000BD0000-0x0000000000F1A000-memory.dmp  Filesize: 3.3MB
memory/4896-139-0x00000000005C0000-0x00000000005D1000-memory.dmp  Filesize: 68KB
memory/4896-134-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize: 164KB
memory/4908-141-0x00000000005F0000-0x0000000000609000-memory.dmp  Filesize: 100KB
memory/4908-142-0x00000000006B0000-0x00000000006D9000-memory.dmp  Filesize: 164KB
memory/4908-143-0x0000000002970000-0x0000000002CBA000-memory.dmp  Filesize: 3.3MB
memory/4908-144-0x00000000026A0000-0x0000000002730000-memory.dmp  Filesize: 576KB