Analysis
max time kernel: 155s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 08-03-2022 10:36
Static task: static1
Behavioral task: behavioral1
Sample: PO.exe
Resource: win7-20220223-en
General
Target: PO.exe
Size: 906KB
MD5: d87832e3f675ffd9d871f455ffa55ff1
SHA1: 8d2a9daa0caf5fad0159ed2233d56bf94b8e7337
SHA256: 31f44a55873cb84506a1213469e0c884eb7f8b4dea91197bedf8a892c1404654
SHA512: 779258a90d6552c09b132b01b80418054c9a972d797d91c8e202644594a487da60653777137f6acf1ad8ad4d7e8b873bb88505338a126923f9876c9c7499adf9
Malware Config (Extracted)
Family: xloader
Version: 2.5
Campaign: yrcy
Decoy domains:
sturlabas.com
tantrungcompany.com
wildgraceyogahealing.com
wsparalegal.com
8xhgq.xyz
mysaylav.com
amelntl.net
cooleshow.online
adventuresbydisneyathome.com
sprinklekart.com
prostitutkitambovasuck.info
pakdao.com
finsith.com
nightpartner82.xyz
sex9a4ufbj.com
ketohousee.com
mairie-les-cammazes.com
elebots.xyz
highqualityremodeling.net
teamsterslocal553.com
rws3.xyz
ngucocloisua.online
waiting-game.com
chauffeureddriven.com
makemusictemecula.com
17taol.com
big-swindle.com
surveycourses.com
my-safqati.com
gn-powerplants.com
colorgameph.com
jaysingpurchessacademy.com
onlinedon.net
sebashtiana.com
vitamincfood.com
thesportcollective.com
tradableassettokens.com
worldhealthnutrition.com
let-value.com
tanyademby.com
tollesonhouses.com
puzzleadventure.city
mindsetolimpionico.com
krakenind.com
investorsbak.com
tenloe049.xyz
gooddeals4u.online
adelphosformacao.com
cyndeiversondesigns.com
hrofmdieh.com
volucercab.com
bitcoindatai.com
gokelmining.com
magicbasketbourse.net
myblessedgeneration.com
super-trade.online
onevishnu.online
ctr-expert.com
globalitinfra.com
lickmychili.com
0xbot.net
91aaa.net
b3yg6g.com
ruleship.com
lifescreativeflow.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload (3 IoCs)
resource                                                                     yara_rule
behavioral2/memory/3512-137-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral2/memory/3512-139-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral2/memory/3152-145-0x0000000000310000-0x0000000000339000-memory.dmp  xloader
Suspicious use of SetThreadContext (3 IoCs)
description                          pid   process      target process
PID 3764 set thread context of 3512  3764  PO.exe       RegSvcs.exe
PID 3512 set thread context of 2428  3512  RegSvcs.exe  Explorer.EXE
PID 3152 set thread context of 2428  3152  chkdsk.exe   Explorer.EXE
Enumerates system info in registry (2 TTPs, 1 IoC)
description        ioc                                                       process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  chkdsk.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid   process      events
3764  PO.exe       2
3512  RegSvcs.exe  4
3152  chkdsk.exe   8
Suspicious behavior: MapViewOfSection (5 IoCs)
pid   process      events
3512  RegSvcs.exe  3
3152  chkdsk.exe   2
Suspicious use of AdjustPrivilegeToken (7 IoCs)
description                       pid   process
Token: SeDebugPrivilege           3764  PO.exe
Token: SeDebugPrivilege           3512  RegSvcs.exe
Token: SeShutdownPrivilege        2428  Explorer.EXE
Token: SeCreatePagefilePrivilege  2428  Explorer.EXE
Token: SeDebugPrivilege           3152  chkdsk.exe
Token: SeShutdownPrivilege        2428  Explorer.EXE
Token: SeCreatePagefilePrivilege  2428  Explorer.EXE
Suspicious use of WriteProcessMemory (12 IoCs)
description                       pid   process       target process  events
PID 3764 wrote to memory of 3512  3764  PO.exe        RegSvcs.exe     6
PID 2428 wrote to memory of 3152  2428  Explorer.EXE  chkdsk.exe      3
PID 3152 wrote to memory of 3852  3152  chkdsk.exe    cmd.exe         3
Processes (tree depth shown by number)
1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\PO.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\PO.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
         command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\chkdsk.exe
      command line: "C:\Windows\SysWOW64\chkdsk.exe"
      - Suspicious use of SetThreadContext
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Downloads
file                                                              filesize
memory/2428-143-0x0000000008310000-0x000000000846F000-memory.dmp  1.4MB
memory/2428-148-0x00000000087D0000-0x0000000008913000-memory.dmp  1.3MB
memory/3152-147-0x0000000004AD0000-0x0000000004B60000-memory.dmp  576KB
memory/3152-146-0x0000000004D50000-0x000000000509A000-memory.dmp  3.3MB
memory/3152-145-0x0000000000310000-0x0000000000339000-memory.dmp  164KB
memory/3152-144-0x0000000000580000-0x000000000058A000-memory.dmp  40KB
memory/3512-139-0x0000000000400000-0x0000000000429000-memory.dmp  164KB
memory/3512-137-0x0000000000400000-0x0000000000429000-memory.dmp  164KB
memory/3512-140-0x0000000001990000-0x0000000001CDA000-memory.dmp  3.3MB
memory/3512-141-0x000000000041D000-0x000000000041E000-memory.dmp  4KB
memory/3512-142-0x0000000001380000-0x0000000001391000-memory.dmp  68KB
memory/3764-130-0x00000000749E0000-0x0000000075190000-memory.dmp  7.7MB
memory/3764-136-0x0000000000DD0000-0x0000000000E6C000-memory.dmp  624KB
memory/3764-135-0x0000000005070000-0x000000000507A000-memory.dmp  40KB
memory/3764-134-0x0000000004E90000-0x0000000005434000-memory.dmp  5.6MB
memory/3764-133-0x0000000004E90000-0x0000000004F22000-memory.dmp  584KB
memory/3764-132-0x0000000005440000-0x00000000059E4000-memory.dmp  5.6MB
memory/3764-131-0x00000000003B0000-0x0000000000498000-memory.dmp  928KB