Analysis
-
max time kernel
177s -
max time network
185s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
11-03-2022 02:15
Static task
static1
Behavioral task
behavioral1
Sample
triage_dropped_file.exe
Resource
win7-20220223-en
General
-
Target
triage_dropped_file.exe
-
Size
308KB
-
MD5
e41def555743c430d0def4a513de4d96
-
SHA1
7c90a41062f1f867a1ae0bdeb1d37ca72cd2b95e
-
SHA256
1190df73979f3dc768713f51fcf6e2eb439b95caf7c4a2b998c377ea5a35e9d5
-
SHA512
331add20592a9cd8336bc902fe0f4934f6b50866904eb60f4cc3e6046c5edf8d29b5e901cc37f1619ffed9ae83201bbb93d165297ba41dda655b533870e722b6
Malware Config
Extracted
xloader
2.5
ahc8
192451.com
wwwripostes.net
sirikhalsalaw.com
bitterbaybay.com
stella-scrubs.com
almanecermezcal.com
goodgood.online
translate-now.online
sincerefilm.com
quadrantforensics.com
johnfrenchart.com
plick-click.com
alnileen.com
tghi.xyz
172711.com
maymakita.com
punnyaseva.com
ukash-online.com
sho-yururi-blog.com
hebergement-solidaire.com
civicinfluencers.net
gzhf8888.com
kuleallstar.com
palisadeslodgecondos.com
holyhirschsprungs.com
azalearoseuk.com
jaggllc.com
italianrofrow.xyz
ioewur.xyz
3a5hlv.icu
kitcycle.com
estate.xyz
ankaraescortvip.xyz
richclubsite2001.xyz
kastore.website
515pleasantvalleyway.com
sittlermd.com
mytemple.group
tiny-wagen.com
sharaleesvintageflames.com
mentalesteem.com
sport-newss.online
fbve.space
lovingtruebloodindallas.com
eaglehospitality.biz
roofrepairnow.info
mcrosfts-updata.digital
cimpactinc.com
greatnotleyeast.com
lovely-tics.com
douglas-enterprise.com
dayannalima.online
ksodl.com
rainbowlampro.com
theinteriorsfurniture.com
eidmueller.email
cg020.online
gta6fuzhu.com
cinemaocity.com
hopeitivity.com
savageequipment.biz
groceriesbazaar.com
hempgotas.com
casino-pharaon-play.xyz
ralfrassendnk-login.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/1852-135-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral2/memory/1852-142-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral2/memory/4696-147-0x0000000000210000-0x0000000000239000-memory.dmp xloader -
Executes dropped EXE 2 IoCs
Processes:
bifhcp.exebifhcp.exepid process 1316 bifhcp.exe 1852 bifhcp.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
bifhcp.exebifhcp.exeipconfig.exedescription pid process target process PID 1316 set thread context of 1852 1316 bifhcp.exe bifhcp.exe PID 1852 set thread context of 2712 1852 bifhcp.exe Explorer.EXE PID 1852 set thread context of 2712 1852 bifhcp.exe Explorer.EXE PID 4696 set thread context of 2712 4696 ipconfig.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
ipconfig.exepid process 4696 ipconfig.exe -
Suspicious behavior: EnumeratesProcesses 58 IoCs
Processes:
bifhcp.exeipconfig.exepid process 1852 bifhcp.exe 1852 bifhcp.exe 1852 bifhcp.exe 1852 bifhcp.exe 1852 bifhcp.exe 1852 bifhcp.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe 4696 ipconfig.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 2712 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
bifhcp.exeipconfig.exepid process 1852 bifhcp.exe 1852 bifhcp.exe 1852 bifhcp.exe 1852 bifhcp.exe 4696 ipconfig.exe 4696 ipconfig.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
bifhcp.exeipconfig.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 1852 bifhcp.exe Token: SeDebugPrivilege 4696 ipconfig.exe Token: SeShutdownPrivilege 2712 Explorer.EXE Token: SeCreatePagefilePrivilege 2712 Explorer.EXE -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
triage_dropped_file.exebifhcp.exeExplorer.EXEipconfig.exedescription pid process target process PID 824 wrote to memory of 1316 824 triage_dropped_file.exe bifhcp.exe PID 824 wrote to memory of 1316 824 triage_dropped_file.exe bifhcp.exe PID 824 wrote to memory of 1316 824 triage_dropped_file.exe bifhcp.exe PID 1316 wrote to memory of 1852 1316 bifhcp.exe bifhcp.exe PID 1316 wrote to memory of 1852 1316 bifhcp.exe bifhcp.exe PID 1316 wrote to memory of 1852 1316 bifhcp.exe bifhcp.exe PID 1316 wrote to memory of 1852 1316 bifhcp.exe bifhcp.exe PID 1316 wrote to memory of 1852 1316 bifhcp.exe bifhcp.exe PID 1316 wrote to memory of 1852 1316 bifhcp.exe bifhcp.exe PID 2712 wrote to memory of 4696 2712 Explorer.EXE ipconfig.exe PID 2712 wrote to memory of 4696 2712 Explorer.EXE ipconfig.exe PID 2712 wrote to memory of 4696 2712 Explorer.EXE ipconfig.exe PID 4696 wrote to memory of 1680 4696 ipconfig.exe cmd.exe PID 4696 wrote to memory of 1680 4696 ipconfig.exe cmd.exe PID 4696 wrote to memory of 1680 4696 ipconfig.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe"C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bifhcp.exeC:\Users\Admin\AppData\Local\Temp\bifhcp.exe C:\Users\Admin\AppData\Local\Temp\xvipmw3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bifhcp.exeC:\Users\Admin\AppData\Local\Temp\bifhcp.exe C:\Users\Admin\AppData\Local\Temp\xvipmw4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\ipconfig.exe"C:\Windows\SysWOW64\ipconfig.exe"2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\bifhcp.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\8uvc6tb2cw52MD5
ad8694bf41f9cbbb4d8e671a3ce0612a
SHA160b8f572210e8112f04d165b515bd63a2eefaebc
SHA256f12abecd7d300f5e0077a910f46adff553a2f3d5492cc076443345ea5c038239
SHA51210c9214615a73582dda0c288d297eacbc9c655977a6a6f01b78f5d0c1c2d748a0cecaf5ce08a54de75baee760629de6c77b81d2647e6c7a22465d844142be478
-
C:\Users\Admin\AppData\Local\Temp\bifhcp.exeMD5
40025a502304d446b8e53205991b96c1
SHA1652b3f88b0521c3abd88290c5d69049e7486312c
SHA256ac6b87cea22911ecafab82748a03eab9d0ea2cfe669191cfbc61c446af809655
SHA512042fb40d8d10657023cdd344f515944ae6b9df644ebe4bf6bf6ed326f0f37d88a7f09a134dc969fc29a727b997c1ee0b06ad15c02f1af0180c4cec5901eefca2
-
C:\Users\Admin\AppData\Local\Temp\bifhcp.exeMD5
40025a502304d446b8e53205991b96c1
SHA1652b3f88b0521c3abd88290c5d69049e7486312c
SHA256ac6b87cea22911ecafab82748a03eab9d0ea2cfe669191cfbc61c446af809655
SHA512042fb40d8d10657023cdd344f515944ae6b9df644ebe4bf6bf6ed326f0f37d88a7f09a134dc969fc29a727b997c1ee0b06ad15c02f1af0180c4cec5901eefca2
-
C:\Users\Admin\AppData\Local\Temp\bifhcp.exeMD5
40025a502304d446b8e53205991b96c1
SHA1652b3f88b0521c3abd88290c5d69049e7486312c
SHA256ac6b87cea22911ecafab82748a03eab9d0ea2cfe669191cfbc61c446af809655
SHA512042fb40d8d10657023cdd344f515944ae6b9df644ebe4bf6bf6ed326f0f37d88a7f09a134dc969fc29a727b997c1ee0b06ad15c02f1af0180c4cec5901eefca2
-
C:\Users\Admin\AppData\Local\Temp\xvipmwMD5
da749731ed6579052c657302b892b44b
SHA17da4156af0f1e9ef397e836e9f7a75e90bce1a07
SHA256c39222c6207fd53f6836e1dd1726f4d2f3f76622208b8113ce23fcb22cb88470
SHA512e05b3dbd36daabc99edccbee11e31b3cc645b04f41226e2fb1c5772342e47240383d63564955ef35fa5b530e4b404af041f89836ad4ebea8b5c3d65fa3687d92
-
memory/1316-134-0x0000000000CD0000-0x0000000000CD2000-memory.dmpFilesize
8KB
-
memory/1852-141-0x0000000000F50000-0x0000000000F61000-memory.dmpFilesize
68KB
-
memory/1852-144-0x0000000001470000-0x0000000001481000-memory.dmpFilesize
68KB
-
memory/1852-139-0x000000000041D000-0x000000000041E000-memory.dmpFilesize
4KB
-
memory/1852-138-0x0000000000FB0000-0x00000000012FA000-memory.dmpFilesize
3.3MB
-
memory/1852-135-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1852-142-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1852-143-0x000000000041D000-0x000000000041E000-memory.dmpFilesize
4KB
-
memory/2712-140-0x0000000002AB0000-0x0000000002BF5000-memory.dmpFilesize
1.3MB
-
memory/2712-145-0x0000000007C30000-0x0000000007D7B000-memory.dmpFilesize
1.3MB
-
memory/2712-150-0x0000000002DC0000-0x0000000002E78000-memory.dmpFilesize
736KB
-
memory/4696-146-0x0000000000340000-0x000000000034B000-memory.dmpFilesize
44KB
-
memory/4696-147-0x0000000000210000-0x0000000000239000-memory.dmpFilesize
164KB
-
memory/4696-148-0x0000000000BF0000-0x0000000000F3A000-memory.dmpFilesize
3.3MB
-
memory/4696-149-0x0000000000A20000-0x0000000000AB0000-memory.dmpFilesize
576KB