Analysis
-
max time kernel
4294208s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20220310-en -
submitted
11-03-2022 12:55
Static task
static1
Behavioral task
behavioral1
Sample
triage_dropped_file.exe
Resource
win7-20220310-en
Behavioral task
behavioral2
Sample
triage_dropped_file.exe
Resource
win10v2004-en-20220113
General
-
Target
triage_dropped_file.exe
-
Size
308KB
-
MD5
e41def555743c430d0def4a513de4d96
-
SHA1
7c90a41062f1f867a1ae0bdeb1d37ca72cd2b95e
-
SHA256
1190df73979f3dc768713f51fcf6e2eb439b95caf7c4a2b998c377ea5a35e9d5
-
SHA512
331add20592a9cd8336bc902fe0f4934f6b50866904eb60f4cc3e6046c5edf8d29b5e901cc37f1619ffed9ae83201bbb93d165297ba41dda655b533870e722b6
Malware Config
Extracted
xloader
2.5
ahc8
192451.com
wwwripostes.net
sirikhalsalaw.com
bitterbaybay.com
stella-scrubs.com
almanecermezcal.com
goodgood.online
translate-now.online
sincerefilm.com
quadrantforensics.com
johnfrenchart.com
plick-click.com
alnileen.com
tghi.xyz
172711.com
maymakita.com
punnyaseva.com
ukash-online.com
sho-yururi-blog.com
hebergement-solidaire.com
civicinfluencers.net
gzhf8888.com
kuleallstar.com
palisadeslodgecondos.com
holyhirschsprungs.com
azalearoseuk.com
jaggllc.com
italianrofrow.xyz
ioewur.xyz
3a5hlv.icu
kitcycle.com
estate.xyz
ankaraescortvip.xyz
richclubsite2001.xyz
kastore.website
515pleasantvalleyway.com
sittlermd.com
mytemple.group
tiny-wagen.com
sharaleesvintageflames.com
mentalesteem.com
sport-newss.online
fbve.space
lovingtruebloodindallas.com
eaglehospitality.biz
roofrepairnow.info
mcrosfts-updata.digital
cimpactinc.com
greatnotleyeast.com
lovely-tics.com
douglas-enterprise.com
dayannalima.online
ksodl.com
rainbowlampro.com
theinteriorsfurniture.com
eidmueller.email
cg020.online
gta6fuzhu.com
cinemaocity.com
hopeitivity.com
savageequipment.biz
groceriesbazaar.com
hempgotas.com
casino-pharaon-play.xyz
ralfrassendnk-login.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/952-62-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral1/memory/952-65-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral1/memory/1640-76-0x0000000000080000-0x00000000000A9000-memory.dmp xloader -
Blocklisted process makes network request 1 IoCs
Processes:
cmd.exeflow pid process 31 1640 cmd.exe -
Executes dropped EXE 2 IoCs
Processes:
bifhcp.exebifhcp.exepid process 1752 bifhcp.exe 952 bifhcp.exe -
Loads dropped DLL 2 IoCs
Processes:
triage_dropped_file.exebifhcp.exepid process 1500 triage_dropped_file.exe 1752 bifhcp.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
bifhcp.exebifhcp.execmd.exedescription pid process target process PID 1752 set thread context of 952 1752 bifhcp.exe bifhcp.exe PID 952 set thread context of 1392 952 bifhcp.exe Explorer.EXE PID 952 set thread context of 1392 952 bifhcp.exe Explorer.EXE PID 1640 set thread context of 1392 1640 cmd.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:
bifhcp.execmd.exepid process 952 bifhcp.exe 952 bifhcp.exe 952 bifhcp.exe 1640 cmd.exe 1640 cmd.exe 1640 cmd.exe 1640 cmd.exe 1640 cmd.exe 1640 cmd.exe 1640 cmd.exe 1640 cmd.exe 1640 cmd.exe 1640 cmd.exe 1640 cmd.exe 1640 cmd.exe 1640 cmd.exe 1640 cmd.exe 1640 cmd.exe 1640 cmd.exe 1640 cmd.exe 1640 cmd.exe 1640 cmd.exe 1640 cmd.exe 1640 cmd.exe 1640 cmd.exe 1640 cmd.exe 1640 cmd.exe 1640 cmd.exe 1640 cmd.exe 1640 cmd.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1392 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
bifhcp.execmd.exepid process 952 bifhcp.exe 952 bifhcp.exe 952 bifhcp.exe 952 bifhcp.exe 1640 cmd.exe 1640 cmd.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
bifhcp.execmd.exedescription pid process Token: SeDebugPrivilege 952 bifhcp.exe Token: SeDebugPrivilege 1640 cmd.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1392 Explorer.EXE 1392 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1392 Explorer.EXE 1392 Explorer.EXE -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
triage_dropped_file.exebifhcp.exeExplorer.EXEcmd.exedescription pid process target process PID 1500 wrote to memory of 1752 1500 triage_dropped_file.exe bifhcp.exe PID 1500 wrote to memory of 1752 1500 triage_dropped_file.exe bifhcp.exe PID 1500 wrote to memory of 1752 1500 triage_dropped_file.exe bifhcp.exe PID 1500 wrote to memory of 1752 1500 triage_dropped_file.exe bifhcp.exe PID 1752 wrote to memory of 952 1752 bifhcp.exe bifhcp.exe PID 1752 wrote to memory of 952 1752 bifhcp.exe bifhcp.exe PID 1752 wrote to memory of 952 1752 bifhcp.exe bifhcp.exe PID 1752 wrote to memory of 952 1752 bifhcp.exe bifhcp.exe PID 1752 wrote to memory of 952 1752 bifhcp.exe bifhcp.exe PID 1752 wrote to memory of 952 1752 bifhcp.exe bifhcp.exe PID 1752 wrote to memory of 952 1752 bifhcp.exe bifhcp.exe PID 1392 wrote to memory of 1640 1392 Explorer.EXE cmd.exe PID 1392 wrote to memory of 1640 1392 Explorer.EXE cmd.exe PID 1392 wrote to memory of 1640 1392 Explorer.EXE cmd.exe PID 1392 wrote to memory of 1640 1392 Explorer.EXE cmd.exe PID 1640 wrote to memory of 1036 1640 cmd.exe cmd.exe PID 1640 wrote to memory of 1036 1640 cmd.exe cmd.exe PID 1640 wrote to memory of 1036 1640 cmd.exe cmd.exe PID 1640 wrote to memory of 1036 1640 cmd.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe"C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Users\Admin\AppData\Local\Temp\bifhcp.exeC:\Users\Admin\AppData\Local\Temp\bifhcp.exe C:\Users\Admin\AppData\Local\Temp\xvipmw3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Users\Admin\AppData\Local\Temp\bifhcp.exeC:\Users\Admin\AppData\Local\Temp\bifhcp.exe C:\Users\Admin\AppData\Local\Temp\xvipmw4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:952 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe"2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\bifhcp.exe"3⤵PID:1036
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\8uvc6tb2cw52MD5
ad8694bf41f9cbbb4d8e671a3ce0612a
SHA160b8f572210e8112f04d165b515bd63a2eefaebc
SHA256f12abecd7d300f5e0077a910f46adff553a2f3d5492cc076443345ea5c038239
SHA51210c9214615a73582dda0c288d297eacbc9c655977a6a6f01b78f5d0c1c2d748a0cecaf5ce08a54de75baee760629de6c77b81d2647e6c7a22465d844142be478
-
C:\Users\Admin\AppData\Local\Temp\bifhcp.exeMD5
40025a502304d446b8e53205991b96c1
SHA1652b3f88b0521c3abd88290c5d69049e7486312c
SHA256ac6b87cea22911ecafab82748a03eab9d0ea2cfe669191cfbc61c446af809655
SHA512042fb40d8d10657023cdd344f515944ae6b9df644ebe4bf6bf6ed326f0f37d88a7f09a134dc969fc29a727b997c1ee0b06ad15c02f1af0180c4cec5901eefca2
-
C:\Users\Admin\AppData\Local\Temp\bifhcp.exeMD5
40025a502304d446b8e53205991b96c1
SHA1652b3f88b0521c3abd88290c5d69049e7486312c
SHA256ac6b87cea22911ecafab82748a03eab9d0ea2cfe669191cfbc61c446af809655
SHA512042fb40d8d10657023cdd344f515944ae6b9df644ebe4bf6bf6ed326f0f37d88a7f09a134dc969fc29a727b997c1ee0b06ad15c02f1af0180c4cec5901eefca2
-
C:\Users\Admin\AppData\Local\Temp\bifhcp.exeMD5
40025a502304d446b8e53205991b96c1
SHA1652b3f88b0521c3abd88290c5d69049e7486312c
SHA256ac6b87cea22911ecafab82748a03eab9d0ea2cfe669191cfbc61c446af809655
SHA512042fb40d8d10657023cdd344f515944ae6b9df644ebe4bf6bf6ed326f0f37d88a7f09a134dc969fc29a727b997c1ee0b06ad15c02f1af0180c4cec5901eefca2
-
C:\Users\Admin\AppData\Local\Temp\xvipmwMD5
da749731ed6579052c657302b892b44b
SHA17da4156af0f1e9ef397e836e9f7a75e90bce1a07
SHA256c39222c6207fd53f6836e1dd1726f4d2f3f76622208b8113ce23fcb22cb88470
SHA512e05b3dbd36daabc99edccbee11e31b3cc645b04f41226e2fb1c5772342e47240383d63564955ef35fa5b530e4b404af041f89836ad4ebea8b5c3d65fa3687d92
-
\Users\Admin\AppData\Local\Temp\bifhcp.exeMD5
40025a502304d446b8e53205991b96c1
SHA1652b3f88b0521c3abd88290c5d69049e7486312c
SHA256ac6b87cea22911ecafab82748a03eab9d0ea2cfe669191cfbc61c446af809655
SHA512042fb40d8d10657023cdd344f515944ae6b9df644ebe4bf6bf6ed326f0f37d88a7f09a134dc969fc29a727b997c1ee0b06ad15c02f1af0180c4cec5901eefca2
-
\Users\Admin\AppData\Local\Temp\bifhcp.exeMD5
40025a502304d446b8e53205991b96c1
SHA1652b3f88b0521c3abd88290c5d69049e7486312c
SHA256ac6b87cea22911ecafab82748a03eab9d0ea2cfe669191cfbc61c446af809655
SHA512042fb40d8d10657023cdd344f515944ae6b9df644ebe4bf6bf6ed326f0f37d88a7f09a134dc969fc29a727b997c1ee0b06ad15c02f1af0180c4cec5901eefca2
-
memory/952-65-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/952-62-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/952-72-0x0000000000340000-0x0000000000351000-memory.dmpFilesize
68KB
-
memory/952-71-0x000000000041D000-0x000000000041E000-memory.dmpFilesize
4KB
-
memory/952-66-0x0000000000940000-0x0000000000C43000-memory.dmpFilesize
3.0MB
-
memory/952-67-0x000000000041D000-0x000000000041E000-memory.dmpFilesize
4KB
-
memory/952-68-0x0000000000300000-0x0000000000311000-memory.dmpFilesize
68KB
-
memory/1392-69-0x0000000003AB0000-0x0000000003B64000-memory.dmpFilesize
720KB
-
memory/1392-73-0x0000000006780000-0x0000000006895000-memory.dmpFilesize
1.1MB
-
memory/1392-78-0x0000000006A50000-0x0000000006B8F000-memory.dmpFilesize
1.2MB
-
memory/1500-54-0x0000000075A31000-0x0000000075A33000-memory.dmpFilesize
8KB
-
memory/1640-74-0x000000004A260000-0x000000004A2AC000-memory.dmpFilesize
304KB
-
memory/1640-75-0x0000000002060000-0x0000000002363000-memory.dmpFilesize
3.0MB
-
memory/1640-76-0x0000000000080000-0x00000000000A9000-memory.dmpFilesize
164KB
-
memory/1640-77-0x0000000001ED0000-0x0000000001F60000-memory.dmpFilesize
576KB
-
memory/1752-60-0x00000000000F0000-0x00000000000F2000-memory.dmpFilesize
8KB