Analysis

  • max time kernel
    4294211s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    22-03-2022 07:01

General

  • Target

    tmp.exe

  • Size

    274KB

  • MD5

    16c4a16f7bd751b068e65d81ba2f64cd

  • SHA1

    3cc2679cb6af197f177481f7708bed0eed93f458

  • SHA256

    145f840479b9baa3431886abf20b30820f2cc5fe427c0d14390818c7e38ad3cd

  • SHA512

    8675970aa4fc84e3fc6e9b84b7189e8077a372e15b01be22bfd52877e2e6c94d439e213271d2554f242182fc9052b9b98148876e31096467c778cc508cad006f

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ahc8

Decoy

192451.com

wwwripostes.net

sirikhalsalaw.com

bitterbaybay.com

stella-scrubs.com

almanecermezcal.com

goodgood.online

translate-now.online

sincerefilm.com

quadrantforensics.com

johnfrenchart.com

plick-click.com

alnileen.com

tghi.xyz

172711.com

maymakita.com

punnyaseva.com

ukash-online.com

sho-yururi-blog.com

hebergement-solidaire.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Xloader Payload 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1420
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1832
      • C:\Users\Admin\AppData\Local\Temp\hsssany.exe
        C:\Users\Admin\AppData\Local\Temp\hsssany.exe C:\Users\Admin\AppData\Local\Temp\igjxkq
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:308
        • C:\Users\Admin\AppData\Local\Temp\hsssany.exe
          C:\Users\Admin\AppData\Local\Temp\hsssany.exe C:\Users\Admin\AppData\Local\Temp\igjxkq
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:468
    • C:\Windows\SysWOW64\cmmon32.exe
      "C:\Windows\SysWOW64\cmmon32.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1304
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\hsssany.exe"
        3⤵
          PID:1296
        • C:\Program Files\Mozilla Firefox\Firefox.exe
          "C:\Program Files\Mozilla Firefox\Firefox.exe"
          3⤵
            PID:1084
        • C:\Program Files (x86)\K7nh8xz\igfxqlu.exe
          "C:\Program Files (x86)\K7nh8xz\igfxqlu.exe"
          2⤵
          • Executes dropped EXE
          PID:1116

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Defense Evasion

      Modify Registry

      2
      T1112

      Discovery

      System Information Discovery

      1
      T1082

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\K7nh8xz\igfxqlu.exe
        MD5

        a25a388c0f8ab3779421f0747163c39b

        SHA1

        22267c3ea32c9ff6077cc8eccab8e9704a8cd3f2

        SHA256

        f13565cdb210b49835f19fea5c535ae953c9e8a26ed7702b2fdf613a2c3e5959

        SHA512

        807bffd3a312cac816f7dea888af7918c639ebaec25f2afb0f8afdb408ca4ffe06feead3e745bc46c8ca5a4e0ccb5f279ebe7a19c768ddcc839505b26a28ead2

      • C:\Program Files (x86)\K7nh8xz\igfxqlu.exe
        MD5

        a25a388c0f8ab3779421f0747163c39b

        SHA1

        22267c3ea32c9ff6077cc8eccab8e9704a8cd3f2

        SHA256

        f13565cdb210b49835f19fea5c535ae953c9e8a26ed7702b2fdf613a2c3e5959

        SHA512

        807bffd3a312cac816f7dea888af7918c639ebaec25f2afb0f8afdb408ca4ffe06feead3e745bc46c8ca5a4e0ccb5f279ebe7a19c768ddcc839505b26a28ead2

      • C:\Users\Admin\AppData\Local\Temp\fki5xdwbhcbhpy
        MD5

        7fb21510f14fd999145c37cb54d191de

        SHA1

        7ce318c80c798dfcc6a601d531f49ed95134e9ce

        SHA256

        a20f4cce92d9bd4eb9c9e943514de908ea2ca9f666623c04de319dd7a7a67367

        SHA512

        483b8cbab3e6bd316b290a7cc8f9ae5316d5f8d843e37a26ec628172a038454c557569729eb5cf1ca7731c8781580109a0c9c0f7d2a4c12012d716e2aa0d8e7d

      • C:\Users\Admin\AppData\Local\Temp\hsssany.exe
        MD5

        a25a388c0f8ab3779421f0747163c39b

        SHA1

        22267c3ea32c9ff6077cc8eccab8e9704a8cd3f2

        SHA256

        f13565cdb210b49835f19fea5c535ae953c9e8a26ed7702b2fdf613a2c3e5959

        SHA512

        807bffd3a312cac816f7dea888af7918c639ebaec25f2afb0f8afdb408ca4ffe06feead3e745bc46c8ca5a4e0ccb5f279ebe7a19c768ddcc839505b26a28ead2

      • C:\Users\Admin\AppData\Local\Temp\hsssany.exe
        MD5

        a25a388c0f8ab3779421f0747163c39b

        SHA1

        22267c3ea32c9ff6077cc8eccab8e9704a8cd3f2

        SHA256

        f13565cdb210b49835f19fea5c535ae953c9e8a26ed7702b2fdf613a2c3e5959

        SHA512

        807bffd3a312cac816f7dea888af7918c639ebaec25f2afb0f8afdb408ca4ffe06feead3e745bc46c8ca5a4e0ccb5f279ebe7a19c768ddcc839505b26a28ead2

      • C:\Users\Admin\AppData\Local\Temp\hsssany.exe
        MD5

        a25a388c0f8ab3779421f0747163c39b

        SHA1

        22267c3ea32c9ff6077cc8eccab8e9704a8cd3f2

        SHA256

        f13565cdb210b49835f19fea5c535ae953c9e8a26ed7702b2fdf613a2c3e5959

        SHA512

        807bffd3a312cac816f7dea888af7918c639ebaec25f2afb0f8afdb408ca4ffe06feead3e745bc46c8ca5a4e0ccb5f279ebe7a19c768ddcc839505b26a28ead2

      • C:\Users\Admin\AppData\Local\Temp\igjxkq
        MD5

        1169886f2881955b7e4af98a4d4251d6

        SHA1

        ab0a023754e13727d7e76c7821da43667519c1aa

        SHA256

        f0c6b182474ca01313269fb8f3a1e8aa82c2389ae1b0ee919ff710a34519f320

        SHA512

        80a7794c370cee1babd3dde9e412cfdc4ab850a1654623e3a4fe5657e7ab88d4ae77efcbd15fa9560d405ff01a422a41d9e6569a508a9f8a8987c36fc479f314

      • \Users\Admin\AppData\Local\Temp\hsssany.exe
        MD5

        a25a388c0f8ab3779421f0747163c39b

        SHA1

        22267c3ea32c9ff6077cc8eccab8e9704a8cd3f2

        SHA256

        f13565cdb210b49835f19fea5c535ae953c9e8a26ed7702b2fdf613a2c3e5959

        SHA512

        807bffd3a312cac816f7dea888af7918c639ebaec25f2afb0f8afdb408ca4ffe06feead3e745bc46c8ca5a4e0ccb5f279ebe7a19c768ddcc839505b26a28ead2

      • \Users\Admin\AppData\Local\Temp\hsssany.exe
        MD5

        a25a388c0f8ab3779421f0747163c39b

        SHA1

        22267c3ea32c9ff6077cc8eccab8e9704a8cd3f2

        SHA256

        f13565cdb210b49835f19fea5c535ae953c9e8a26ed7702b2fdf613a2c3e5959

        SHA512

        807bffd3a312cac816f7dea888af7918c639ebaec25f2afb0f8afdb408ca4ffe06feead3e745bc46c8ca5a4e0ccb5f279ebe7a19c768ddcc839505b26a28ead2

      • \Users\Admin\AppData\Local\Temp\hsssany.exe
        MD5

        a25a388c0f8ab3779421f0747163c39b

        SHA1

        22267c3ea32c9ff6077cc8eccab8e9704a8cd3f2

        SHA256

        f13565cdb210b49835f19fea5c535ae953c9e8a26ed7702b2fdf613a2c3e5959

        SHA512

        807bffd3a312cac816f7dea888af7918c639ebaec25f2afb0f8afdb408ca4ffe06feead3e745bc46c8ca5a4e0ccb5f279ebe7a19c768ddcc839505b26a28ead2

      • memory/308-61-0x0000000000220000-0x0000000000222000-memory.dmp
        Filesize

        8KB

      • memory/468-68-0x0000000000820000-0x0000000000B23000-memory.dmp
        Filesize

        3.0MB

      • memory/468-67-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

      • memory/468-69-0x00000000002B0000-0x00000000002C1000-memory.dmp
        Filesize

        68KB

      • memory/468-64-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

      • memory/1304-71-0x00000000008A0000-0x00000000008AD000-memory.dmp
        Filesize

        52KB

      • memory/1304-72-0x0000000000080000-0x00000000000A9000-memory.dmp
        Filesize

        164KB

      • memory/1304-73-0x0000000001E40000-0x0000000002143000-memory.dmp
        Filesize

        3.0MB

      • memory/1304-74-0x0000000001CB0000-0x0000000001D40000-memory.dmp
        Filesize

        576KB

      • memory/1420-70-0x00000000068E0000-0x0000000006A68000-memory.dmp
        Filesize

        1.5MB

      • memory/1420-75-0x0000000004D50000-0x0000000004E87000-memory.dmp
        Filesize

        1.2MB

      • memory/1832-54-0x00000000759B1000-0x00000000759B3000-memory.dmp
        Filesize

        8KB