Analysis
max time kernel: 151s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220331-en
submitted: 04-04-2022 13:48
Static task: static1
Behavioral task: behavioral1
Sample: BLLLLAADDEE.exe
Resource: win7-20220331-en
General
Target: BLLLLAADDEE.exe
Size: 35KB
MD5: 0a8d67dc73dadb3aafaa35ba4c522a99
SHA1: 80ef67fc098bd298cf4d286adaf1e59dbace8211
SHA256: ccc3111d1efd08344fdaa03990ed7029b09e1a5f014424760b6ae2eae5539829
SHA512: f768f28c5981a53f36b670dc356bed13c9311c81064f1b36b062731ca4f76a336a81b7f3d447b549198ab8b50bf401a7cc0876575261e3e66cee26f9c88d1b15
Malware Config
Extracted
xloader
2.5
ssac
beautybybrin.com
oregemo.com
prospectoriq.com
blazermid.com
cloudnineloans.com
myyntisofta.com
filoupoils.com
web-solutiontnpasumo3.xyz
becbares.com
lines-hikkoshi.com
ohayouwww.com
writingdadsobituarywithdad.com
bridalbaes.com
jamshir.com
rangertots.com
dankbrobeans.com
titan111.com
uplearns.info
maxicashprokil.xyz
evc24.com
mingshan888.com
thehomefurnishings.com
jjyive.space
vtkk.info
state-attorney.online
zoho.systems
nd300.com
ivermectinforanimals.ca
gruppobenedetto.com
planet99angka.xyz
astrotiq.com
fangshensj.com
ocean.limited
zalaridumpf.quest
cursolibreonline.com
lifein.art
identspactures.com
nfltvgo.com
chronicfit.store
mariajosereina.com
hebbz764776341.com
anpxlmmspix.mobi
mydevhub.tech
nobelrealm.com
dentalteamny.com
patinerd.com
socratisbey.xyz
hnylcwfs.com
yujieqin.com
midorato.com
sunglowdragon.com
americaplr.com
cxqdscape.com
situsgacor.xyz
sattlerei-dortmund.com
life120lospaccio.com
riddleme.one
perpustakaan-geominerba.online
renatafaceandbodyskincare.com
allkoreas.com
myvisitiq.com
candlesallday.com
poleador.com
4hsp116.com
homesbyvw.com
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload 3 IoCs
resource                                                                      yara_rule
behavioral2/memory/4416-127-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral2/memory/4416-129-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral2/memory/4048-135-0x0000000000C60000-0x0000000000C89000-memory.dmp  xloader
Suspicious use of SetThreadContext 3 IoCs
description                          pid   process              target process
PID 3548 set thread context of 4416  3548  BLLLLAADDEE.exe      aspnet_compiler.exe
PID 4416 set thread context of 660   4416  aspnet_compiler.exe  Explorer.EXE
PID 4048 set thread context of 660   4048  svchost.exe          Explorer.EXE
Suspicious behavior: EnumeratesProcesses 60 IoCs
pid   process
4416  aspnet_compiler.exe  (4 entries)
4048  svchost.exe          (56 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid  process
660  Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
pid   process
4416  aspnet_compiler.exe  (3 entries)
4048  svchost.exe          (2 entries)
Suspicious use of AdjustPrivilegeToken 3 IoCs
description              pid   process
Token: SeDebugPrivilege  3548  BLLLLAADDEE.exe
Token: SeDebugPrivilege  4416  aspnet_compiler.exe
Token: SeDebugPrivilege  4048  svchost.exe
Suspicious use of WriteProcessMemory 12 IoCs
description                       pid   process          target process
PID 3548 wrote to memory of 4416  3548  BLLLLAADDEE.exe  aspnet_compiler.exe  (6 entries)
PID 660 wrote to memory of 4048   660   Explorer.EXE     svchost.exe          (3 entries)
PID 4048 wrote to memory of 4612  4048  svchost.exe      cmd.exe              (3 entries)
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 660
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\BLLLLAADDEE.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\BLLLLAADDEE.exe"
    PID: 3548
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      PID: 4416
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\svchost.exe
    command line: "C:\Windows\SysWOW64\svchost.exe"
    PID: 4048
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      PID: 4612
Downloads
memory/660-139-0x0000000002D50000-0x0000000002DE4000-memory.dmp   Filesize: 592KB
memory/660-132-0x0000000007ED0000-0x0000000007FD3000-memory.dmp   Filesize: 1.0MB
memory/3548-125-0x0000000006320000-0x00000000063BC000-memory.dmp  Filesize: 624KB
memory/3548-124-0x0000000000C60000-0x0000000000C6C000-memory.dmp  Filesize: 48KB
memory/4048-134-0x00000000000D0000-0x00000000000DE000-memory.dmp  Filesize: 56KB
memory/4048-138-0x0000000001370000-0x0000000001400000-memory.dmp  Filesize: 576KB
memory/4048-137-0x0000000001700000-0x0000000001A4A000-memory.dmp  Filesize: 3.3MB
memory/4048-135-0x0000000000C60000-0x0000000000C89000-memory.dmp  Filesize: 164KB
memory/4048-133-0x0000000000000000-mapping.dmp
memory/4416-127-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize: 164KB
memory/4416-131-0x0000000001330000-0x0000000001341000-memory.dmp  Filesize: 68KB
memory/4416-130-0x00000000016A0000-0x00000000019EA000-memory.dmp  Filesize: 3.3MB
memory/4416-129-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize: 164KB
memory/4416-126-0x0000000000000000-mapping.dmp
memory/4612-136-0x0000000000000000-mapping.dmp