Analysis
- Max time kernel: 149s
- Max time network: 150s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220331-en
- Submitted: 08-04-2022 08:30
- Static task: static1
- Behavioral task: behavioral1
- Sample: fiyat talebi.exe
- Resource: win7-20220310-en
General
- Target: fiyat talebi.exe
- Size: 242KB
- MD5: cd5a1f00e5069978e2265c76b1ddf25d
- SHA1: b995ba1b34b3debabad436b14ad5c94829e6e27b
- SHA256: f2b30831e93ef719ecc6b3d7fa88509a1b77d35068d4d6ab2728d9938c8a7859
- SHA512: 656bca68ff35b4f341f2347af02b0f68cf56b1e3a20629dd446e0abad18d229de2501879a002c7bf99b9b27890fc2e5c1171bb7d585312bf0eaf74827d30200c
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: cbgo
- Domains:
santesha.com
britneysbeautybar.com
sh-cy17.com
jeffcarveragency.com
3117111.com
sobrehosting.net
ddm123.xyz
toxcompliance.com
auditorydesigns.com
vliftfacial.com
ielhii.com
naameliss.com
ritualchariot.com
solchange.com
quatre-vingts.design
lawnmowermashine.com
braceletsstore.net
admappy.com
tollivercoltd.com
vaidix.com
rodrigomartinsadv.com
bouncingskull.com
hamiltonhellerrealestate.com
dream-kidz.com
growupnotgrowold.com
clanginandbangin.com
cornerstone-constructions.com
mcdonalds-delivery.xyz
omnikro.com
nca-group.com
hughers3.com
move-mobius.com
shrivs.com
hoshikuzu-hegemony.com
zpwx17.online
masoncable.com
butecreditunion.com
creativefolksnetwork.xyz
lejanet.com
tacticalslings.club
bestprodutos.com
quirkysoul39.com
sdettest.com
aomendc.xyz
lorticepttoyof6.xyz
nonvaxrnpositions.com
maintainaviation.com
kubanitka.com
fractalmerch.xyz
elbowguru.com
nikiyang.com
cialisactivesupers.com
bestofrochester.info
ynov-rennes.com
saiden8164.com
ffuster.com
papierle.com
dobsonfryedentist.com
rufisquoisedetransit.com
compassionatecuddling.com
kimlady.com
mashinchand.com
semicivilization.com
milamixecommerce.com
ambassadorandceoclub.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload (3 IoCs)
Processes (resource: yara_rule):
- behavioral2/memory/4380-130-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
- behavioral2/memory/4380-134-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
- behavioral2/memory/5108-139-0x0000000000A00000-0x0000000000A29000-memory.dmp: xloader

Executes dropped EXE (2 IoCs)
Processes (pid process):
- 4228 qmzngjtx.exe
- 4380 qmzngjtx.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes (pid process -> target pid process):
- PID 4228 qmzngjtx.exe set thread context of 4380 qmzngjtx.exe
- PID 4380 qmzngjtx.exe set thread context of 3084 Explorer.EXE
- PID 5108 cmd.exe set thread context of 3084 Explorer.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (62 IoCs)
Processes (pid process, number of entries):
- 4380 qmzngjtx.exe (4 entries)
- 5108 cmd.exe (58 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid process):
- 3084 Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes (pid process, number of entries):
- 4380 qmzngjtx.exe (3 entries)
- 5108 cmd.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid process):
- Token: SeDebugPrivilege, 4380 qmzngjtx.exe
- Token: SeDebugPrivilege, 5108 cmd.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes (pid process -> target pid process, number of entries):
- PID 3268 fiyat talebi.exe wrote to memory of 4228 qmzngjtx.exe (3 entries)
- PID 4228 qmzngjtx.exe wrote to memory of 4380 qmzngjtx.exe (6 entries)
- PID 3084 Explorer.EXE wrote to memory of 5108 cmd.exe (3 entries)
- PID 5108 cmd.exe wrote to memory of 1636 cmd.exe (3 entries)
Processes
Process tree (leading number = depth in the tree):
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   Signatures:
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\fiyat talebi.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\fiyat talebi.exe"
      Signatures:
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\qmzngjtx.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\qmzngjtx.exe C:\Users\Admin\AppData\Local\Temp\qhidoqldbb
         Signatures:
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\qmzngjtx.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\qmzngjtx.exe C:\Users\Admin\AppData\Local\Temp\qhidoqldbb
            Signatures:
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\SysWOW64\cmd.exe"
      Signatures:
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /c del "C:\Users\Admin\AppData\Local\Temp\qmzngjtx.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\n4ctxmrbh0uoaq3yha
  Filesize: 212KB
  MD5: 0800086693d43f3e3f5248c8789ef97c
  SHA1: 9779f40e0a93bd5825d7f715453924819b9a59e6
  SHA256: 089179b2f01e25d4117e018c7ebe402d2e4c68b9774c15f29fde43fa57aa32df
  SHA512: 8fa85746c74bd7b2361dab36e3228a1c8f27f2d6b9d6a01b10ab97f07212bdc1ba52724d4239cc76b649763be8c2d2f0f298430fbbb1af94d7d4e1f50d52e0f4
- C:\Users\Admin\AppData\Local\Temp\qhidoqldbb
  Filesize: 4KB
  MD5: 4189ad2dedcab199ef7a58a4c490733e
  SHA1: 023179460cc47e1ede06f9e4cc5b7ecfd87dadc2
  SHA256: 513b1e9affe4c24ff16e2156cb1bf14c0e7c75d53b6886341a01474e5c784f3b
  SHA512: f27292ea85b5f4cf47c982dce736afdc69f9f0893b0a521546803e524e195a72b5a0e5c132a4f7fdcbed96baecfcee22f7e53363c71a309022dd312dee2597dc
- C:\Users\Admin\AppData\Local\Temp\qmzngjtx.exe
  Filesize: 5KB
  MD5: 120556bf1317f6395f13ff5377e308d9
  SHA1: f36799d4885de8cc8f8c947e4fc28e1a3a39beab
  SHA256: 63b0f72ed3dade8ad655daf220470057fce741dda011d4cfbdd7646460df3f46
  SHA512: 75902aac1f4f6758ac53ab717b6f91eb326a8acf331c495b08cff27c571c31d244d8b30cd812a2ecfd9fbf70c230f673672bdbde0b57ededfd8b1c26200c98dd
- memory/1636-140-0x0000000000000000-mapping.dmp
- memory/3084-136-0x0000000008A00000-0x0000000008B4D000-memory.dmp
  Filesize: 1.3MB
- memory/3084-143-0x0000000003130000-0x000000000325E000-memory.dmp
  Filesize: 1.2MB
- memory/4228-124-0x0000000000000000-mapping.dmp
- memory/4380-133-0x0000000000AE0000-0x0000000000E2A000-memory.dmp
  Filesize: 3.3MB
- memory/4380-135-0x00000000005D0000-0x00000000005E1000-memory.dmp
  Filesize: 68KB
- memory/4380-134-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/4380-130-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/4380-129-0x0000000000000000-mapping.dmp
- memory/5108-137-0x0000000000000000-mapping.dmp
- memory/5108-138-0x0000000000550000-0x00000000005AA000-memory.dmp
  Filesize: 360KB
- memory/5108-139-0x0000000000A00000-0x0000000000A29000-memory.dmp
  Filesize: 164KB
- memory/5108-141-0x00000000012B0000-0x00000000015FA000-memory.dmp
  Filesize: 3.3MB
- memory/5108-142-0x00000000010E0000-0x0000000001170000-memory.dmp
  Filesize: 576KB