Analysis
- Max time kernel: 149s
- Max time network: 151s
- Platform: windows7_x64
- Resource: win7-20220331-en
- Submitted: 12-04-2022 13:58

Static task: static1
Behavioral task: behavioral1
Sample: COMMANDE2022.exe
Resource: win7-20220331-en
General
- Target: COMMANDE2022.exe
- Size: 240KB
- MD5: b416c05593038ca7e314f102e0dcae6e
- SHA1: 20ab9278c05a8f278a2daff13951b6d28086db71
- SHA256: c0d6833e7ba34a1a05310005fa4e09ad5e1e2b60edf8fe62fc42b7610913496c
- SHA512: a3425015be98c426f394e06e37bc945ee52e07c023ca8b7fe7d52baa5761c77c1cb1d16f6806330b8f2e3e71056263e70e8bec922b7dd0dad07962d97713b43a
Malware Config
Extracted
xloader
2.5
cbgo
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload (4 IoCs)
Resource / YARA rule:
- behavioral1/memory/2036-63-0x0000000000400000-0x0000000000429000-memory.dmp / xloader
- behavioral1/memory/2036-64-0x000000000041D450-mapping.dmp / xloader
- behavioral1/memory/2036-67-0x0000000000400000-0x0000000000429000-memory.dmp / xloader
- behavioral1/memory/2008-75-0x0000000000080000-0x00000000000A9000-memory.dmp / xloader
Executes dropped EXE (2 IoCs)
PID / process:
- 960 jgtuubxgos.exe
- 2036 jgtuubxgos.exe

Loads dropped DLL (2 IoCs)
PID / process:
- 1328 COMMANDE2022.exe
- 960 jgtuubxgos.exe
Suspicious use of SetThreadContext (3 IoCs)
Description / PID process / target process:
- PID 960 set thread context of 2036 / 960 jgtuubxgos.exe / jgtuubxgos.exe
- PID 2036 set thread context of 1252 / 2036 jgtuubxgos.exe / Explorer.EXE
- PID 2008 set thread context of 1252 / 2008 colorcpl.exe / Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (27 IoCs)
PID / process:
- 2036 jgtuubxgos.exe (2 entries)
- 2008 colorcpl.exe (25 entries)

Suspicious behavior: MapViewOfSection (5 IoCs)
PID / process:
- 2036 jgtuubxgos.exe (3 entries)
- 2008 colorcpl.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Description / PID process:
- Token: SeDebugPrivilege / 2036 jgtuubxgos.exe
- Token: SeDebugPrivilege / 2008 colorcpl.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
PID / process:
- 1252 Explorer.EXE (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
PID / process:
- 1252 Explorer.EXE (2 entries)

Suspicious use of WriteProcessMemory (19 IoCs)
Description / PID process / target process:
- PID 1328 wrote to memory of 960 / 1328 COMMANDE2022.exe / jgtuubxgos.exe (4 entries)
- PID 960 wrote to memory of 2036 / 960 jgtuubxgos.exe / jgtuubxgos.exe (7 entries)
- PID 1252 wrote to memory of 2008 / 1252 Explorer.EXE / colorcpl.exe (4 entries)
- PID 2008 wrote to memory of 1964 / 2008 colorcpl.exe / cmd.exe (4 entries)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\COMMANDE2022.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\COMMANDE2022.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\jgtuubxgos.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\jgtuubxgos.exe C:\Users\Admin\AppData\Local\Temp\htcdlhlzf
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\jgtuubxgos.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\jgtuubxgos.exe C:\Users\Admin\AppData\Local\Temp\htcdlhlzf
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\colorcpl.exe
    Command line: "C:\Windows\SysWOW64\colorcpl.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\jgtuubxgos.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\htcdlhlzf (4KB)
  MD5: 2ef3334ad7021b15415a3d6c2bcad2e5
  SHA1: 559738ae73b169a851c684250f3fd281ae73b59c
  SHA256: acd6f8529cb6b49fcc51261a8574be51eeb204fe9bdcb4e8dc4131e7ad2d4172
  SHA512: 44ff29341a7e434d13e69c49a5f3703b2d255c40978ea2ab0d869f508e10042affa8f5f59e74eb5295ae7dc61963d2f13fbb172ad48664811dee4e0c8f4b8bc2
- C:\Users\Admin\AppData\Local\Temp\jgtuubxgos.exe (5KB)
  MD5: 7379cf00c2ceec0b6256dc610ee8dbe2
  SHA1: 0c49ddab376fc45f565dde736c863f93f0195fc8
  SHA256: da93d14187f32f7a905a8cc4f97c096fd7171049dc01abaa16e5385c6cb9df29
  SHA512: 0aac0c418a119ff5ec2d1e05b98aa7927c2c6e62062aec0101869e5c5ce245db801b9d7849356af276780071e96d237b6b3e699cda5a7273d5a5708633249d8e
- C:\Users\Admin\AppData\Local\Temp\t90ysxzhlbpy (214KB)
  MD5: 09fad7f6fdd368909ddda0c82a2f4765
  SHA1: e9657c98a2db2541e9688c4c17bbe72ac98dca63
  SHA256: 40f0f0667c86edd961adec95e071b433aff224eb9cf0ba59e52cd6ef8e3d1106
  SHA512: 20c71f4b10c037d9d47e66b351a46db0855d6f253d1135c1b9ac8bc6182f734bce296814d7dfd7c86fe2bacdf39230766f2b9d7af6cb86dc54e85ef33b43a6bf
- \Users\Admin\AppData\Local\Temp\jgtuubxgos.exe (5KB)
  MD5: 7379cf00c2ceec0b6256dc610ee8dbe2
  SHA1: 0c49ddab376fc45f565dde736c863f93f0195fc8
  SHA256: da93d14187f32f7a905a8cc4f97c096fd7171049dc01abaa16e5385c6cb9df29
  SHA512: 0aac0c418a119ff5ec2d1e05b98aa7927c2c6e62062aec0101869e5c5ce245db801b9d7849356af276780071e96d237b6b3e699cda5a7273d5a5708633249d8e
- memory/960-56-0x0000000000000000-mapping.dmp
- memory/1252-70-0x0000000004BB0000-0x0000000004C86000-memory.dmp (856KB)
- memory/1252-78-0x0000000002CA0000-0x0000000002D53000-memory.dmp (716KB)
- memory/1328-54-0x0000000075341000-0x0000000075343000-memory.dmp (8KB)
- memory/1964-73-0x0000000000000000-mapping.dmp
- memory/2008-71-0x0000000000000000-mapping.dmp
- memory/2008-74-0x0000000000300000-0x0000000000318000-memory.dmp (96KB)
- memory/2008-75-0x0000000000080000-0x00000000000A9000-memory.dmp (164KB)
- memory/2008-76-0x0000000001EF0000-0x00000000021F3000-memory.dmp (3.0MB)
- memory/2008-77-0x0000000001E10000-0x0000000001EA0000-memory.dmp (576KB)
- memory/2036-69-0x0000000000280000-0x0000000000291000-memory.dmp (68KB)
- memory/2036-68-0x0000000000B00000-0x0000000000E03000-memory.dmp (3.0MB)
- memory/2036-67-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
- memory/2036-64-0x000000000041D450-mapping.dmp
- memory/2036-63-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)