Analysis
-
max time kernel
165s -
max time network
168s -
platform
windows10-2004_x64 -
resource
win10v2004-20220331-en -
submitted
12-04-2022 13:58
Static task
static1
Behavioral task
behavioral1
Sample
COMMANDE2022.exe
Resource
win7-20220331-en
General
-
Target
COMMANDE2022.exe
-
Size
240KB
-
MD5
b416c05593038ca7e314f102e0dcae6e
-
SHA1
20ab9278c05a8f278a2daff13951b6d28086db71
-
SHA256
c0d6833e7ba34a1a05310005fa4e09ad5e1e2b60edf8fe62fc42b7610913496c
-
SHA512
a3425015be98c426f394e06e37bc945ee52e07c023ca8b7fe7d52baa5761c77c1cb1d16f6806330b8f2e3e71056263e70e8bec922b7dd0dad07962d97713b43a
Malware Config
Extracted
xloader
2.5
cbgo
santesha.com
britneysbeautybar.com
sh-cy17.com
jeffcarveragency.com
3117111.com
sobrehosting.net
ddm123.xyz
toxcompliance.com
auditorydesigns.com
vliftfacial.com
ielhii.com
naameliss.com
ritualchariot.com
solchange.com
quatre-vingts.design
lawnmowermashine.com
braceletsstore.net
admappy.com
tollivercoltd.com
vaidix.com
rodrigomartinsadv.com
bouncingskull.com
hamiltonhellerrealestate.com
dream-kidz.com
growupnotgrowold.com
clanginandbangin.com
cornerstone-constructions.com
mcdonalds-delivery.xyz
omnikro.com
nca-group.com
hughers3.com
move-mobius.com
shrivs.com
hoshikuzu-hegemony.com
zpwx17.online
masoncable.com
butecreditunion.com
creativefolksnetwork.xyz
lejanet.com
tacticalslings.club
bestprodutos.com
quirkysoul39.com
sdettest.com
aomendc.xyz
lorticepttoyof6.xyz
nonvaxrnpositions.com
maintainaviation.com
kubanitka.com
fractalmerch.xyz
elbowguru.com
nikiyang.com
cialisactivesupers.com
bestofrochester.info
ynov-rennes.com
saiden8164.com
ffuster.com
papierle.com
dobsonfryedentist.com
rufisquoisedetransit.com
compassionatecuddling.com
kimlady.com
mashinchand.com
semicivilization.com
milamixecommerce.com
ambassadorandceoclub.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 2 IoCs
Processes:
resource  yara_rule
behavioral2/memory/2624-130-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral2/memory/2488-138-0x0000000000A20000-0x0000000000A49000-memory.dmp  xloader
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
4684  jgtuubxgos.exe
2624  jgtuubxgos.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description                       pid   process         target process
PID 4684 set thread context of 2624  4684  jgtuubxgos.exe  jgtuubxgos.exe
PID 2624 set thread context of 2676  2624  jgtuubxgos.exe  Explorer.EXE
PID 2488 set thread context of 2676  2488  mstsc.exe       Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
pid   process
2624  jgtuubxgos.exe  (4 identical entries)
2488  mstsc.exe       (remaining entries; 60 IoCs in total for this signature)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
2676  Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid   process
2624  jgtuubxgos.exe  (3 identical entries)
2488  mstsc.exe       (2 identical entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description               pid   process
Token: SeDebugPrivilege   2624  jgtuubxgos.exe
Token: SeDebugPrivilege   2488  mstsc.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description                         pid   process           target process
PID 3520 wrote to memory of 4684    3520  COMMANDE2022.exe  jgtuubxgos.exe   (3 identical entries)
PID 4684 wrote to memory of 2624    4684  jgtuubxgos.exe    jgtuubxgos.exe   (6 identical entries)
PID 2676 wrote to memory of 2488    2676  Explorer.EXE      mstsc.exe        (3 identical entries)
PID 2488 wrote to memory of 3832    2488  mstsc.exe         cmd.exe          (3 identical entries)
Processes
-
[depth 1] C:\Windows\Explorer.EXE
command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
[depth 2] C:\Users\Admin\AppData\Local\Temp\COMMANDE2022.exe
command line: "C:\Users\Admin\AppData\Local\Temp\COMMANDE2022.exe"
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Users\Admin\AppData\Local\Temp\jgtuubxgos.exe
command line: C:\Users\Admin\AppData\Local\Temp\jgtuubxgos.exe C:\Users\Admin\AppData\Local\Temp\htcdlhlzf
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
[depth 4] C:\Users\Admin\AppData\Local\Temp\jgtuubxgos.exe
command line: C:\Users\Admin\AppData\Local\Temp\jgtuubxgos.exe C:\Users\Admin\AppData\Local\Temp\htcdlhlzf
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
[depth 2] C:\Windows\SysWOW64\mstsc.exe
command line: "C:\Windows\SysWOW64\mstsc.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\SysWOW64\cmd.exe
command line: /c del "C:\Users\Admin\AppData\Local\Temp\jgtuubxgos.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\htcdlhlzf
Filesize  4KB
MD5       2ef3334ad7021b15415a3d6c2bcad2e5
SHA1      559738ae73b169a851c684250f3fd281ae73b59c
SHA256    acd6f8529cb6b49fcc51261a8574be51eeb204fe9bdcb4e8dc4131e7ad2d4172
SHA512    44ff29341a7e434d13e69c49a5f3703b2d255c40978ea2ab0d869f508e10042affa8f5f59e74eb5295ae7dc61963d2f13fbb172ad48664811dee4e0c8f4b8bc2
-
C:\Users\Admin\AppData\Local\Temp\jgtuubxgos.exe
Filesize  5KB
MD5       7379cf00c2ceec0b6256dc610ee8dbe2
SHA1      0c49ddab376fc45f565dde736c863f93f0195fc8
SHA256    da93d14187f32f7a905a8cc4f97c096fd7171049dc01abaa16e5385c6cb9df29
SHA512    0aac0c418a119ff5ec2d1e05b98aa7927c2c6e62062aec0101869e5c5ce245db801b9d7849356af276780071e96d237b6b3e699cda5a7273d5a5708633249d8e
-
C:\Users\Admin\AppData\Local\Temp\jgtuubxgos.exe
Filesize  5KB
MD5       7379cf00c2ceec0b6256dc610ee8dbe2
SHA1      0c49ddab376fc45f565dde736c863f93f0195fc8
SHA256    da93d14187f32f7a905a8cc4f97c096fd7171049dc01abaa16e5385c6cb9df29
SHA512    0aac0c418a119ff5ec2d1e05b98aa7927c2c6e62062aec0101869e5c5ce245db801b9d7849356af276780071e96d237b6b3e699cda5a7273d5a5708633249d8e
-
C:\Users\Admin\AppData\Local\Temp\jgtuubxgos.exe
Filesize  5KB
MD5       7379cf00c2ceec0b6256dc610ee8dbe2
SHA1      0c49ddab376fc45f565dde736c863f93f0195fc8
SHA256    da93d14187f32f7a905a8cc4f97c096fd7171049dc01abaa16e5385c6cb9df29
SHA512    0aac0c418a119ff5ec2d1e05b98aa7927c2c6e62062aec0101869e5c5ce245db801b9d7849356af276780071e96d237b6b3e699cda5a7273d5a5708633249d8e
-
C:\Users\Admin\AppData\Local\Temp\t90ysxzhlbpy
Filesize  214KB
MD5       09fad7f6fdd368909ddda0c82a2f4765
SHA1      e9657c98a2db2541e9688c4c17bbe72ac98dca63
SHA256    40f0f0667c86edd961adec95e071b433aff224eb9cf0ba59e52cd6ef8e3d1106
SHA512    20c71f4b10c037d9d47e66b351a46db0855d6f253d1135c1b9ac8bc6182f734bce296814d7dfd7c86fe2bacdf39230766f2b9d7af6cb86dc54e85ef33b43a6bf
-
memory/2488-137-0x0000000000A90000-0x0000000000BCA000-memory.dmp
Filesize  1.2MB
-
memory/2488-136-0x0000000000000000-mapping.dmp
-
memory/2488-140-0x0000000002CC0000-0x000000000300A000-memory.dmp
Filesize  3.3MB
-
memory/2488-138-0x0000000000A20000-0x0000000000A49000-memory.dmp
Filesize  164KB
-
memory/2488-141-0x0000000002B30000-0x0000000002BC0000-memory.dmp
Filesize  576KB
-
memory/2624-130-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize  164KB
-
memory/2624-129-0x0000000000000000-mapping.dmp
-
memory/2624-133-0x00000000015E0000-0x000000000192A000-memory.dmp
Filesize  3.3MB
-
memory/2624-134-0x0000000001580000-0x0000000001591000-memory.dmp
Filesize  68KB
-
memory/2676-135-0x00000000026C0000-0x00000000027A6000-memory.dmp
Filesize  920KB
-
memory/2676-142-0x0000000008410000-0x000000000852C000-memory.dmp
Filesize  1.1MB
-
memory/3832-139-0x0000000000000000-mapping.dmp
-
memory/4684-124-0x0000000000000000-mapping.dmp