Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 26-04-2022 05:40
Static task: static1
Behavioral task: behavioral1
Sample: Product_Order#250422.exe
Resource: win7-20220414-en
General
Target: Product_Order#250422.exe
Size: 257KB
MD5: 265de87c891fc42f378339b4ce0406f5
SHA1: 76dee4e7e7c2f22da904b6629880c3f89dca8fed
SHA256: 2affbb57b10032083dc1fe15a3c1ff1a2aa0b59f74b4ac6d094e94db6a650faa
SHA512: ca3e0a56c00928958f406ea5841b8c3f21076cd57e31c1818f8801addb7d0436aaf75bc3ae75f0a859fd7601b8dd8569ee658892bff00124324bc76b1a327f4f
Malware Config
Extracted
xloader
2.5
dx3n
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload 2 IoCs
Processes:
resource: behavioral2/memory/4916-136-0x0000000000400000-0x0000000000429000-memory.dmp | yara_rule: xloader
resource: behavioral2/memory/5084-145-0x0000000000E30000-0x0000000000E59000-memory.dmp | yara_rule: xloader
Executes dropped EXE 2 IoCs
Processes:
pid 5072 | process aueycsx.exe
pid 4916 | process aueycsx.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
PID 5072 set thread context of 4916 | process aueycsx.exe | target process aueycsx.exe
PID 4916 set thread context of 2576 | process aueycsx.exe | target process Explorer.EXE
PID 5084 set thread context of 2576 | process WWAHost.exe | target process Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 2 IoCs
Processes:
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | process Explorer.EXE
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | process Explorer.EXE
Suspicious behavior: EnumeratesProcesses 62 IoCs
Processes:
pid 4916 | process aueycsx.exe (4 entries)
pid 5084 | process WWAHost.exe (all remaining entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid 2576 | process Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid 4916 | process aueycsx.exe (3 entries)
pid 5084 | process WWAHost.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes:
Token: SeDebugPrivilege | pid 4916 | process aueycsx.exe
Token: SeDebugPrivilege | pid 5084 | process WWAHost.exe
Token: SeShutdownPrivilege | pid 2576 | process Explorer.EXE (4 entries)
Token: SeCreatePagefilePrivilege | pid 2576 | process Explorer.EXE (4 entries)
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
PID 4880 wrote to memory of 5072 | process Product_Order#250422.exe | target process aueycsx.exe (3 entries)
PID 5072 wrote to memory of 4916 | process aueycsx.exe | target process aueycsx.exe (6 entries)
PID 2576 wrote to memory of 5084 | process Explorer.EXE | target process WWAHost.exe (3 entries)
PID 5084 wrote to memory of 1872 | process WWAHost.exe | target process cmd.exe (3 entries)
Processes
C:\Windows\Explorer.EXE (level 1)
Command line: C:\Windows\Explorer.EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Product_Order#250422.exe (level 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Product_Order#250422.exe"
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\aueycsx.exe (level 3)
    Command line: C:\Users\Admin\AppData\Local\Temp\aueycsx.exe C:\Users\Admin\AppData\Local\Temp\kfupp
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\aueycsx.exe (level 4)
      Command line: C:\Users\Admin\AppData\Local\Temp\aueycsx.exe C:\Users\Admin\AppData\Local\Temp\kfupp
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WWAHost.exe (level 2)
  Command line: "C:\Windows\SysWOW64\WWAHost.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (level 3)
    Command line: /c del "C:\Users\Admin\AppData\Local\Temp\aueycsx.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\2l0ehdjchxpnymplfk
Filesize: 163KB
MD5: 6a9be40e3e90d64d41bb5bf5ab045047
SHA1: 5b46d8d3f0b1b3c3fb1674d741b42e5cee316bff
SHA256: 06e5128d97870d0c68f6b4c384108b0276fcbc47e1d38456a2f1577769165f7d
SHA512: 985452bdbe94300017e8cbf35ca1bcaa27016217027bb3a6c1c0ae237d394036949fc4d6afe785255a87ce483ebb75a7ee0d412f041c1de1c842b800108a874e

C:\Users\Admin\AppData\Local\Temp\aueycsx.exe
Filesize: 3KB
MD5: 4447ceaa26383801955378fb5831ee91
SHA1: ab3c4d769e9125203ce3dbf7e35e76318c2ce3a4
SHA256: 3a9b3e044e408c91a6b274d11bb7ec8913aa04b9efa290a899cbf37bed39e930
SHA512: 1fcc1a10127946c55ccbb314c52edb1b88c45ea99d367ef8bcd98a44005d5ca0495c54e451b1607d29e751592475682982577d492117b513e4ad090f2be42e50
C:\Users\Admin\AppData\Local\Temp\kfupp
Filesize: 4KB
MD5: 5a873257abf1da214b790721f619fe0d
SHA1: 80d4635dac8fc7e2b72039bc3a154ef3ed831647
SHA256: 323f1d55732df50c290ae1fab18f949fce0b0431fe614ff575582afefc389ea7
SHA512: 0c04e0fa15eb17d8f310a78b3f171d0a5eb8bed33caec8490de1f4b322ca18f857c11a24033074fc5c3a973ad680d538343c6347f6182dbc29df250c6b3af8ab

memory/1872-143-0x0000000000000000-mapping.dmp

memory/2576-141-0x0000000002DF0000-0x0000000002F2C000-memory.dmp
Filesize: 1.2MB

memory/2576-148-0x00000000085D0000-0x0000000008682000-memory.dmp
Filesize: 712KB

memory/4916-136-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize: 164KB

memory/4916-135-0x0000000000000000-mapping.dmp

memory/4916-138-0x0000000000BF0000-0x0000000000F3A000-memory.dmp
Filesize: 3.3MB

memory/4916-140-0x00000000005C0000-0x00000000005D1000-memory.dmp
Filesize: 68KB

memory/5072-130-0x0000000000000000-mapping.dmp

memory/5084-142-0x0000000000000000-mapping.dmp

memory/5084-145-0x0000000000E30000-0x0000000000E59000-memory.dmp
Filesize: 164KB

memory/5084-144-0x0000000000EB0000-0x0000000000F8C000-memory.dmp
Filesize: 880KB

memory/5084-146-0x0000000002280000-0x00000000025CA000-memory.dmp
Filesize: 3.3MB

memory/5084-147-0x0000000001E70000-0x0000000001F00000-memory.dmp
Filesize: 576KB