Analysis
max time kernel: 149s
max time network: 153s
platform: windows7_x64
resource: win7-20220414-en
submitted: 06-05-2022 14:28

Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20220414-en

General
Target: tmp.exe
Size: 193KB
MD5: 4ef1cf561792490cfc119a6f4b9433cc
SHA1: 6c7cfb9a79edeba7859088ca1a1f9da6d236facb
SHA256: 25148c38c34edf03d8c2610e75188f9223421978e0a73eec5c8a303ca1280d07
SHA512: ba4d5b504491e9ed078b51235c3f1a6af7ff769a70ff6127297a03c299a6fe8f7ea1bdea158ff2624d2e9949125a3802255350e748ee263befc9e820e9530813
Malware Config
Extracted
xloader
2.5
bs8f
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload 4 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1880-63-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral1/memory/1880-64-0x000000000041D440-mapping.dmp | xloader
behavioral1/memory/1880-67-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral1/memory/2020-75-0x0000000000090000-0x00000000000B9000-memory.dmp | xloader
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
12 | 2020 | msiexec.exe
Executes dropped EXE 2 IoCs
Processes:
pid | process
1960 | lilaxqbb.exe
1880 | lilaxqbb.exe
Loads dropped DLL 2 IoCs
Processes:
pid | process
1964 | tmp.exe
1960 | lilaxqbb.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 1960 set thread context of 1880 | 1960 | lilaxqbb.exe | lilaxqbb.exe
PID 1880 set thread context of 1304 | 1880 | lilaxqbb.exe | Explorer.EXE
PID 2020 set thread context of 1304 | 2020 | msiexec.exe | Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 27 IoCs
Processes:
pid | process
1880 | lilaxqbb.exe
1880 | lilaxqbb.exe
2020 | msiexec.exe (row repeated 25 times)
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid | process
1880 | lilaxqbb.exe
1880 | lilaxqbb.exe
1880 | lilaxqbb.exe
2020 | msiexec.exe
2020 | msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1880 | lilaxqbb.exe
Token: SeDebugPrivilege | 2020 | msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
1304 | Explorer.EXE
1304 | Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid | process
1304 | Explorer.EXE
1304 | Explorer.EXE
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
description | pid | process | target process
PID 1964 wrote to memory of 1960 | 1964 | tmp.exe | lilaxqbb.exe (row repeated 4 times)
PID 1960 wrote to memory of 1880 | 1960 | lilaxqbb.exe | lilaxqbb.exe (row repeated 7 times)
PID 1304 wrote to memory of 2020 | 1304 | Explorer.EXE | msiexec.exe (row repeated 7 times)
PID 2020 wrote to memory of 1040 | 2020 | msiexec.exe | cmd.exe (row repeated 4 times)
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\lilaxqbb.exe
      command line: C:\Users\Admin\AppData\Local\Temp\lilaxqbb.exe C:\Users\Admin\AppData\Local\Temp\qwzjl
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\lilaxqbb.exe
        command line: C:\Users\Admin\AppData\Local\Temp\lilaxqbb.exe C:\Users\Admin\AppData\Local\Temp\qwzjl
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\msiexec.exe
    command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\lilaxqbb.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\lilaxqbb.exe
Filesize 6KB
MD5 cea873373b350445440e7333d45a2735
SHA1 4ee5af4ce6b5cb191cbc2880a7b8259287b92b5d
SHA256 d2b2d63ba5a80cf8bda26906d44f868d0a36f5e62f5fc5f8009ccc7c1cb20f79
SHA512 fa4e11fdd7c4d816413ee63e464210cec74ae871ed5ccbaebb0003be37b90ac0934eb6840e8e5d6098661e6df7c552c7e7e0aaebf302fcbc847070dfdf7a3c8f

C:\Users\Admin\AppData\Local\Temp\qwzjl
Filesize 4KB
MD5 ad85e1abe255b453282baaf817b34bba
SHA1 f2f40b78535012f337ec9f5983276f24c113d0a7
SHA256 5b3e0f559d470993d2fce051bc09aa813f37c700da400491644a6ef5461ac0e9
SHA512 375728e3eac5b19c105633012c3a0085d114c6afbbc7a8ad2c57df3f29addf2a7b37a83be5ada408f9fd0cd81c16864bb1304d1be5b5ac912f3847149515a456

C:\Users\Admin\AppData\Local\Temp\scijh7u2xhl2xtr17r
Filesize 163KB
MD5 dafb005f8fd0eef3d0c507a92401a547
SHA1 3688605f1c694b693c6e6cca6701feb3f7047ff6
SHA256 b29edd425a3f3cf35ff5d21fda608732929b714e4b23f63f51df2bc2298bc659
SHA512 dbed72bdf6cdb812bba4c7b13ba1fbacfcae5b696758febfc2305d9fcf6bf207f374afbb433f38ab7d11ac010c62e804cfe0d4df173590e9fc4a1d3d6eb4d091

memory/1040-73-0x0000000000000000-mapping.dmp
memory/1304-70-0x0000000006ED0000-0x000000000700C000-memory.dmp  Filesize 1.2MB
memory/1304-78-0x0000000004900000-0x00000000049CE000-memory.dmp  Filesize 824KB
memory/1880-64-0x000000000041D440-mapping.dmp
memory/1880-67-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize 164KB
memory/1880-68-0x0000000000910000-0x0000000000C13000-memory.dmp  Filesize 3.0MB
memory/1880-69-0x0000000000350000-0x0000000000361000-memory.dmp  Filesize 68KB
memory/1880-63-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize 164KB
memory/1960-56-0x0000000000000000-mapping.dmp
memory/1964-54-0x0000000075401000-0x0000000075403000-memory.dmp  Filesize 8KB
memory/2020-71-0x0000000000000000-mapping.dmp
memory/2020-74-0x0000000000EF0000-0x0000000000F04000-memory.dmp  Filesize 80KB
memory/2020-75-0x0000000000090000-0x00000000000B9000-memory.dmp  Filesize 164KB
memory/2020-76-0x0000000002310000-0x0000000002613000-memory.dmp  Filesize 3.0MB
memory/2020-77-0x00000000009F0000-0x0000000000A80000-memory.dmp  Filesize 576KB