Analysis

max time kernel:  148s
max time network: 151s
platform:         windows10-2004_x64
resource:         win10v2004-20220414-en
submitted:        06-05-2022 14:34

Static task:      static1
Behavioral task:  behavioral1
Sample:           tmp.exe
Resource:         win7-20220414-en
General

Target: tmp.exe
Size:   1.1MB
MD5:    f2b83c2075be8c51ada1ac1b2366095e
SHA1:   f1dbf47b7e225bd92bd8d1a14ea832117f7c1037
SHA256: dbdd02d3fc196dd03b6f970e8bb08d82896d35b72878c09daa0ab36efcb19cf0
SHA512: 7fdaf5cb281658bd7a8e4088ec8609a3bdd0b07bd029cb8390c9ff3823c854d2d51462bfc4bca8cf2af709e1986ee9eaec33c0be4ca68c759e631e31d85470fe
Malware Config

Extracted
  Family:   xloader
  Version:  2.6
  Campaign: arh2
  C2 domains (65 entries). XLoader/FormBook configurations pad the real C2 with decoy domains and the sample beacons to decoys as well; several entries below are ordinary websites, so vet the list before blocking or hunting on it wholesale.
hstorc.com
blackountry.com
dhrbakery.com
dezhouofit.com
defipayout.xyz
ginas4t.com
byzbh63.xyz
qrcrashview.com
mialibaby.com
enhaut.net
samainnova.com
yashveerresort.com
delfos.online
dungcumay.com
lj-counseling.net
fliptheswitch.pro
padogbitelawyer.com
aticarev.com
sederino.site
bestplansforpets-japan3.life
radicallysimplesupps.com
sandbagmaker.com
misdcf.xyz
nbpz.xyz
floridasunbreaks.com
justfinishesofcolorado.com
homemethtestkit.com
chaquetashapticas.com
zodiactshirt.com
tees.email
zxzx999.com
tempepdf.com
watchusroll.com
parotacenter.com
assistcourse.online
paulstilingroup.com
cnbcfx.com
mooncore.xyz
laplugnation.com
gosti24.com
cthomassolutions.com
rkhubs.com
aboutpier.com
multimediaroomandboard.com
iamparrot.com
wifitest.info
nounworld.com
xpartner.biz
128grandviewdrivenewportnsw.com
bakiin.com
suitcell.com
onehitgamerstudios.com
bathingsuitsshoppingus.com
wingstarifa.com
ccasudqi.com
epiconscious.com
ponponshoes.com
cicom.tech
safetynetinc.net
recanto.xyz
sellsidelite.net
kevmoinesproperties.com
hdwallpaperpics.life
57gznfw.xyz
abtys6.online
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
(XLoader is the renamed continuation of FormBook; the Emerging Threats rules still carry the FormBook name, and the check-in traffic is the same.)

Looks for VirtualBox Guest Additions in registry (2 TTPs)

Xloader Payload (2 IoCs)
  yara rule: xloader  resource: behavioral2/memory/4996-136-0x0000000000400000-0x000000000042C000-memory.dmp
  yara rule: xloader  resource: behavioral2/memory/2288-144-0x0000000001450000-0x000000000147B000-memory.dmp
  Both hits are on memory regions of the injected hosts (hdwwiz.exe, PID 4996, and WWAHost.exe, PID 2288). The report records no xloader match on tmp.exe itself, on disk or in memory: the dropper is a wrapper, and the rule only fires on the unpacked payload once it is running in another process.
Adds policy Run key to start application (2 TTPs, 2 IoCs)
  WWAHost.exe  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  WWAHost.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\SFIPY8LPB4 = "C:\Program Files (x86)\M8pn\ofalox44.exe"

Executes dropped EXE (1 IoCs)
  PID 4184  ofalox44.exe

Looks for VMWare Tools registry key (2 TTPs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  tmp.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  tmp.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
  tmp.exe  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  tmp.exe  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0

Suspicious use of SetThreadContext (3 IoCs)
  PID 1732 tmp.exe      set thread context of  4996 hdwwiz.exe
  PID 4996 hdwwiz.exe   set thread context of  3032 Explorer.EXE
  PID 2288 WWAHost.exe  set thread context of  3032 Explorer.EXE

Drops file in Program Files directory (4 IoCs)
  Explorer.EXE  File opened for modification  C:\Program Files (x86)\M8pn\ofalox44.exe
  WWAHost.exe   File opened for modification  C:\Program Files (x86)\M8pn\ofalox44.exe
  Explorer.EXE  File opened for modification  C:\Program Files (x86)\M8pn
  Explorer.EXE  File created                  C:\Program Files (x86)\M8pn\ofalox44.exe
Modifies Internet Explorer settings
  WWAHost.exe  Key created  \Registry\User\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
  (IntelliForms\Storage2 is where Internet Explorer stores AutoComplete form data and saved credentials; touching it fits the browser-credential harvesting seen in the process tree.)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1732 tmp.exe (14 events, in two bursts around the hdwwiz.exe activity), PID 4996 hdwwiz.exe (4 events), PID 2288 WWAHost.exe (the remaining 46 of the 64 listed events)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  PID 3032 Explorer.EXE

Suspicious behavior: MapViewOfSection (7 IoCs)
  PID 4996 hdwwiz.exe (3 events), PID 2288 WWAHost.exe (4 events)

Suspicious use of AdjustPrivilegeToken (13 IoCs)
  PID 1732 tmp.exe       Token: SeDebugPrivilege
  PID 4996 hdwwiz.exe    Token: SeDebugPrivilege
  PID 2288 WWAHost.exe   Token: SeDebugPrivilege
  PID 3032 Explorer.EXE  Token: SeShutdownPrivilege, SeCreatePagefilePrivilege (alternating, 5 times each)

Suspicious use of WriteProcessMemory (28 IoCs)
  PID 1732 tmp.exe       wrote to memory of  3624 esentutl.exe   (3 events)
  PID 1732 tmp.exe       wrote to memory of  4996 hdwwiz.exe     (7 events)
  PID 3032 Explorer.EXE  wrote to memory of  2288 WWAHost.exe    (3 events)
  PID 2288 WWAHost.exe   wrote to memory of  2088 cmd.exe        (3 events)
  PID 2288 WWAHost.exe   wrote to memory of  1588 cmd.exe        (3 events)
  PID 2288 WWAHost.exe   wrote to memory of  3020 cmd.exe        (3 events)
  PID 2288 WWAHost.exe   wrote to memory of  3164 Firefox.exe    (3 events)
  PID 3032 Explorer.EXE  wrote to memory of  4184 ofalox44.exe   (3 events)
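How the WriteProcessMemory and SetThreadContext tables fit together is easier to see when the events are walked as a graph. The following is an added example, not Triage output or code from the sample: the EVENTS tuples are constructed from the two tables above with the repeated WriteProcessMemory rows collapsed, the tuple layout is this example's own rather than a Triage export format, and the two functions reconstruct the chain and flag the source/target pairs that show the full hollowing signature.

```python
"""Reconstruct the injection chain from sandbox API telemetry.

Added example for this report, not code from Triage or from the sample.
EVENTS is constructed from the report's WriteProcessMemory and
SetThreadContext tables; the (api, source_pid, source_image, target_pid,
target_image) layout is this example's own.
"""
from collections import defaultdict

EVENTS = [
    ("WriteProcessMemory", 1732, "tmp.exe",      3624, "esentutl.exe"),
    ("WriteProcessMemory", 1732, "tmp.exe",      4996, "hdwwiz.exe"),
    ("SetThreadContext",   1732, "tmp.exe",      4996, "hdwwiz.exe"),
    ("SetThreadContext",   4996, "hdwwiz.exe",   3032, "Explorer.EXE"),
    ("WriteProcessMemory", 3032, "Explorer.EXE", 2288, "WWAHost.exe"),
    ("SetThreadContext",   2288, "WWAHost.exe",  3032, "Explorer.EXE"),
    ("WriteProcessMemory", 2288, "WWAHost.exe",  2088, "cmd.exe"),
    ("WriteProcessMemory", 2288, "WWAHost.exe",  1588, "cmd.exe"),
    ("WriteProcessMemory", 2288, "WWAHost.exe",  3020, "cmd.exe"),
    ("WriteProcessMemory", 2288, "WWAHost.exe",  3164, "Firefox.exe"),
    ("WriteProcessMemory", 3032, "Explorer.EXE", 4184, "ofalox44.exe"),
]


def image_names(events):
    """pid -> image name, taken from whichever side of an event names the pid."""
    names = {}
    for _api, spid, simg, tpid, timg in events:
        names[spid] = simg
        names[tpid] = timg
    return names


def hollowing_candidates(events):
    """(source_pid, target_pid, target_image) for every source that both wrote
    into and set the thread context of the same other process.

    WriteProcessMemory followed by SetThreadContext on another process is the
    tail of the classic hollowing sequence (create suspended, overwrite the
    image, redirect the entry point, resume). Either call alone is common in
    legitimate software; the pair from one source against one target is not.
    """
    seen = defaultdict(set)
    names = image_names(events)
    for api, spid, _simg, tpid, _timg in events:
        if spid != tpid:
            seen[(spid, tpid)].add(api)
    return sorted(
        (spid, tpid, names[tpid])
        for (spid, tpid), apis in seen.items()
        if {"WriteProcessMemory", "SetThreadContext"} <= apis
    )


def reach_from(events, root_pid):
    """Processes the payload reached from root_pid, in depth-first order,
    treating every cross-process write or context change as an edge.

    The visited set matters: WWAHost.exe sets the thread context of
    Explorer.EXE, which had written into WWAHost.exe, so the graph has a
    cycle that a naive walk would never leave.
    """
    edges = defaultdict(set)
    for _api, spid, _simg, tpid, _timg in events:
        if spid != tpid:
            edges[spid].add(tpid)
    names = image_names(events)
    visited, order, stack = set(), [], [root_pid]
    while stack:
        pid = stack.pop()
        if pid in visited:
            continue
        visited.add(pid)
        order.append((pid, names[pid]))
        # push in reverse so the lowest pid is explored first
        stack.extend(sorted(edges[pid], reverse=True))
    return order


if __name__ == "__main__":
    for spid, tpid, img in hollowing_candidates(EVENTS):
        print(f"hollowing candidate: {spid} -> {tpid} ({img})")
    print(" -> ".join(f"{img}({pid})" for pid, img in reach_from(EVENTS, 1732)))
```

Only tmp.exe -> hdwwiz.exe shows both calls from the same source. The Explorer.EXE -> WWAHost.exe hop shows a write from Explorer and a SetThreadContext in the opposite direction, so a detector keyed strictly on the pair sees one hop of a four-process chain; walking every cross-process write as an edge, as reach_from does, recovers all ten processes the payload touched.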
Processes

[1] C:\Windows\Explorer.EXE
    cmdline: C:\Windows\Explorer.EXE
    - Drops file in Program Files directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\tmp.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      - Checks BIOS information in registry
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\esentutl.exe
        cmdline: "C:\Windows\SysWOW64\esentutl.exe"

    [3] C:\Windows\SysWOW64\autochk.exe
        cmdline: "C:\Windows\SysWOW64\autochk.exe"

    [3] C:\Windows\SysWOW64\hdwwiz.exe
        cmdline: "C:\Windows\SysWOW64\hdwwiz.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\WWAHost.exe
      cmdline: "C:\Windows\SysWOW64\WWAHost.exe"
      - Adds policy Run key to start application
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: /c del "C:\Windows\SysWOW64\hdwwiz.exe"

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

    [3] C:\Program Files\Mozilla Firefox\Firefox.exe
        cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe"

  [2] C:\Program Files (x86)\M8pn\ofalox44.exe
      cmdline: "C:\Program Files (x86)\M8pn\ofalox44.exe"
      - Executes dropped EXE

Note the parentage: WWAHost.exe and the dropped ofalox44.exe are children of Explorer.EXE (depth 2), not of tmp.exe. This matches the injection tables above: tmp.exe hollows hdwwiz.exe, hdwwiz.exe sets Explorer.EXE's thread context, Explorer.EXE then spawns and writes into WWAHost.exe, and WWAHost.exe launches the cmd.exe copies of the Chrome and Edge Login Data stores and opens Firefox.exe. Process-tree rules that key on tmp.exe as the parent therefore miss both the credential theft and the persistence step.
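The persistence and credential-theft steps both surface as plain records (one registry value write and two cmd.exe command lines), which makes them easy to check mechanically. The following is an added example, not part of the report or of the sample: RECORDS is constructed from the Adds policy Run key table and the cmd.exe command lines in the tree above, with one benign copy added as a control; the (kind, process, detail) layout and the AUTORUN_SUFFIXES list are this example's own.

```python
"""Triage persistence and credential-access records from this report.

Added example, not code from Triage or from the sample. RECORDS is
constructed from the report's registry table and cmd.exe command lines
(plus one benign control); the record layout is this example's own.
"""
import re

RECORDS = [
    ("registry_set", "WWAHost.exe",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
     r'\Policies\Explorer\Run\SFIPY8LPB4 = "C:\Program Files (x86)\M8pn\ofalox44.exe"'),
    ("cmdline", "cmd.exe", r'/c del "C:\Windows\SysWOW64\hdwwiz.exe"'),
    ("cmdline", "cmd.exe",
     r'/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" '
     r'"C:\Users\Admin\AppData\Local\Temp\DB1" /V'),
    ("cmdline", "cmd.exe",
     r'/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" '
     r'"C:\Users\Admin\AppData\Local\Temp\DB1" /V'),
    # constructed benign control: an ordinary file copy must not fire
    ("cmdline", "cmd.exe", r'/c copy "C:\Users\Admin\Documents\notes.txt" "D:\backup\notes.txt" /V'),
]

# Autostart key paths (compared case-insensitively, HKLM or HKCU). The
# Policies\Explorer\Run key is the one this sample uses; monitors that only
# watch CurrentVersion\Run never see it.
AUTORUN_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\policies\explorer\run",
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)

# Triage renders a value write as: <key>\<value name> = "<data>"
REG_SET_RE = re.compile(r'^(?P<key>.+)\\(?P<name>[^\\]+) = "(?P<data>.*)"$')
# Chromium-based browsers keep saved logins in a SQLite file named "Login Data"
COPY_LOGIN_DATA_RE = re.compile(
    r'copy\s+"(?P<src>[^"]*\\Login Data)"\s+"(?P<dst>[^"]+)"', re.IGNORECASE)
BROWSER_MARKERS = {"\\google\\chrome\\": "Chrome", "\\microsoft\\edge\\": "Edge"}


def parse_registry_set(detail):
    """Split a 'Set value' record into key path, value name and data, or None."""
    m = REG_SET_RE.match(detail)
    return m.groupdict() if m else None


def autorun_persistence(process, detail):
    """Finding if the record writes a value under a known autostart key."""
    parsed = parse_registry_set(detail)
    if not parsed or not parsed["key"].lower().endswith(AUTORUN_SUFFIXES):
        return None
    return {"type": "persistence", "process": process, "key": parsed["key"],
            "value_name": parsed["name"], "detail": parsed["data"]}


def browser_credential_copy(process, cmdline):
    """Finding if a shell copies a Chromium 'Login Data' store somewhere else."""
    m = COPY_LOGIN_DATA_RE.search(cmdline)
    if not m:
        return None
    src = m.group("src")
    browser = next((name for mark, name in BROWSER_MARKERS.items()
                    if mark in src.lower()), "Chromium-based")
    return {"type": "credential_access", "process": process, "browser": browser,
            "detail": src, "staging": m.group("dst")}


def triage(records):
    """Run every record through the check that applies to its kind."""
    findings = []
    for kind, process, detail in records:
        if kind == "registry_set":
            finding = autorun_persistence(process, detail)
        elif kind == "cmdline":
            finding = browser_credential_copy(process, detail)
        else:
            finding = None
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(RECORDS):
        print(f["type"], f["process"], f["detail"])
```

Against the constructed records this yields one persistence finding (SFIPY8LPB4 pointing at ofalox44.exe) and two credential-access findings (Chrome and Edge, both staged to the same Temp\DB1 path, which is why the Downloads section below carries two hash sets for that file); the `del` of hdwwiz.exe and the benign copy produce nothing.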
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Program Files (x86)\M8pn\ofalox44.exe
  Filesize: 64KB
  MD5:    ad95d55ffcea88f38021920924e4c971
  SHA1:   d49793c7f6359ef3519d6972efa8a6ad8151940d
  SHA256: 81d43ad111bd8b8dad77e0c36e0d420332889fb9b473857dba779ea0c070442c
  SHA512: 1b7464dbd3dba7aecbc898211838c28f8a0dcf630e382673a3daf94583fe9c0f809e143fd10435d3fc8794336c0d83032dbc7b30094e251408d7566d2df5b7b0

C:\Users\Admin\AppData\Local\Temp\DB1 (first capture)
  Filesize: 40KB
  MD5:    b608d407fc15adea97c26936bc6f03f6
  SHA1:   953e7420801c76393902c0d6bb56148947e41571
  SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

C:\Users\Admin\AppData\Local\Temp\DB1 (second capture)
  Filesize: 48KB
  MD5:    349e6eb110e34a08924d92f6b334801d
  SHA1:   bdfb289daff51890cc71697b6322aa4b35ec9169
  SHA256: c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
  SHA512: 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

DB1 is the staging copy of the browsers' Login Data databases: the two cmd.exe copy commands in the process tree (Chrome, then Edge) both write to the same path, which is why two different hash sets are recorded for it. Those hashes are of the sandbox's own browser profiles and are not useful as indicators; the ofalox44.exe hashes are.
memory/1588-148-0x0000000000000000-mapping.dmp
memory/1732-131-0x0000000005220000-0x00000000052BC000-memory.dmp  624KB
memory/1732-132-0x0000000006D00000-0x00000000072A4000-memory.dmp  5.6MB
memory/1732-133-0x0000000006810000-0x0000000006876000-memory.dmp  408KB
memory/1732-130-0x00000000007A0000-0x00000000008CA000-memory.dmp  1.2MB
memory/2088-142-0x0000000000000000-mapping.dmp
memory/2288-143-0x0000000000170000-0x000000000024C000-memory.dmp  880KB
memory/2288-144-0x0000000001450000-0x000000000147B000-memory.dmp  172KB
memory/2288-145-0x00000000020B0000-0x00000000023FA000-memory.dmp  3.3MB
memory/2288-146-0x0000000001F50000-0x0000000001FE0000-memory.dmp  576KB
memory/2288-141-0x0000000000000000-mapping.dmp
memory/3020-150-0x0000000000000000-mapping.dmp
memory/3032-140-0x0000000002A30000-0x0000000002AFA000-memory.dmp  808KB
memory/3032-147-0x0000000007C60000-0x0000000007D16000-memory.dmp  728KB
memory/3624-134-0x0000000000000000-mapping.dmp
memory/4184-152-0x0000000000000000-mapping.dmp
memory/4996-139-0x0000000000DA0000-0x0000000000DB1000-memory.dmp  68KB
memory/4996-136-0x0000000000400000-0x000000000042C000-memory.dmp  176KB
memory/4996-135-0x0000000000000000-mapping.dmp
memory/4996-138-0x0000000001100000-0x000000000144A000-memory.dmp  3.3MB

The two dumps that matched the xloader YARA rule are memory/4996-136 (hdwwiz.exe, 176KB at 0x400000, the default image base of a 32-bit executable, i.e. the region where the hollowed host's own image would normally sit) and memory/2288-144 (WWAHost.exe, 172KB). These, rather than tmp.exe, are the dumps to pull for static analysis of the payload.