Analysis
- max time kernel: 152s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 12-05-2022 07:32
- Static task: static1
- Behavioral task: behavioral1
- Sample: 148b63c2b85f806c7c3036f854b1c6f0.exe
- Resource: win7-20220414-en
General
- Target: 148b63c2b85f806c7c3036f854b1c6f0.exe
- Size: 253KB
- MD5: 148b63c2b85f806c7c3036f854b1c6f0
- SHA1: 43b8071712dc21a04140a2eae003380b7575f7e8
- SHA256: ca4112bb9a7b776f14e9085c5b3ecaa7458ecaaa4c2515b79978d7f99eca768f
- SHA512: b16af075fc1a9569d6898d58f623a8af277b09543130afaf9e21a710032d1545c42b37530514cb0d080ed3afcc028317573ae5cdd7c2fac5bbb87e0ac80f99d2
Malware Config
Extracted
- Family: xloader
- Version: 2.6
- Campaign ID: arh2
- Domains (XLoader/FormBook configurations pad the live C2 with decoy domains, so treat this list as context for network hunting, not as a blocklist; the extraction does not say which entry is the real C2):
hstorc.com
blackountry.com
dhrbakery.com
dezhouofit.com
defipayout.xyz
ginas4t.com
byzbh63.xyz
qrcrashview.com
mialibaby.com
enhaut.net
samainnova.com
yashveerresort.com
delfos.online
dungcumay.com
lj-counseling.net
fliptheswitch.pro
padogbitelawyer.com
aticarev.com
sederino.site
bestplansforpets-japan3.life
radicallysimplesupps.com
sandbagmaker.com
misdcf.xyz
nbpz.xyz
floridasunbreaks.com
justfinishesofcolorado.com
homemethtestkit.com
chaquetashapticas.com
zodiactshirt.com
tees.email
zxzx999.com
tempepdf.com
watchusroll.com
parotacenter.com
assistcourse.online
paulstilingroup.com
cnbcfx.com
mooncore.xyz
laplugnation.com
gosti24.com
cthomassolutions.com
rkhubs.com
aboutpier.com
multimediaroomandboard.com
iamparrot.com
wifitest.info
nounworld.com
xpartner.biz
128grandviewdrivenewportnsw.com
bakiin.com
suitcell.com
onehitgamerstudios.com
bathingsuitsshoppingus.com
wingstarifa.com
ccasudqi.com
epiconscious.com
ponponshoes.com
cicom.tech
safetynetinc.net
recanto.xyz
sellsidelite.net
kevmoinesproperties.com
hdwallpaperpics.life
57gznfw.xyz
abtys6.online
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
Xloader Payload 2 IoCs
resource | yara_rule
behavioral2/memory/1040-136-0x0000000000400000-0x000000000042B000-memory.dmp | xloader
behavioral2/memory/1328-145-0x0000000000BC0000-0x0000000000BEB000-memory.dmp | xloader
Both regions are 172KB (0x2B000 bytes): the payload sits at the default 32-bit image base 0x400000 inside the hollowed lbaooyiqoz.exe (PID 1040) and at 0xBC0000 inside netsh.exe (PID 1328), matching the SetThreadContext chain below.
-
Executes dropped EXE 3 IoCs
pid | process
3960 | lbaooyiqoz.exe
1040 | lbaooyiqoz.exe
1304 | 3fxqvuhzff.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers commonly read stored browser data such as saved credentials. In this run the reads are visible in the process tree as cmd.exe copying the Chrome and Edge "Login Data" databases to C:\Users\Admin\AppData\Local\Temp\DB1 and as netsh.exe launching Firefox.exe.
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | process
Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | netsh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TLM0NRU88B = "C:\\Program Files (x86)\\Onf_t\\3fxqvuhzff.exe" | netsh.exe
The writer is the injected 32-bit netsh.exe, so its HKLM\SOFTWARE write lands under WOW6432Node; writing this machine-wide Run key needs administrative rights, which the sandbox user had. The value points at the persistence copy under Program Files (x86), which the Downloads section shows has the same hashes as the Temp dropper lbaooyiqoz.exe.
-
Suspicious use of SetThreadContext 3 IoCs
pid | process | target pid | target process
3960 | lbaooyiqoz.exe | 1040 | lbaooyiqoz.exe
1040 | lbaooyiqoz.exe | 2604 | Explorer.EXE
1328 | netsh.exe | 2604 | Explorer.EXE
This is the XLoader/FormBook injection chain: the dropper re-launches itself and hollows the child (3960 -> 1040), the hollowed copy injects into Explorer.EXE (1040 -> 2604), Explorer.EXE then starts netsh.exe as the long-lived host (see WriteProcessMemory below), and netsh.exe in turn sets a thread context in Explorer.EXE (1328 -> 2604).
-
Drops file in Program Files directory 4 IoCs
description | ioc | process
File opened for modification | C:\Program Files (x86)\Onf_t\3fxqvuhzff.exe | netsh.exe
File opened for modification | C:\Program Files (x86)\Onf_t | Explorer.EXE
File created | C:\Program Files (x86)\Onf_t\3fxqvuhzff.exe | Explorer.EXE
File opened for modification | C:\Program Files (x86)\Onf_t\3fxqvuhzff.exe | Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for this sample, identified as XLoader, it is not on its own evidence of ransomware, and no file encryption appears anywhere in the report.
-
Program crash 1 IoCs
pid | pid_target | process | target process
3816 | 1304 | WerFault.exe | 3fxqvuhzff.exe
The persistence copy 3fxqvuhzff.exe (PID 1304) was launched by Explorer.EXE with no arguments and crashed; the Temp copy of the same binary had been started with C:\Users\Admin\AppData\Local\Temp\enevfyfwb as its argument (see the process tree).
-
Modifies Internet Explorer settings 1 IoCs
description | ioc | process
Key created | \Registry\User\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | netsh.exe
The signature name is the sandbox's generic label; IntelliForms\Storage2 is where Internet Explorer keeps its AutoComplete (saved form and password) entries, so netsh.exe opening it belongs with the browser credential access above rather than with configuration changes.
-
Suspicious behavior: EnumeratesProcesses 56 IoCs
pid | process | rows
1040 | lbaooyiqoz.exe | 4
1328 | netsh.exe | 52
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | process
2604 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 7 IoCs
pid | process | rows
1040 | lbaooyiqoz.exe | 3
1328 | netsh.exe | 4
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | process
Token: SeDebugPrivilege | 1040 | lbaooyiqoz.exe
Token: SeDebugPrivilege | 1328 | netsh.exe
Token: SeShutdownPrivilege | 2604 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2604 | Explorer.EXE
-
Suspicious use of WriteProcessMemory 27 IoCs
pid | process | target pid | target process | rows
2292 | 148b63c2b85f806c7c3036f854b1c6f0.exe | 3960 | lbaooyiqoz.exe | 3
3960 | lbaooyiqoz.exe | 1040 | lbaooyiqoz.exe | 6
2604 | Explorer.EXE | 1328 | netsh.exe | 3
1328 | netsh.exe | 2944 | cmd.exe | 3
1328 | netsh.exe | 2556 | cmd.exe | 3
1328 | netsh.exe | 2788 | cmd.exe | 3
1328 | netsh.exe | 4088 | Firefox.exe | 3
2604 | Explorer.EXE | 1304 | 3fxqvuhzff.exe | 3
Three writes into each newly spawned child is what this sandbox records for ordinary process creation; the six writes from 3960 into 1040, together with the SetThreadContext row for the same pair, are the hollowing of the re-launched dropper. The rows also show that netsh.exe and 3fxqvuhzff.exe were spawned by Explorer.EXE, i.e. by the code injected into it.
Processes
-
C:\Windows\Explorer.EXE (PID 2604)
  command line: C:\Windows\Explorer.EXE
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\148b63c2b85f806c7c3036f854b1c6f0.exe (PID 2292)
    command line: "C:\Users\Admin\AppData\Local\Temp\148b63c2b85f806c7c3036f854b1c6f0.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\lbaooyiqoz.exe (PID 3960)
      command line: C:\Users\Admin\AppData\Local\Temp\lbaooyiqoz.exe C:\Users\Admin\AppData\Local\Temp\enevfyfwb
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\lbaooyiqoz.exe (PID 1040)
        command line: C:\Users\Admin\AppData\Local\Temp\lbaooyiqoz.exe C:\Users\Admin\AppData\Local\Temp\enevfyfwb
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\netsh.exe (PID 1328)
    command line: "C:\Windows\SysWOW64\netsh.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\lbaooyiqoz.exe"
    C:\Windows\SysWOW64\cmd.exe
      command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    C:\Windows\SysWOW64\cmd.exe
      command line: /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    C:\Program Files\Mozilla Firefox\Firefox.exe (PID 4088)
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
  C:\Program Files (x86)\Onf_t\3fxqvuhzff.exe (PID 1304)
    command line: "C:\Program Files (x86)\Onf_t\3fxqvuhzff.exe"
    - Executes dropped EXE
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 472
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1304 -ip 1304
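The signature rows and the process tree above describe one chain: a self re-launch that is hollowed, injection into Explorer.EXE, a bare netsh.exe started by Explorer as the host, cmd.exe copies of browser Login Data, and a Run key written by netsh.exe. The following is an added example (not part of the Tria.ge report or of any vendor tooling) showing how that chain can be recovered from process, SetThreadContext and registry telemetry. The event tuples are constructed from the report's own PIDs, images, command lines and registry key; the event schema, the function names and the rule thresholds are assumptions of this example, and the assignment of the three cmd.exe children to PIDs 2944/2556/2788 follows the order of the WriteProcessMemory rows, which is also an assumption.

```python
"""Reconstruct the XLoader behaviour chain of this report from telemetry.

Added example, not part of the Tria.ge report. Events are constructed from
the report's process tree and signature rows; the schema and the rules are
assumptions, as is mapping the three cmd.exe children to 2944/2556/2788.
"""
import re

TMP = r"C:\Users\Admin\AppData\Local\Temp"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
LOGIN_DATA = re.compile(r'copy\s+"(?P<src>[^"]*\\Login Data)"\s+"(?P<dst>[^"]*)"', re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)

# Constructed process-creation events: (pid, ppid, image, command_line)
PROCS = [
    (2604, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (2292, 2604, TMP + r"\148b63c2b85f806c7c3036f854b1c6f0.exe",
     '"' + TMP + r'\148b63c2b85f806c7c3036f854b1c6f0.exe"'),
    (3960, 2292, TMP + r"\lbaooyiqoz.exe",
     TMP + r"\lbaooyiqoz.exe " + TMP + r"\enevfyfwb"),
    (1040, 3960, TMP + r"\lbaooyiqoz.exe",
     TMP + r"\lbaooyiqoz.exe " + TMP + r"\enevfyfwb"),
    (1328, 2604, r"C:\Windows\SysWOW64\netsh.exe", r'"C:\Windows\SysWOW64\netsh.exe"'),
    (2944, 1328, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd.exe /c del "' + TMP + r'\lbaooyiqoz.exe"'),
    (2556, 1328, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd.exe /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "'
     + TMP + r'\DB1" /V'),
    (2788, 1328, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd.exe /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "'
     + TMP + r'\DB1" /V'),
    (4088, 1328, r"C:\Program Files\Mozilla Firefox\Firefox.exe",
     r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
    (1304, 2604, r"C:\Program Files (x86)\Onf_t\3fxqvuhzff.exe",
     r'"C:\Program Files (x86)\Onf_t\3fxqvuhzff.exe"'),
]
# Constructed SetThreadContext events: (source_pid, target_pid)
CTX = [(3960, 1040), (1040, 2604), (1328, 2604)]
# Constructed registry set-value event: (pid, image, key, value_name, data)
REG = [(1328, r"C:\Windows\SysWOW64\netsh.exe",
        r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
        "TLM0NRU88B", r"C:\Program Files (x86)\Onf_t\3fxqvuhzff.exe")]


def _index(procs):
    return {p[0]: p for p in procs}


def classify_thread_context(procs, ctx):
    """Hollowing: the target is the source's own child running the same image
    (3960 -> 1040). Remote injection: the target is not a child of the source
    at all (1040 -> Explorer.EXE, netsh.exe -> Explorer.EXE)."""
    idx, out = _index(procs), []
    for src, dst in ctx:
        s, d = idx[src], idx[dst]
        if d[1] == src and d[2].lower() == s[2].lower():
            out.append(("hollowing", src, dst))
        elif d[1] != src:
            out.append(("remote-injection", src, dst))
    return out


def bare_system_binary_from_explorer(procs):
    """A System32/SysWOW64 tool started by explorer.exe with no arguments that
    then spawns children: the XLoader/FormBook host-process pattern."""
    idx, hits = _index(procs), []
    for pid, ppid, image, cmd in procs:
        parent = idx.get(ppid)
        if parent is None or not parent[2].lower().endswith("explorer.exe"):
            continue
        if not image.lower().startswith(SYSTEM_DIRS):
            continue
        if cmd.strip().strip('"').lower() != image.lower():
            continue  # carries arguments: ordinary use of the tool
        kids = [p[2].rsplit("\\", 1)[-1] for p in procs if p[1] == pid]
        if kids:
            hits.append((pid, image.rsplit("\\", 1)[-1], kids))
    return hits


def browser_login_data_copies(procs):
    """cmd.exe copying a browser 'Login Data' SQLite file to a staging path."""
    hits = []
    for pid, _, image, cmd in procs:
        m = LOGIN_DATA.search(cmd)
        if m is None or not image.lower().endswith("cmd.exe"):
            continue
        src = m["src"].lower()
        browser = ("chrome" if "\\google\\chrome\\" in src
                   else "edge" if "\\microsoft\\edge\\" in src else "other")
        hits.append((pid, browser, m["dst"]))
    return hits


def run_keys_from_system_binary(reg):
    """Run values written by a System32/SysWOW64 binary that point elsewhere
    (netsh.exe -> Program Files (x86)\\Onf_t\\3fxqvuhzff.exe)."""
    return [(pid, name, data) for pid, image, key, name, data in reg
            if RUN_KEY.search(key) and image.lower().startswith(SYSTEM_DIRS)
            and not data.lower().startswith(SYSTEM_DIRS)]


def findings(procs=PROCS, ctx=CTX, reg=REG):
    return {"thread_context": classify_thread_context(procs, ctx),
            "bare_lolbin": bare_system_binary_from_explorer(procs),
            "credential_copies": browser_login_data_copies(procs),
            "run_keys": run_keys_from_system_binary(reg)}


if __name__ == "__main__":
    for rule, hits in findings().items():
        print(rule, hits)
```

Run as a script it prints the four rule results for the constructed events. The `bare_system_binary_from_explorer` rule keys on the combination that is hard to explain benignly: a system tool under explorer.exe whose command line is nothing but its own path and which then spawns cmd.exe or a browser. The `classify_thread_context` rule separates the self re-launch (same image, parent-child) from cross-process injection into a process the source never created; on real telemetry the target's parent and image would come from the same process-creation feed used here.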
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Onf_t\3fxqvuhzff.exe (listed twice in the report with identical hashes; the persistence copy, byte-identical to lbaooyiqoz.exe below)
Filesize: 74KB
MD5: b0981fa438a30d097b95a96d1d7ec4b9
SHA1: e75ad5039db2bd35d56019da92cd8c71f95dbc4c
SHA256: f77848ff5808ce9a5a0d7732cbc15882c7453e4bd1c927bb62bdae198b4b7697
SHA512: be0257e995faa14ce18d9107078b4b6127ad5ce7c3fbbdda5aa1904d7f7eb41167398d36b124dc7296afc2d71df64e6e04a39b66fd7436b1b26a163773381eea
-
C:\Users\Admin\AppData\Local\Temp\2zz4hssyl78
Filesize: 171KB
MD5: 6629f2fca8fbc541cd84585ba0322e0a
SHA1: ee152ebf1a896a3e36423c10f2e82144e8d2637c
SHA256: cb50a336c419ed641855193c3c0467f29c60db1281dba1902b1fe4e23f67a57f
SHA512: 25eb74a5362c67377a8030b4cc8c74f6c63151cb53fab167ff1387824c8bc4bcfe6d95d89cfd75344b2b1a0cd17fd4f28f54d83078fb8cc2e90e75703043359b
-
C:\Users\Admin\AppData\Local\Temp\DB1 (two entries with different sizes and hashes: the Chrome and Edge "Login Data" copies written to the same staging path by the cmd.exe commands in the process tree; the report does not say which entry is which)
Filesize: 40KB
MD5: b608d407fc15adea97c26936bc6f03f6
SHA1: 953e7420801c76393902c0d6bb56148947e41571
SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize: 48KB
MD5: 349e6eb110e34a08924d92f6b334801d
SHA1: bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256: c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512: 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
C:\Users\Admin\AppData\Local\Temp\enevfyfwb (passed as the command-line argument to lbaooyiqoz.exe)
Filesize: 5KB
MD5: 89a491b662b90b975d9e4a21c82922f7
SHA1: 76feb91a683e49167ee4733a3c33036d488d13a1
SHA256: 5341ab5d2d79a3589bad2eab39513a9445935a628f74acf2b0a92e0eb3c9f439
SHA512: 41831f6d6b1c1c4f7aecf4a1f8c482e91992ffe3872c4e7e5e3cd5f8cde758fb54319935377af1d3239efa6c49afa3876e8421f3dbcd4e91fea3fec3e4a28638
-
C:\Users\Admin\AppData\Local\Temp\lbaooyiqoz.exe (listed three times in the report with identical hashes)
Filesize: 74KB
MD5: b0981fa438a30d097b95a96d1d7ec4b9
SHA1: e75ad5039db2bd35d56019da92cd8c71f95dbc4c
SHA256: f77848ff5808ce9a5a0d7732cbc15882c7453e4bd1c927bb62bdae198b4b7697
SHA512: be0257e995faa14ce18d9107078b4b6127ad5ce7c3fbbdda5aa1904d7f7eb41167398d36b124dc7296afc2d71df64e6e04a39b66fd7436b1b26a163773381eea
-
memory/1040-135-0x0000000000000000-mapping.dmp
-
memory/1040-136-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
-
memory/1040-139-0x0000000000AF0000-0x0000000000E3A000-memory.dmp (Filesize: 3.3MB)
-
memory/1040-140-0x00000000009D0000-0x00000000009E1000-memory.dmp (Filesize: 68KB)
-
memory/1304-153-0x0000000000000000-mapping.dmp
-
memory/1328-142-0x0000000000000000-mapping.dmp
-
memory/1328-146-0x00000000015E0000-0x000000000192A000-memory.dmp (Filesize: 3.3MB)
-
memory/1328-147-0x0000000001280000-0x0000000001310000-memory.dmp (Filesize: 576KB)
-
memory/1328-144-0x00000000015C0000-0x00000000015DE000-memory.dmp (Filesize: 120KB)
-
memory/1328-145-0x0000000000BC0000-0x0000000000BEB000-memory.dmp (Filesize: 172KB)
-
memory/2556-149-0x0000000000000000-mapping.dmp
-
memory/2604-148-0x0000000002EF0000-0x0000000003030000-memory.dmp (Filesize: 1.2MB)
-
memory/2604-141-0x0000000002D60000-0x0000000002EF0000-memory.dmp (Filesize: 1.6MB)
-
memory/2788-151-0x0000000000000000-mapping.dmp
-
memory/2944-143-0x0000000000000000-mapping.dmp
-
memory/3960-130-0x0000000000000000-mapping.dmp