Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 12-05-2022 07:33
Static task: static1
Behavioral task: behavioral1
Sample: b116243ed4215cbcb325a827d11cdc68.exe
Resource: win7-20220414-en
General
Target: b116243ed4215cbcb325a827d11cdc68.exe
Size: 245KB
MD5: b116243ed4215cbcb325a827d11cdc68
SHA1: c9ef499d8ec2966dda389ce769012b4ad6661cbc
SHA256: ecd736b3ee17564a101bfdf8ff757edf53948a983ef1c1dd088cd9f214034990
SHA512: 39543aa90882920e8ba46777eb092abb678471c7cc7876d1ad98b2d4b1c6f4f50669d18c764c3b655866a682acabe2b73e1958be5a4ebfc0973574d210393ef3
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: bs8f
Decoys:
atmospheraglobal.com
dontshootima.com
bestofferusde.club
yourdigitalboss.com
breskizci.com
myarrovacoastwebsite.com
reasclerk.com
efrovida.com
wsmz.net
upneett.com
loefflerforgov.com
noida.info
trndystore.com
arhaldar.online
vivibanca.tech
mykrema.com
vseserialy.online
ridgewayinsua.com
heauxland.com
bestcollegecourses.com
scent-kart.xyz
handyman-prime.com
wrightpurpose.com
hellounio.com
wealthy-link-erp.com
josegal.com
texasdominionrealty.com
hespresso.net
dreamonetnpasumo5.xyz
videosmind.com
abbawaalema.quest
esmtoluca.com
2382108759.com
akbastionoffilamentousfungi.com
electramanpower.com
siguealpanda.com
alquilerfurgon.com
3-little-pigs.com
esolutions4u.com
thatgolfer.com
biom4rk.com
paramusapartments.com
mothergadgets.com
ktnreport.xyz
amxdrivers.com
buymyhomeallcash.com
lifeisthere.com
nous-citoyens.com
destimarketing.com
lawinepro.com
littlenorwayfarmhouse.com
realworldgb488.rest
qualinorm.com
capitaltechcorp.com
familybeautifull.com
continentaldeal.com
scratchforce.com
veganbreathing.com
hickoryfalls-pm.com
pascal-rocha.com
20kretirementplan.biz
lehome.store
hellanatural.com
hnythao.com
gnizdo.online
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3708-136-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/3708-139-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/4608-145-0x0000000000F90000-0x0000000000FB9000-memory.dmp | xloader
-
Executes dropped EXE 3 IoCs
Processes: fdwfm.exe, fdwfm.exe, cdixplbpuvk.exe
pid | process
384 | fdwfm.exe
3708 | fdwfm.exe
4936 | cdixplbpuvk.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: ipconfig.exe
description | ioc | process
Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | ipconfig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GJOP6TG0KVTH = "C:\\Program Files (x86)\\Kplx4\\cdixplbpuvk.exe" | ipconfig.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes: fdwfm.exe, fdwfm.exe, ipconfig.exe
description | pid | process | target process
PID 384 set thread context of 3708 | 384 | fdwfm.exe | fdwfm.exe
PID 3708 set thread context of 2600 | 3708 | fdwfm.exe | Explorer.EXE
PID 4608 set thread context of 2600 | 4608 | ipconfig.exe | Explorer.EXE
-
Drops file in Program Files directory 4 IoCs
Processes: ipconfig.exe, Explorer.EXE
description | ioc | process
File opened for modification | C:\Program Files (x86)\Kplx4\cdixplbpuvk.exe | ipconfig.exe
File opened for modification | C:\Program Files (x86)\Kplx4 | Explorer.EXE
File created | C:\Program Files (x86)\Kplx4\cdixplbpuvk.exe | Explorer.EXE
File opened for modification | C:\Program Files (x86)\Kplx4\cdixplbpuvk.exe | Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
984 | 4936 | WerFault.exe | cdixplbpuvk.exe
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes: ipconfig.exe
pid | process
4608 | ipconfig.exe
-
Modifies Internet Explorer settings
Processes: ipconfig.exe
description | ioc | process
Key created | \Registry\User\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | ipconfig.exe
-
Modifies registry class 2 IoCs
Processes: Explorer.EXE
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
-
Suspicious behavior: EnumeratesProcesses 52 IoCs
Processes: fdwfm.exe, ipconfig.exe
pid | process
3708 | fdwfm.exe (4 entries)
4608 | ipconfig.exe (remaining 48 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid | process
2600 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 7 IoCs
Processes: fdwfm.exe, ipconfig.exe
pid | process
3708 | fdwfm.exe (3 entries)
4608 | ipconfig.exe (4 entries)
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes: fdwfm.exe, ipconfig.exe, Explorer.EXE
description | pid | process
Token: SeDebugPrivilege | 3708 | fdwfm.exe
Token: SeDebugPrivilege | 4608 | ipconfig.exe
Token: SeShutdownPrivilege | 2600 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2600 | Explorer.EXE
Token: SeShutdownPrivilege | 2600 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2600 | Explorer.EXE
Token: SeShutdownPrivilege | 2600 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2600 | Explorer.EXE
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes: b116243ed4215cbcb325a827d11cdc68.exe, fdwfm.exe, Explorer.EXE, ipconfig.exe
description | pid | process | target process
PID 2828 wrote to memory of 384 | 2828 | b116243ed4215cbcb325a827d11cdc68.exe | fdwfm.exe (3 entries)
PID 384 wrote to memory of 3708 | 384 | fdwfm.exe | fdwfm.exe (6 entries)
PID 2600 wrote to memory of 4608 | 2600 | Explorer.EXE | ipconfig.exe (3 entries)
PID 4608 wrote to memory of 4548 | 4608 | ipconfig.exe | cmd.exe (3 entries)
PID 4608 wrote to memory of 5076 | 4608 | ipconfig.exe | cmd.exe (3 entries)
PID 4608 wrote to memory of 4968 | 4608 | ipconfig.exe | Firefox.exe (2 entries)
PID 2600 wrote to memory of 4936 | 2600 | Explorer.EXE | cdixplbpuvk.exe (3 entries)
PID 4608 wrote to memory of 4968 | 4608 | ipconfig.exe | Firefox.exe (1 entry)
Processes
-
C:\Windows\Explorer.EXE (level 1)
Command line: C:\Windows\Explorer.EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b116243ed4215cbcb325a827d11cdc68.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\b116243ed4215cbcb325a827d11cdc68.exe"
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fdwfm.exe (level 3)
Command line: C:\Users\Admin\AppData\Local\Temp\fdwfm.exe C:\Users\Admin\AppData\Local\Temp\dimjwfh
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fdwfm.exe (level 4)
Command line: C:\Users\Admin\AppData\Local\Temp\fdwfm.exe C:\Users\Admin\AppData\Local\Temp\dimjwfh
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\ipconfig.exe (level 2)
Command line: "C:\Windows\SysWOW64\ipconfig.exe"
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (level 3)
Command line: /c del "C:\Users\Admin\AppData\Local\Temp\fdwfm.exe"
-
C:\Windows\SysWOW64\cmd.exe (level 3)
Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
-
C:\Program Files\Mozilla Firefox\Firefox.exe (level 3)
Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
-
C:\Program Files (x86)\Kplx4\cdixplbpuvk.exe (level 2)
Command line: "C:\Program Files (x86)\Kplx4\cdixplbpuvk.exe"
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exe (level 3)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 216
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe (level 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4936 -ip 4936
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Kplx4\cdixplbpuvk.exe
Filesize: 74KB
MD5: 20a453ac2dfd314bf1f374bb0171681e
SHA1: cf673d84f74b343061b923a8cd90936344cb5bc4
SHA256: 26a72e117f00a00dfe14730575d9e791eb783f5df77d3cdc7e736ef8493f93e0
SHA512: ba8606472ab4d03ef92689ddf993df62d0e1dc743e65821e915ef6237e9ff9e81cd7670f1da3f88748e1b66a8a80e72d9796adcb834fc159314db9af4882a642
-
C:\Users\Admin\AppData\Local\Temp\07psh9jxx8mb5t
Filesize: 163KB
MD5: 2c8a5acbcf62c17a33d922b3b195e5f2
SHA1: 4d8f1fd37d8a88fce9a413e50953616a2a79a4a7
SHA256: a4a062a6f2ba7f29ef472549256f378c72ce26b94466acd3a313eb6d61fbc664
SHA512: e96420d378adf2b601b067a8d6426a4544b0c42dcca850ba3e342167899f3245bd2b5d4655015e39b26e3465566c10d1576253f5c104904362ea27700fadc24c
-
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize: 40KB
MD5: b608d407fc15adea97c26936bc6f03f6
SHA1: 953e7420801c76393902c0d6bb56148947e41571
SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Local\Temp\dimjwfh
Filesize: 4KB
MD5: cb63c004083d462107d544017b29f953
SHA1: 20896ed8b2ef0f60cd37cea225f0174ac4a4fe6b
SHA256: da7cb9a05a5d27d1d6a2817bee8478627bbaaea1dcc393cd58f32b461462d4c7
SHA512: aa0475bd3bda49f7d032a53b5dc98d8029718f9bc15b209c8cf8f5515cd59e3e20209908d8d9df139c38420f23bd69808bb1b452adb1e0576d9834ba0a465445
-
C:\Users\Admin\AppData\Local\Temp\fdwfm.exe
Filesize: 74KB
MD5: 20a453ac2dfd314bf1f374bb0171681e
SHA1: cf673d84f74b343061b923a8cd90936344cb5bc4
SHA256: 26a72e117f00a00dfe14730575d9e791eb783f5df77d3cdc7e736ef8493f93e0
SHA512: ba8606472ab4d03ef92689ddf993df62d0e1dc743e65821e915ef6237e9ff9e81cd7670f1da3f88748e1b66a8a80e72d9796adcb834fc159314db9af4882a642
-
memory/384-130-0x0000000000000000-mapping.dmp
-
memory/2600-142-0x0000000002B90000-0x0000000002C5B000-memory.dmp
Filesize: 812KB
-
memory/2600-149-0x0000000002C60000-0x0000000002D6C000-memory.dmp
Filesize: 1.0MB
-
memory/3708-136-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize: 164KB
-
memory/3708-141-0x0000000000DF0000-0x0000000000E01000-memory.dmp
Filesize: 68KB
-
memory/3708-140-0x00000000009B0000-0x0000000000CFA000-memory.dmp
Filesize: 3.3MB
-
memory/3708-139-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize: 164KB
-
memory/3708-135-0x0000000000000000-mapping.dmp
-
memory/4548-147-0x0000000000000000-mapping.dmp
-
memory/4608-143-0x0000000000000000-mapping.dmp
-
memory/4608-145-0x0000000000F90000-0x0000000000FB9000-memory.dmp
Filesize: 164KB
-
memory/4608-144-0x0000000000EF0000-0x0000000000EFB000-memory.dmp
Filesize: 44KB
-
memory/4608-146-0x0000000001880000-0x0000000001BCA000-memory.dmp
Filesize: 3.3MB
-
memory/4608-148-0x0000000001760000-0x00000000017F0000-memory.dmp
Filesize: 576KB
-
memory/4936-152-0x0000000000000000-mapping.dmp
-
memory/5076-150-0x0000000000000000-mapping.dmp