Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
13-05-2022 14:52
Static task
static1
General
-
Target
6cfb66c75d42e49a9a8d6cbf73eb9de1c8df27848f2bf65a81b5b64743699cba.exe
-
Size
275KB
-
MD5
b5691d968eccd79d3b535e2686cb1a03
-
SHA1
94d44d86ce784de393323a58474224731189c19b
-
SHA256
6cfb66c75d42e49a9a8d6cbf73eb9de1c8df27848f2bf65a81b5b64743699cba
-
SHA512
fbb331868c26b6d01553b19571f7ab66d97f049ad8323168189302d6f4d20df5af6ec9528d204130e609807d796f9f081dfc4a50cd5692e38169aa9223ceb849
Malware Config
Extracted
xloader
2.5
bs8f
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 2 IoCs
Processes:
resource                                                                       yara_rule
behavioral1/memory/4724-136-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
behavioral1/memory/4956-144-0x0000000001220000-0x0000000001249000-memory.dmp   xloader
-
Executes dropped EXE 2 IoCs
Processes:
pid    process
3352   tiyikk.exe
4724   tiyikk.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description                           pid    process       target process
PID 3352 set thread context of 4724   3352   tiyikk.exe    tiyikk.exe
PID 4724 set thread context of 2896   4724   tiyikk.exe    Explorer.EXE
PID 4956 set thread context of 2896   4956   control.exe   Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 2 IoCs
Processes:
description   ioc                                                                                                                              process
Key created   \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\                                           Explorer.EXE
Key created   \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\   Explorer.EXE
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
pid    process
4724   tiyikk.exe    (4 entries)
4956   control.exe   (56 entries; the remaining IoCs of the 60)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid    process
2896   Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid    process
4724   tiyikk.exe    (3 entries)
4956   control.exe   (2 entries)
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
Processes:
description                        pid    process
Token: SeDebugPrivilege            4724   tiyikk.exe
Token: SeDebugPrivilege            4956   control.exe
Token: SeShutdownPrivilege         2896   Explorer.EXE   (this and the next entry alternate for the remaining 24 IoCs)
Token: SeCreatePagefilePrivilege   2896   Explorer.EXE
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid    process
2896   Explorer.EXE
2896   Explorer.EXE
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description                        pid    process                                                                  target process
PID 4716 wrote to memory of 3352   4716   6cfb66c75d42e49a9a8d6cbf73eb9de1c8df27848f2bf65a81b5b64743699cba.exe   tiyikk.exe    (3 entries)
PID 3352 wrote to memory of 4724   3352   tiyikk.exe                                                               tiyikk.exe    (6 entries)
PID 2896 wrote to memory of 4956   2896   Explorer.EXE                                                             control.exe   (3 entries)
PID 4956 wrote to memory of 220    4956   control.exe                                                              cmd.exe       (3 entries)
Processes
-
Level 1: C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Users\Admin\AppData\Local\Temp\6cfb66c75d42e49a9a8d6cbf73eb9de1c8df27848f2bf65a81b5b64743699cba.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6cfb66c75d42e49a9a8d6cbf73eb9de1c8df27848f2bf65a81b5b64743699cba.exe"
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Users\Admin\AppData\Local\Temp\tiyikk.exe
Command line: C:\Users\Admin\AppData\Local\Temp\tiyikk.exe C:\Users\Admin\AppData\Local\Temp\qgshio
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
Level 4: C:\Users\Admin\AppData\Local\Temp\tiyikk.exe
Command line: C:\Users\Admin\AppData\Local\Temp\tiyikk.exe C:\Users\Admin\AppData\Local\Temp\qgshio
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
Level 2: C:\Windows\SysWOW64\control.exe
Command line: "C:\Windows\SysWOW64\control.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Windows\SysWOW64\cmd.exe
Command line: /c del "C:\Users\Admin\AppData\Local\Temp\tiyikk.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7vgh4qve0cz5acu01
Filesize
163KB
MD5 07f3aff9015e5a75c2072685deb6d1d5
SHA1 b2c832c23a920017029d812e46d09d2381c334ba
SHA256 b647d2d7d5b812323f2083805eef68709e266b61c3d3a71bc9b5e95293fd1570
SHA512 00d3ef513e9be2317388f446bbcb2809d1f2912ac6fa19e4afad8c58f7581729935d4edda24837ddd01eec9599b2a3e6875013524b96dc0dbce36248abefe127
-
C:\Users\Admin\AppData\Local\Temp\qgshio
Filesize
5KB
MD5 1fe76d811e64564c593de6cbfed7f88e
SHA1 a25d3e18096ed89c0c1359cb67e64ae78344dba6
SHA256 92611f59df9188605c9742cb4c849901b1898e8b8c28c2e96c52fe4d864d4152
SHA512 3ca4acfd5a0e485c28babff488a9164c3a201ee582e95a9f27a6a650e9cae4d49c873db2529b2cc69bdd053f1b1ae810a230c1e10b2fb239a51d19d274fabdea
-
C:\Users\Admin\AppData\Local\Temp\tiyikk.exe
Filesize
132KB
MD5 5e89cc47cfe9f83c48d114e2e6fc14c0
SHA1 1880762c1bef75a58d9e04a0f5c7ee91204de0dc
SHA256 b311ad23de2f58800c9e3dce92462335bd2df05752f658103f62a5f303e3e657
SHA512 7df13234a743aa5f3e43e696ed18da312a59864f90d4f382ef01f7ed951ef2d4a63257f40db56ebd621e91b1829517b51e0ffe69c7e26d058d9fc5557cc3c2ca
-
memory/220-146-0x0000000000000000-mapping.dmp
-
memory/2896-141-0x0000000007EF0000-0x000000000801F000-memory.dmp
Filesize
1.2MB
-
memory/2896-148-0x0000000008500000-0x0000000008652000-memory.dmp
Filesize
1.3MB
-
memory/3352-130-0x0000000000000000-mapping.dmp
-
memory/4724-138-0x0000000001560000-0x00000000018AA000-memory.dmp
Filesize
3.3MB
-
memory/4724-140-0x0000000000FC0000-0x0000000000FD1000-memory.dmp
Filesize
68KB
-
memory/4724-136-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize
164KB
-
memory/4724-135-0x0000000000000000-mapping.dmp
-
memory/4956-142-0x0000000000000000-mapping.dmp
-
memory/4956-143-0x0000000000620000-0x0000000000647000-memory.dmp
Filesize
156KB
-
memory/4956-144-0x0000000001220000-0x0000000001249000-memory.dmp
Filesize
164KB
-
memory/4956-145-0x0000000003140000-0x000000000348A000-memory.dmp
Filesize
3.3MB
-
memory/4956-147-0x0000000002F70000-0x0000000003000000-memory.dmp
Filesize
576KB