Analysis
  max time kernel: 148s
  max time network: 153s
  platform: windows10-2004_x64
  resource: win10v2004-20220414-en
  submitted: 21-05-2022 00:13

Static task: static1
Behavioral task: behavioral1
  Sample: R00127789.exe
  Resource: win7-20220414-en

General
  Target: R00127789.exe
  Size: 754KB
  MD5: 5ade5905aebb3d0f6cafd3d36c01927b
  SHA1: 8b5f6901647c9f17114e3092fc2b226c7478121d
  SHA256: d10a6b48293d226a0700a84f7dc756fe50c78a9d167500e3b3c763781c52b006
  SHA512: c2e324286d7a819f9dc228b51258e888db980fbdd5a05171bd25ba6c742b3ff71d285db095ab7d577f620f8a3e5baba0c863154d4f63df6e5b1e0241362421a4
Malware Config
  Extracted
  Family: xloader
  Version: 2.5
  Campaign: mjup
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload 2 IoCs
  Processes (resource / yara_rule):
    behavioral2/memory/908-137-0x0000000000400000-0x000000000042A000-memory.dmp   xloader
    behavioral2/memory/3652-147-0x0000000001110000-0x000000000113A000-memory.dmp  xloader

Blocklisted process makes network request 1 IoCs
  Processes (flow / pid / process):
    67  3652  cmd.exe

Executes dropped EXE 1 IoCs
  Processes (pid / process):
    908  AddInProcess32.exe

Suspicious use of SetThreadContext 3 IoCs
  Processes (description / pid / process / target process):
    PID 3928 set thread context of 908   3928  R00127789.exe       AddInProcess32.exe
    PID 908 set thread context of 3020   908   AddInProcess32.exe  Explorer.EXE
    PID 3652 set thread context of 3020  3652  cmd.exe             Explorer.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs
  Processes (pid / process), with the number of times each entry is listed:
    3928  R00127789.exe       (2)
    908   AddInProcess32.exe  (4)
    3652  cmd.exe             (42)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  Processes (pid / process):
    3020  Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs
  Processes (pid / process), with the number of times each entry is listed:
    908   AddInProcess32.exe  (3)
    3652  cmd.exe             (2)

Suspicious use of AdjustPrivilegeToken 3 IoCs
  Processes (description / pid / process):
    Token: SeDebugPrivilege  3928  R00127789.exe
    Token: SeDebugPrivilege  908   AddInProcess32.exe
    Token: SeDebugPrivilege  3652  cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs
  Processes (description / pid / process / target process), with the number of times each entry is listed:
    PID 3928 wrote to memory of 908   3928  R00127789.exe  AddInProcess32.exe  (6)
    PID 3020 wrote to memory of 3652  3020  Explorer.EXE   cmd.exe             (3)
    PID 3652 wrote to memory of 3508  3652  cmd.exe        cmd.exe             (3)
Processes
  (depth 1) C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory

    (depth 2) C:\Users\Admin\AppData\Local\Temp\R00127789.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\R00127789.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      (depth 3) C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

    (depth 2) C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\SysWOW64\cmd.exe"
      - Blocklisted process makes network request
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      (depth 3) C:\Windows\SysWOW64\cmd.exe
        command line: /c del "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
Downloads
  C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    Filesize: 42KB
    MD5: 9827ff3cdf4b83f9c86354606736ca9c
    SHA1: e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723
    SHA256: c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a
    SHA512: 8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579
  memory/908-139-0x00000000012C0000-0x000000000160A000-memory.dmp    Filesize: 3.3MB
  memory/908-141-0x0000000001610000-0x0000000001621000-memory.dmp    Filesize: 68KB
  memory/908-136-0x0000000000000000-mapping.dmp
  memory/908-137-0x0000000000400000-0x000000000042A000-memory.dmp    Filesize: 168KB
  memory/3020-150-0x0000000008110000-0x0000000008249000-memory.dmp   Filesize: 1.2MB
  memory/3020-142-0x0000000003110000-0x0000000003208000-memory.dmp   Filesize: 992KB
  memory/3508-145-0x0000000000000000-mapping.dmp
  memory/3652-146-0x00000000001B0000-0x000000000020A000-memory.dmp   Filesize: 360KB
  memory/3652-143-0x0000000000000000-mapping.dmp
  memory/3652-147-0x0000000001110000-0x000000000113A000-memory.dmp   Filesize: 168KB
  memory/3652-148-0x0000000001970000-0x0000000001CBA000-memory.dmp   Filesize: 3.3MB
  memory/3652-149-0x00000000017D0000-0x0000000001860000-memory.dmp   Filesize: 576KB
  memory/3928-135-0x00000000114B0000-0x00000000114D2000-memory.dmp   Filesize: 136KB
  memory/3928-134-0x0000000008B50000-0x0000000008B5A000-memory.dmp   Filesize: 40KB
  memory/3928-133-0x0000000005580000-0x0000000005612000-memory.dmp   Filesize: 584KB
  memory/3928-132-0x0000000005A90000-0x0000000006034000-memory.dmp   Filesize: 5.6MB
  memory/3928-130-0x00000000009B0000-0x0000000000A72000-memory.dmp   Filesize: 776KB
  memory/3928-131-0x0000000005440000-0x00000000054DC000-memory.dmp   Filesize: 624KB