General

Target: New purchase Order.exe
Filesize: 477KB
Completed: 21-05-2022 01:42
Task: behavioral2
Score: 10/10
MD5: dd481272bd8f9e8ca40868e4a90db854
SHA1: 8871b4d7173d89b539aa1b3e91139cb4c0ce744e
SHA256: 8edf8a8b1972c8dd05a960b7a79a7a87c8977b69b700ab9db28bab9207b8b267
SHA512: 168ed59d8f6edd7b37b44441480e59fdef67beb35487974aec59aa36852407c75d5537532f6cd0104327516fd2e0359fadb6fe56a8def782864413df341761a8

Malware Config

Extracted
Family: xloader
Version: 2.6
Campaign: a8hq

Decoy

Signatures (16)

Tactics observed: Collection, Credential Access, Defense Evasion, Discovery, Persistence

  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    Description

    suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Xloader Payload

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/4324-139-0x0000000000400000-0x000000000042B000-memory.dmp | xloader
    behavioral2/memory/4284-146-0x0000000000850000-0x000000000087B000-memory.dmp | xloader
  • Checks computer location settings
    New purchase Order.exe

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | New purchase Order.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Adds Run key to start application
    svchost.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | svchost.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZBMLBHH8RP = "C:\\Program Files (x86)\\Fb6itazi\\dbepmbxxqnj8rbmx.exe" | svchost.exe
  • Suspicious use of SetThreadContext
    New purchase Order.exe, svchost.exe

    Reported IOCs

    description | pid | process | target process
    PID 3968 set thread context of 4324 | 3968 | New purchase Order.exe | New purchase Order.exe
    PID 4324 set thread context of 3140 | 4324 | New purchase Order.exe | Explorer.EXE
    PID 4284 set thread context of 3140 | 4284 | svchost.exe | Explorer.EXE
  • Drops file in Program Files directory
    svchost.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Program Files (x86)\Fb6itazi\dbepmbxxqnj8rbmx.exe | svchost.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    3532 | schtasks.exe
  • Modifies Internet Explorer settings
    svchost.exe

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \Registry\User\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | svchost.exe
  • Suspicious behavior: EnumeratesProcesses
    New purchase Order.exe, svchost.exe

    Reported IOCs (identical rows collapsed; count given per row)

    pid | process | occurrences
    3968 | New purchase Order.exe | 3
    4324 | New purchase Order.exe | 4
    4284 | svchost.exe | 36
  • Suspicious behavior: GetForegroundWindowSpam
    Explorer.EXE

    Reported IOCs

    pid | process
    3140 | Explorer.EXE
  • Suspicious behavior: MapViewOfSection
    New purchase Order.exe, svchost.exe

    Reported IOCs (identical rows collapsed; count given per row)

    pid | process | occurrences
    4324 | New purchase Order.exe | 3
    4284 | svchost.exe | 3
  • Suspicious use of AdjustPrivilegeToken
    New purchase Order.exe, svchost.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 3968 | New purchase Order.exe
    Token: SeDebugPrivilege | 4324 | New purchase Order.exe
    Token: SeDebugPrivilege | 4284 | svchost.exe
  • Suspicious use of WriteProcessMemory
    New purchase Order.exe, Explorer.EXE, svchost.exe

    Reported IOCs (identical rows collapsed; count given per row)

    description | pid | process | target process | occurrences
    PID 3968 wrote to memory of 3532 | 3968 | New purchase Order.exe | schtasks.exe | 3
    PID 3968 wrote to memory of 4332 | 3968 | New purchase Order.exe | New purchase Order.exe | 3
    PID 3968 wrote to memory of 4324 | 3968 | New purchase Order.exe | New purchase Order.exe | 6
    PID 3140 wrote to memory of 4284 | 3140 | Explorer.EXE | svchost.exe | 3
    PID 4284 wrote to memory of 5108 | 4284 | svchost.exe | cmd.exe | 3
    PID 4284 wrote to memory of 5044 | 4284 | svchost.exe | cmd.exe | 3
    PID 4284 wrote to memory of 2408 | 4284 | svchost.exe | cmd.exe | 3
    PID 4284 wrote to memory of 2584 | 4284 | svchost.exe | Firefox.exe | 2
Processes (10)
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of WriteProcessMemory
    PID:3140
    • C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe
      "C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe"
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3968
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NADfrJFSUbwNu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE1C9.tmp"
        Creates scheduled task(s)
        PID:3532
      • C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe
        "{path}"
        PID:4332
      • C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe
        "{path}"
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        PID:4324
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4284
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe"
        PID:5108
      • C:\Windows\SysWOW64\cmd.exe
        /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
        PID:5044
      • C:\Windows\SysWOW64\cmd.exe
        /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
        PID:2408
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        PID:2584
Network

MITRE ATT&CK Matrix

Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DB1
    MD5: b608d407fc15adea97c26936bc6f03f6
    SHA1: 953e7420801c76393902c0d6bb56148947e41571
    SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
    SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

  • C:\Users\Admin\AppData\Local\Temp\DB1
    MD5: 349e6eb110e34a08924d92f6b334801d
    SHA1: bdfb289daff51890cc71697b6322aa4b35ec9169
    SHA256: c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
    SHA512: 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

  • C:\Users\Admin\AppData\Local\Temp\tmpE1C9.tmp
    MD5: 693cec7063ae8316643119c3959510df
    SHA1: be146fdbca9d655c68b2c44b0fbae3ba746f4fa8
    SHA256: 2784a2e4f37567fff37ad56df7267af05f75a88f4a1dca9ec66a1a144e760762
    SHA512: 86bfd518aabbcd2f69e062f037e7b3582a4bce5ba17b70f75335a768a2b39a80c5aee0cdfd4e72cf2149ad9bf53e1002ead2bba37861ff1c9172526c4aa1ab13
