Analysis
-
max time kernel
148s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 01:39
Static task
static1
Behavioral task
behavioral1
Sample
New purchase Order.exe
Resource
win7-20220414-en
General
-
Target
New purchase Order.exe
-
Size
477KB
-
MD5
dd481272bd8f9e8ca40868e4a90db854
-
SHA1
8871b4d7173d89b539aa1b3e91139cb4c0ce744e
-
SHA256
8edf8a8b1972c8dd05a960b7a79a7a87c8977b69b700ab9db28bab9207b8b267
-
SHA512
168ed59d8f6edd7b37b44441480e59fdef67beb35487974aec59aa36852407c75d5537532f6cd0104327516fd2e0359fadb6fe56a8def782864413df341761a8
Malware Config
Extracted
xloader
2.6
a8hq
veteransductcleaning.com
beajtjunkies.com
houseofascofi.com
scottsdalemediator.com
atelyadesign.com
profitcase.pro
imtokenio.club
qinglingpai.com
bigsmile-meal.net
daytonlivestream.com
aspiradores10.online
ytybs120.com
hdatelier.com
bearpierce.com
yeson28ca.com
booklearner.com
m8j9.club
mmophamthinhlegend.space
hq4a7o6zb.com
sophiadaki.online
sunraiz.site
calorieup.com
vighneshequipments.com
695522z.xyz
xjfhkjy.com
jcpractice.xyz
micahriffle.com
babiezarena.com
heythatstony.com
bmtjt.com
aete.info
yeyeps.com
chafaouihicham.com
globalider.com
uwksu.com
jimmy.technology
theveatchplantation.com
devondarcy.com
suburbpaw.online
ballsfashion.com
devsecops-maturity-analysis.net
naturealizarte.com
jpvuy.icu
algoworksconsulting.com
51jzsy.com
the-arboretum.net
sportsmachine.xyz
kemanewright.com
transporteslatinoberlin.com
multirollup.xyz
anaconda-otome.xyz
cheneiz.net
hillsbororosewoodresidences.com
sanphamgiadinh.xyz
xml-ott.com
aimdistributors.net
powergenaku.com
pt24lotto.info
healthyaging.partners
westsuits.com
decentralwebapp.online
mytropicaldreams.com
pravit-ball.online
northern-lights.info
simcondo.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/4324-139-0x0000000000400000-0x000000000042B000-memory.dmp xloader behavioral2/memory/4284-146-0x0000000000850000-0x000000000087B000-memory.dmp xloader -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
New purchase Order.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation New purchase Order.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
svchost.exedescription ioc process Key created \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZBMLBHH8RP = "C:\\Program Files (x86)\\Fb6itazi\\dbepmbxxqnj8rbmx.exe" svchost.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
New purchase Order.exeNew purchase Order.exesvchost.exedescription pid process target process PID 3968 set thread context of 4324 3968 New purchase Order.exe New purchase Order.exe PID 4324 set thread context of 3140 4324 New purchase Order.exe Explorer.EXE PID 4284 set thread context of 3140 4284 svchost.exe Explorer.EXE -
Drops file in Program Files directory 1 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Program Files (x86)\Fb6itazi\dbepmbxxqnj8rbmx.exe svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Processes:
svchost.exedescription ioc process Key created \Registry\User\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 svchost.exe -
Suspicious behavior: EnumeratesProcesses 43 IoCs
Processes:
New purchase Order.exeNew purchase Order.exesvchost.exepid process 3968 New purchase Order.exe 3968 New purchase Order.exe 3968 New purchase Order.exe 4324 New purchase Order.exe 4324 New purchase Order.exe 4324 New purchase Order.exe 4324 New purchase Order.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 3140 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
New purchase Order.exesvchost.exepid process 4324 New purchase Order.exe 4324 New purchase Order.exe 4324 New purchase Order.exe 4284 svchost.exe 4284 svchost.exe 4284 svchost.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
New purchase Order.exeNew purchase Order.exesvchost.exedescription pid process Token: SeDebugPrivilege 3968 New purchase Order.exe Token: SeDebugPrivilege 4324 New purchase Order.exe Token: SeDebugPrivilege 4284 svchost.exe -
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
New purchase Order.exeExplorer.EXEsvchost.exedescription pid process target process PID 3968 wrote to memory of 3532 3968 New purchase Order.exe schtasks.exe PID 3968 wrote to memory of 3532 3968 New purchase Order.exe schtasks.exe PID 3968 wrote to memory of 3532 3968 New purchase Order.exe schtasks.exe PID 3968 wrote to memory of 4332 3968 New purchase Order.exe New purchase Order.exe PID 3968 wrote to memory of 4332 3968 New purchase Order.exe New purchase Order.exe PID 3968 wrote to memory of 4332 3968 New purchase Order.exe New purchase Order.exe PID 3968 wrote to memory of 4324 3968 New purchase Order.exe New purchase Order.exe PID 3968 wrote to memory of 4324 3968 New purchase Order.exe New purchase Order.exe PID 3968 wrote to memory of 4324 3968 New purchase Order.exe New purchase Order.exe PID 3968 wrote to memory of 4324 3968 New purchase Order.exe New purchase Order.exe PID 3968 wrote to memory of 4324 3968 New purchase Order.exe New purchase Order.exe PID 3968 wrote to memory of 4324 3968 New purchase Order.exe New purchase Order.exe PID 3140 wrote to memory of 4284 3140 Explorer.EXE svchost.exe PID 3140 wrote to memory of 4284 3140 Explorer.EXE svchost.exe PID 3140 wrote to memory of 4284 3140 Explorer.EXE svchost.exe PID 4284 wrote to memory of 5108 4284 svchost.exe cmd.exe PID 4284 wrote to memory of 5108 4284 svchost.exe cmd.exe PID 4284 wrote to memory of 5108 4284 svchost.exe cmd.exe PID 4284 wrote to memory of 5044 4284 svchost.exe cmd.exe PID 4284 wrote to memory of 5044 4284 svchost.exe cmd.exe PID 4284 wrote to memory of 5044 4284 svchost.exe cmd.exe PID 4284 wrote to memory of 2408 4284 svchost.exe cmd.exe PID 4284 wrote to memory of 2408 4284 svchost.exe cmd.exe PID 4284 wrote to memory of 2408 4284 svchost.exe cmd.exe PID 4284 wrote to memory of 2584 4284 svchost.exe Firefox.exe PID 4284 wrote to memory of 2584 4284 svchost.exe Firefox.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe"C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe"2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NADfrJFSUbwNu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE1C9.tmp"3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe"{path}"3⤵
-
C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe"{path}"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\SysWOW64\svchost.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V3⤵
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V3⤵
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\DB1Filesize
40KB
MD5b608d407fc15adea97c26936bc6f03f6
SHA1953e7420801c76393902c0d6bb56148947e41571
SHA256b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Local\Temp\DB1Filesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
C:\Users\Admin\AppData\Local\Temp\tmpE1C9.tmpFilesize
1KB
MD5693cec7063ae8316643119c3959510df
SHA1be146fdbca9d655c68b2c44b0fbae3ba746f4fa8
SHA2562784a2e4f37567fff37ad56df7267af05f75a88f4a1dca9ec66a1a144e760762
SHA51286bfd518aabbcd2f69e062f037e7b3582a4bce5ba17b70f75335a768a2b39a80c5aee0cdfd4e72cf2149ad9bf53e1002ead2bba37861ff1c9172526c4aa1ab13
-
memory/2408-153-0x0000000000000000-mapping.dmp
-
memory/3140-143-0x0000000008040000-0x000000000818F000-memory.dmpFilesize
1.3MB
-
memory/3140-150-0x0000000007B60000-0x0000000007CA8000-memory.dmpFilesize
1.3MB
-
memory/3532-135-0x0000000000000000-mapping.dmp
-
memory/3968-134-0x00000000053D0000-0x00000000053DA000-memory.dmpFilesize
40KB
-
memory/3968-131-0x00000000059F0000-0x0000000005F94000-memory.dmpFilesize
5.6MB
-
memory/3968-132-0x0000000005440000-0x00000000054D2000-memory.dmpFilesize
584KB
-
memory/3968-133-0x00000000054E0000-0x000000000557C000-memory.dmpFilesize
624KB
-
memory/3968-130-0x00000000009D0000-0x0000000000A4E000-memory.dmpFilesize
504KB
-
memory/4284-149-0x0000000000F70000-0x0000000001000000-memory.dmpFilesize
576KB
-
memory/4284-144-0x0000000000000000-mapping.dmp
-
memory/4284-145-0x0000000000220000-0x000000000022E000-memory.dmpFilesize
56KB
-
memory/4284-146-0x0000000000850000-0x000000000087B000-memory.dmpFilesize
172KB
-
memory/4284-147-0x0000000001300000-0x000000000164A000-memory.dmpFilesize
3.3MB
-
memory/4324-139-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/4324-142-0x0000000000D40000-0x0000000000D51000-memory.dmpFilesize
68KB
-
memory/4324-140-0x0000000001340000-0x000000000168A000-memory.dmpFilesize
3.3MB
-
memory/4324-138-0x0000000000000000-mapping.dmp
-
memory/4332-137-0x0000000000000000-mapping.dmp
-
memory/5044-151-0x0000000000000000-mapping.dmp
-
memory/5108-148-0x0000000000000000-mapping.dmp