General
Target: New purchase Order.exe
Filesize: 477KB
Completed: 21-05-2022 01:44
Task: behavioral2
Score: 10/10
MD5: dd481272bd8f9e8ca40868e4a90db854
SHA1: 8871b4d7173d89b539aa1b3e91139cb4c0ce744e
SHA256: 8edf8a8b1972c8dd05a960b7a79a7a87c8977b69b700ab9db28bab9207b8b267
SHA512: 168ed59d8f6edd7b37b44441480e59fdef67beb35487974aec59aa36852407c75d5537532f6cd0104327516fd2e0359fadb6fe56a8def782864413df341761a8

Malware Config (extracted)
Family: xloader
Version: 2.6
Campaign: a8hq
Decoy: 50 decoy domains extracted from the config


Signatures 12

  • Xloader
    Description: Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)
    Description: suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Xloader Payload
    Reported IOCs (resource | yara_rule):
    behavioral2/memory/4760-139-0x0000000000400000-0x000000000042B000-memory.dmp | xloader
    behavioral2/memory/4760-141-0x0000000000400000-0x000000000042B000-memory.dmp | xloader
    behavioral2/memory/2304-147-0x0000000000F40000-0x0000000000F6B000-memory.dmp | xloader

  • Blocklisted process makes network request
    Processes: cscript.exe
    Reported IOCs (flow | pid | process):
    80 | 2304 | cscript.exe

  • Checks computer location settings
    Processes: New purchase Order.exe
    Description: Looks up country code configured in the registry, likely geofence.
    TTPs: Query Registry; System Information Discovery
    Reported IOCs (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | New purchase Order.exe

  • Suspicious use of SetThreadContext
    Processes: New purchase Order.exe, New purchase Order.exe, cscript.exe
    Reported IOCs (description | pid | process | target process):
    PID 3092 set thread context of 4760 | 3092 | New purchase Order.exe | New purchase Order.exe
    PID 4760 set thread context of 3148 | 4760 | New purchase Order.exe | Explorer.EXE
    PID 2304 set thread context of 3148 | 2304 | cscript.exe | Explorer.EXE

  • Enumerates physical storage devices
    Description: Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
    TTPs: System Information Discovery

  • Creates scheduled task(s)
    Processes: schtasks.exe
    Description: Schtasks is often used by malware for persistence or to perform post-infection execution.
    TTPs: Scheduled Task
    Reported IOCs (pid | process):
    3600 | schtasks.exe

  • Suspicious behavior: EnumeratesProcesses
    Processes: New purchase Order.exe, New purchase Order.exe, cscript.exe
    Reported IOCs (pid | process | occurrences):
    3092 | New purchase Order.exe | 3
    4760 | New purchase Order.exe | 4
    2304 | cscript.exe | 24

  • Suspicious behavior: MapViewOfSection
    Processes: New purchase Order.exe, cscript.exe
    Reported IOCs (pid | process | occurrences):
    4760 | New purchase Order.exe | 3
    2304 | cscript.exe | 2

  • Suspicious use of AdjustPrivilegeToken
    Processes: New purchase Order.exe, New purchase Order.exe, cscript.exe
    Reported IOCs (description | pid | process):
    Token: SeDebugPrivilege | 3092 | New purchase Order.exe
    Token: SeDebugPrivilege | 4760 | New purchase Order.exe
    Token: SeDebugPrivilege | 2304 | cscript.exe

  • Suspicious use of WriteProcessMemory
    Processes: New purchase Order.exe, Explorer.EXE, cscript.exe
    Reported IOCs (description | pid | process | target process | occurrences):
    PID 3092 wrote to memory of 3600 | 3092 | New purchase Order.exe | schtasks.exe | 3
    PID 3092 wrote to memory of 5112 | 3092 | New purchase Order.exe | New purchase Order.exe | 3
    PID 3092 wrote to memory of 4760 | 3092 | New purchase Order.exe | New purchase Order.exe | 6
    PID 3148 wrote to memory of 2304 | 3148 | Explorer.EXE | cscript.exe | 3
    PID 2304 wrote to memory of 204 | 2304 | cscript.exe | cmd.exe | 3
Processes 7
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Suspicious use of WriteProcessMemory
    PID:3148
    • C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe
      "C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe"
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3092
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NADfrJFSUbwNu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9078.tmp"
        Creates scheduled task(s)
        PID:3600
      • C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe
        "{path}"
        PID:5112
      • C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe
        "{path}"
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        PID:4760
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      Blocklisted process makes network request
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2304
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe"
        PID:204
Network
MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Downloads
  • C:\Users\Admin\AppData\Local\Temp\tmp9078.tmp
    MD5: 693cec7063ae8316643119c3959510df
    SHA1: be146fdbca9d655c68b2c44b0fbae3ba746f4fa8
    SHA256: 2784a2e4f37567fff37ad56df7267af05f75a88f4a1dca9ec66a1a144e760762
    SHA512: 86bfd518aabbcd2f69e062f037e7b3582a4bce5ba17b70f75335a768a2b39a80c5aee0cdfd4e72cf2149ad9bf53e1002ead2bba37861ff1c9172526c4aa1ab13
  • memory/204-148-0x0000000000000000-mapping.dmp
  • memory/2304-147-0x0000000000F40000-0x0000000000F6B000-memory.dmp
  • memory/2304-146-0x0000000000070000-0x0000000000097000-memory.dmp
  • memory/2304-149-0x0000000002F50000-0x000000000329A000-memory.dmp
  • memory/2304-150-0x0000000002DB0000-0x0000000002E40000-memory.dmp
  • memory/2304-145-0x0000000000000000-mapping.dmp
  • memory/3092-134-0x00000000057F0000-0x00000000057FA000-memory.dmp
  • memory/3092-133-0x0000000005900000-0x000000000599C000-memory.dmp
  • memory/3092-132-0x0000000005850000-0x00000000058E2000-memory.dmp
  • memory/3092-130-0x0000000000DF0000-0x0000000000E6E000-memory.dmp
  • memory/3092-131-0x0000000005EB0000-0x0000000006454000-memory.dmp
  • memory/3148-144-0x0000000008250000-0x00000000083E2000-memory.dmp
  • memory/3148-151-0x0000000002720000-0x0000000002855000-memory.dmp
  • memory/3600-135-0x0000000000000000-mapping.dmp
  • memory/4760-143-0x0000000001930000-0x0000000001941000-memory.dmp
  • memory/4760-142-0x00000000015C0000-0x000000000190A000-memory.dmp
  • memory/4760-139-0x0000000000400000-0x000000000042B000-memory.dmp
  • memory/4760-138-0x0000000000000000-mapping.dmp
  • memory/4760-141-0x0000000000400000-0x000000000042B000-memory.dmp
  • memory/5112-137-0x0000000000000000-mapping.dmp