Analysis
max time kernel: 152s
max time network: 156s
platform: windows7_x64
resource: win7-20220414-en
submitted: 25-05-2022 01:07
Static task: static1
Behavioral task: behavioral1
Sample: FINAL DOCS HBL & MBL.exe
Resource: win7-20220414-en
General
Target: FINAL DOCS HBL & MBL.exe
Size: 341KB
MD5: ed7a8355e96497207cbe18a9054419b0
SHA1: 3e3fd5958bfcca507a8bf9c228db086206f49bf2
SHA256: f2ac93d21112c60a3f5a2e0b2f86ca1b9ae688680754140d031b15752e2df6ba
SHA512: 2f9074f17d35ba1c383608803c0d62d3e669507045015f98a74d223fc38a444a102119d12b6c2b4bb3fa757215689a6b23fa1b5754dca5ccae76126ffb19523d
Malware Config
Extracted
Family: xloader
Version: 2.6
Campaign: ygkp
C2 (65 domains):
cbdlively.com
1nfo-post.com
janejohnsonlmt.com
autotradecryptoswithjack.com
mustang-international.net
dreamthorp.com
alexandratanner.net
exilings.com
gzjdgjg.com
51minzhu.com
wgv.info
raymondjamesconsult.com
omariblair.com
vaalerahealth.com
outdoorvoiceshop.com
spbo.info
blasiandating.online
c01-cdn48-oxble.xyz
mrmycology.com
installturbooax.com
duoxiyuemy.com
creativeartwithcarol.com
jasonatenphotography.net
hhcstarusa.com
91itaogo.com
itubini.com
trypetinsure.com
koushi3737.com
gujiufz.xyz
nereklam.com
greenlandtours.net
furrycutiepet.com
boredmilady.xyz
thepromenadeboutique.com
antoinevigne.com
affinityassurance.ltd
trmstudiotx.com
ganeshpyropark.com
rivaln.net
loupsychiatry.com
ballenasnegras.store
treylonburksjersey.com
cumannstaire.com
vintagemuseumct.com
reich-consulting.com
emmagabriele.com
form4506-t.net
al-muhamdi.com
ggmaprimarycare.com
q0fagmy6x5ctmxn6vykr.com
nqted.com
rebelsoflove.life
birdiecrafts.site
acrostical.info
usarealshop.com
d908.red
vspashkapolya.store
locksmith---pasadena.com
itooktheorangepill.com
findachristianbusiness.com
authorlanijames.com
cryptoreportfraud.com
idolovetheusa.com
moicapitaine.com
southwestcancer.com
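The extracted config above is the part of this report most directly usable for detection. What follows is an added Python example, not part of the sandbox report: a hunt over resolver log lines that matches queried names against the 65 config domains, walking label suffixes so that a subdomain of a listed domain hits while a name that merely contains one as a substring does not. Two caveats a practitioner should carry: Xloader/FormBook configs deliberately mix the live C2 with decoy domains, so a hit means the host resolved a name from this sample's config, not that the domain's owner is the attacker; and the `query=` log line shape and the sample lines are constructed for the example, so adapt the regex to the real DNS or proxy source.

```python
import re
from typing import Iterable, List, Optional, Tuple

# The 65 C2 candidates from the report's extracted Xloader 2.6 config (campaign id "ygkp").
# FormBook/Xloader configs mix one live C2 with decoy domains, so treat a hit as
# "this host resolved a name from the sample's config" and nothing stronger.
XLOADER_CONFIG_DOMAINS = frozenset("""
cbdlively.com 1nfo-post.com janejohnsonlmt.com autotradecryptoswithjack.com mustang-international.net
dreamthorp.com alexandratanner.net exilings.com gzjdgjg.com 51minzhu.com
wgv.info raymondjamesconsult.com omariblair.com vaalerahealth.com outdoorvoiceshop.com
spbo.info blasiandating.online c01-cdn48-oxble.xyz mrmycology.com installturbooax.com
duoxiyuemy.com creativeartwithcarol.com jasonatenphotography.net hhcstarusa.com 91itaogo.com
itubini.com trypetinsure.com koushi3737.com gujiufz.xyz nereklam.com
greenlandtours.net furrycutiepet.com boredmilady.xyz thepromenadeboutique.com antoinevigne.com
affinityassurance.ltd trmstudiotx.com ganeshpyropark.com rivaln.net loupsychiatry.com
ballenasnegras.store treylonburksjersey.com cumannstaire.com vintagemuseumct.com reich-consulting.com
emmagabriele.com form4506-t.net al-muhamdi.com ggmaprimarycare.com q0fagmy6x5ctmxn6vykr.com
nqted.com rebelsoflove.life birdiecrafts.site acrostical.info usarealshop.com
d908.red vspashkapolya.store locksmith---pasadena.com itooktheorangepill.com findachristianbusiness.com
authorlanijames.com cryptoreportfraud.com idolovetheusa.com moicapitaine.com southwestcancer.com
""".split())


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot a resolver log may carry (e.g. 'gzjdgjg.com.')."""
    return name.strip().rstrip(".").lower()


def matching_domain(query: str, watchlist=XLOADER_CONFIG_DOMAINS) -> Optional[str]:
    """Return the watchlist entry that `query` equals or is a subdomain of, else None.

    Walks label suffixes, so www.cbdlively.com matches cbdlively.com while
    notcbdlively.com does not; a plain substring check would get the latter wrong.
    """
    labels = normalize(query).split(".")
    for i in range(len(labels) - 1):          # never test a bare TLD
        suffix = ".".join(labels[i:])
        if suffix in watchlist:
            return suffix
    return None


# Constructed log-line shape for the example (assumption): a "query=<name>" field per line.
QUERY_FIELD = re.compile(r"\bquery=(?P<qname>\S+)")


def hunt_dns_log(lines: Iterable[str], watchlist=XLOADER_CONFIG_DOMAINS) -> List[Tuple[str, str]]:
    """Return (queried_name, matched_config_domain) for every line that hits the watchlist."""
    hits = []
    for line in lines:
        m = QUERY_FIELD.search(line)
        if not m:
            continue                          # lines without a query field are skipped
        matched = matching_domain(m.group("qname"), watchlist)
        if matched:
            hits.append((normalize(m.group("qname")), matched))
    return hits


# Constructed sample lines (not from the report): two true hits, one near-miss, one benign, one malformed.
SAMPLE_DNS_LOG = [
    "2022-05-25T01:08:02Z host=WS01 query=www.cbdlively.com type=A",
    "2022-05-25T01:08:03Z host=WS01 query=gzjdgjg.com. type=A",
    "2022-05-25T01:08:04Z host=WS02 query=notcbdlively.com type=A",
    "2022-05-25T01:08:05Z host=WS02 query=ctldl.windowsupdate.com type=A",
    "2022-05-25T01:08:06Z host=WS02 malformed line without a query field",
]

if __name__ == "__main__":
    for qname, matched in hunt_dns_log(SAMPLE_DNS_LOG):
        print(f"HIT {qname} -> config domain {matched}")
```

The suffix walk is the part worth keeping when porting this to a SIEM: a `contains` match on the raw domain list produces false positives on any name that happens to embed one of these strings, and a strict equality match misses the `www.` and CDN-style subdomains the injected process may actually query.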
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 4 IoCs
resource  yara_rule
behavioral1/memory/1524-64-0x000000000041F350-mapping.dmp  xloader
behavioral1/memory/1524-63-0x0000000000400000-0x000000000042B000-memory.dmp  xloader
behavioral1/memory/1524-67-0x0000000000400000-0x000000000042B000-memory.dmp  xloader
behavioral1/memory/1376-74-0x0000000000080000-0x00000000000AB000-memory.dmp  xloader
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes: msdt.exe
description  ioc  process
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run  msdt.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YNBT9Z_H1NY8 = "C:\\Program Files (x86)\\Bkt_tnhq8\\systray2d9l_r.exe"  msdt.exe
-
Executes dropped EXE 2 IoCs
Processes: gggedibw.exe
pid  process
700  gggedibw.exe
1524  gggedibw.exe
-
Loads dropped DLL 2 IoCs
Processes: FINAL DOCS HBL & MBL.exe, gggedibw.exe
pid  process
1972  FINAL DOCS HBL & MBL.exe
700  gggedibw.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes: gggedibw.exe, msdt.exe
description  pid  process  target process
PID 700 set thread context of 1524  700  gggedibw.exe  1524 gggedibw.exe
PID 1524 set thread context of 1292  1524  gggedibw.exe  1292 Explorer.EXE
PID 1376 set thread context of 1292  1376  msdt.exe  1292 Explorer.EXE
-
Drops file in Program Files directory 1 IoCs
Processes: msdt.exe
description  ioc  process
File opened for modification  C:\Program Files (x86)\Bkt_tnhq8\systray2d9l_r.exe  msdt.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 IoCs
Processes: msdt.exe
description  ioc  process
Key created  \Registry\User\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  msdt.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid  process  (occurrences)
1524  gggedibw.exe  (2)
1376  msdt.exe  (18)
-
Suspicious behavior: MapViewOfSection 7 IoCs
pid  process  (occurrences)
1524  gggedibw.exe  (3)
1376  msdt.exe  (4)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description  pid  process
Token: SeDebugPrivilege  1524  gggedibw.exe
Token: SeDebugPrivilege  1376  msdt.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid  process  (occurrences)
1292  Explorer.EXE  (2)
-
Suspicious use of SendNotifyMessage 2 IoCs
pid  process  (occurrences)
1292  Explorer.EXE  (2)
-
Suspicious use of WriteProcessMemory 24 IoCs
description  pid  process  target process  (occurrences)
PID 1972 wrote to memory of 700  1972  FINAL DOCS HBL & MBL.exe  700 gggedibw.exe  (4)
PID 700 wrote to memory of 1524  700  gggedibw.exe  1524 gggedibw.exe  (7)
PID 1292 wrote to memory of 1376  1292  Explorer.EXE  1376 msdt.exe  (4)
PID 1376 wrote to memory of 1728  1376  msdt.exe  1728 cmd.exe  (4)
PID 1376 wrote to memory of 828  1376  msdt.exe  828 Firefox.exe  (5)
Processes
-
C:\Windows\Explorer.EXE (PID 1292)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\FINAL DOCS HBL & MBL.exe (PID 1972)
    command line: "C:\Users\Admin\AppData\Local\Temp\FINAL DOCS HBL & MBL.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\gggedibw.exe (PID 700)
      command line: C:\Users\Admin\AppData\Local\Temp\gggedibw.exe C:\Users\Admin\AppData\Local\Temp\mjfsqpy
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\gggedibw.exe (PID 1524)
        command line: C:\Users\Admin\AppData\Local\Temp\gggedibw.exe C:\Users\Admin\AppData\Local\Temp\mjfsqpy
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\msdt.exe (PID 1376)
    command line: "C:\Windows\SysWOW64\msdt.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 1728)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\gggedibw.exe"
    C:\Program Files\Mozilla Firefox\Firefox.exe (PID 828)
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\gggedibw.exe (also recorded as \Users\Admin\AppData\Local\Temp\gggedibw.exe; the report lists this file five times with identical hashes)
Filesize: 184KB
MD5: aae9f5343cef252e1c7b4a1a3028b83d
SHA1: 5d33892c4c69018e75ab7918e857998b53078466
SHA256: 5735f76f9f15637509f0cb6e3ee057a7e19084b10e9e133be03e2fefcc23db6e
SHA512: 1e6cd04fc9d69a5933cb8064489e35b6c2719c81dc30a405a050f0b975db629b3843fc2d576c217bb81bb12b5508dc001b894f926a2ac19b16a5b17f21aed659
-
C:\Users\Admin\AppData\Local\Temp\jqiv3bn3ymt6ac8jm7
Filesize: 171KB
MD5: 1148683cca7b93d4a8c4bae984e56f25
SHA1: 69a040267d63e9f4df5a30e70eceaddbd97c063a
SHA256: 283f659c8ebb71ad404509a287945444d5e02c335ba02b86ba185199d9d37b46
SHA512: d559f25048a302c6b6b45e7f4f0ea10b0925160c99c904daff151426606de83dc5199298a871c3ba4777475e761f4e812c1a7ab747c76eba68d5c4d000cae007
-
C:\Users\Admin\AppData\Local\Temp\mjfsqpy
Filesize: 5KB
MD5: 42d16384fa40f41309ee20f10da5838a
SHA1: 8c94a48b1cf661f67c39ff649f306d6ec3809dce
SHA256: b435dbb39f235eefdd4b1fc8f54156376914d2cd19ab63f7a0efbf8ba4a41a94
SHA512: 868a0f3e18005010bd79493b28c7e32b1c8c4d225db92aa7dfece7762ce08981db74746291d57619f12c7a5386ad4dfb2d43984873376a8b7792741e24a67b6d
-
memory/700-56-0x0000000000000000-mapping.dmp
memory/1292-70-0x0000000006990000-0x0000000006AEA000-memory.dmp  Filesize: 1.4MB
memory/1292-78-0x0000000006E40000-0x0000000006F74000-memory.dmp  Filesize: 1.2MB
memory/1376-75-0x00000000021E0000-0x00000000024E3000-memory.dmp  Filesize: 3.0MB
memory/1376-71-0x0000000000000000-mapping.dmp
memory/1376-74-0x0000000000080000-0x00000000000AB000-memory.dmp  Filesize: 172KB
memory/1376-73-0x0000000000B50000-0x0000000000C44000-memory.dmp  Filesize: 976KB
memory/1376-77-0x0000000000A00000-0x0000000000A90000-memory.dmp  Filesize: 576KB
memory/1524-67-0x0000000000400000-0x000000000042B000-memory.dmp  Filesize: 172KB
memory/1524-69-0x0000000000190000-0x00000000001A1000-memory.dmp  Filesize: 68KB
memory/1524-68-0x0000000000D90000-0x0000000001093000-memory.dmp  Filesize: 3.0MB
memory/1524-63-0x0000000000400000-0x000000000042B000-memory.dmp  Filesize: 172KB
memory/1524-64-0x000000000041F350-mapping.dmp
memory/1728-76-0x0000000000000000-mapping.dmp
memory/1972-54-0x0000000076721000-0x0000000076723000-memory.dmp  Filesize: 8KB