Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 25-05-2022 01:07

Static task: static1
Behavioral task: behavioral1 (Sample: FINAL DOCS HBL & MBL.exe, Resource: win7-20220414-en)
General
Target: FINAL DOCS HBL & MBL.exe
Size: 341KB
MD5: ed7a8355e96497207cbe18a9054419b0
SHA1: 3e3fd5958bfcca507a8bf9c228db086206f49bf2
SHA256: f2ac93d21112c60a3f5a2e0b2f86ca1b9ae688680754140d031b15752e2df6ba
SHA512: 2f9074f17d35ba1c383608803c0d62d3e669507045015f98a74d223fc38a444a102119d12b6c2b4bb3fa757215689a6b23fa1b5754dca5ccae76126ffb19523d
Malware Config
Extracted
Family: xloader
Version: 2.6
Campaign: ygkp
C2 (65 domains). XLoader inherits FormBook's configuration layout of one live C2 plus 64 decoy domains, and the sample sends traffic to decoys as well as to the live server, so a hit on any entry below identifies an infected host but does not tell you which entry is the real C2:
cbdlively.com
1nfo-post.com
janejohnsonlmt.com
autotradecryptoswithjack.com
mustang-international.net
dreamthorp.com
alexandratanner.net
exilings.com
gzjdgjg.com
51minzhu.com
wgv.info
raymondjamesconsult.com
omariblair.com
vaalerahealth.com
outdoorvoiceshop.com
spbo.info
blasiandating.online
c01-cdn48-oxble.xyz
mrmycology.com
installturbooax.com
duoxiyuemy.com
creativeartwithcarol.com
jasonatenphotography.net
hhcstarusa.com
91itaogo.com
itubini.com
trypetinsure.com
koushi3737.com
gujiufz.xyz
nereklam.com
greenlandtours.net
furrycutiepet.com
boredmilady.xyz
thepromenadeboutique.com
antoinevigne.com
affinityassurance.ltd
trmstudiotx.com
ganeshpyropark.com
rivaln.net
loupsychiatry.com
ballenasnegras.store
treylonburksjersey.com
cumannstaire.com
vintagemuseumct.com
reich-consulting.com
emmagabriele.com
form4506-t.net
al-muhamdi.com
ggmaprimarycare.com
q0fagmy6x5ctmxn6vykr.com
nqted.com
rebelsoflove.life
birdiecrafts.site
acrostical.info
usarealshop.com
d908.red
vspashkapolya.store
locksmith---pasadena.com
itooktheorangepill.com
findachristianbusiness.com
authorlanijames.com
cryptoreportfraud.com
idolovetheusa.com
moicapitaine.com
southwestcancer.com
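As an added example that is not part of the sandbox report: matching DNS query logs against the extracted C2 list. It uses a handful of the domains above (paste the full list in practice) and constructed log lines; the suffix-walk matcher is this example's own logic. Because 64 of the 65 entries are decoys that the sample also contacts, a match identifies an infected host rather than the live C2.

```python
"""Match DNS query logs against the C2 list extracted from this sample.

Added example; it is not part of the sandbox report. C2_DOMAINS holds a
subset of the 65 domains in the report's Malware Config (paste the full
list in practice). SAMPLE_DNS_LOG is constructed for the demo.
"""
import re

C2_DOMAINS = [
    "cbdlively.com", "1nfo-post.com", "janejohnsonlmt.com",
    "mustang-international.net", "locksmith---pasadena.com", "southwestcancer.com",
]

# Constructed log lines in a generic key=value resolver format.
SAMPLE_DNS_LOG = """\
2022-05-25T01:08:02Z host=WS-17 query=www.cbdlively.com type=A
2022-05-25T01:08:03Z host=WS-17 query=CBDLIVELY.COM. type=A
2022-05-25T01:08:05Z host=WS-17 query=notcbdlively.com type=A
2022-05-25T01:08:09Z host=WS-22 query=update.microsoft.com type=A
2022-05-25T01:08:11Z host=WS-17 query=api.1nfo-post.com type=AAAA
"""

QUERY_RE = re.compile(r"host=(?P<host>\S+)\s+query=(?P<qname>\S+)")


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def build_index(domains):
    return {normalize(d) for d in domains}


def matches_c2(qname, index):
    """Return the C2 apex that qname equals or sits under, else None.

    Walks label suffixes so www.cbdlively.com hits cbdlively.com while
    notcbdlively.com does not; a plain substring test would match both.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in index:
            return candidate
    return None


def scan_dns_log(log_text, domains):
    """Return (host, qname, matched_c2) for every query that hits the list."""
    index = build_index(domains)
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        apex = matches_c2(m["qname"], index)
        if apex:
            hits.append((m["host"], m["qname"], apex))
    return hits


def hosts_to_triage(log_text, domains):
    """Infected hosts: any hit counts, since the sample also talks to decoys."""
    return {host for host, _, _ in scan_dns_log(log_text, domains)}


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG, C2_DOMAINS):
        print(hit)
    print("hosts to triage:", sorted(hosts_to_triage(SAMPLE_DNS_LOG, C2_DOMAINS)))
```

The matcher deliberately compares whole labels from the right rather than substrings: decoy lists in these configs are ordinary registered domains, so a substring match would also flag unrelated names that merely contain one of them.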
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
XLoader is the successor of FormBook and keeps its check-in protocol, so the older FormBook Emerging Threats rules fire on its traffic.
Xloader Payload 2 IoCs
Processes:
  resource                                                                       yara_rule
  behavioral2/memory/4604-136-0x0000000000400000-0x000000000042B000-memory.dmp   xloader
  behavioral2/memory/4132-145-0x0000000000E60000-0x0000000000E8B000-memory.dmp   xloader

Executes dropped EXE 3 IoCs
Processes:
  pid   process
  4396  gggedibw.exe
  4604  gggedibw.exe
  3924  gdjp7onuhz.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries. In this run the concrete instance is the copying of Chrome's and Edge's "Login Data" databases to %TEMP%\DB1 (see the cmd.exe entries in the process tree).
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  description       ioc                                                                                                                                                     process
  Key created       \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run                                                                           msdt.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CPLDWP-X-2 = "C:\\Program Files (x86)\\C2dbxnz\\gdjp7onuhz.exe"           msdt.exe
The value lands under the WOW6432Node view because the 32-bit msdt.exe (SysWOW64) is registry-redirected; when hunting on 64-bit hosts query both HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and the WOW6432Node copy.

Suspicious use of SetThreadContext 3 IoCs
Processes:
  pid   process        target pid   target process
  4396  gggedibw.exe   4604         gggedibw.exe
  4604  gggedibw.exe   1504         Explorer.EXE
  4132  msdt.exe       1504         Explorer.EXE

Drops file in Program Files directory 4 IoCs
Processes:
  description                    ioc                                               process
  File opened for modification   C:\Program Files (x86)\C2dbxnz\gdjp7onuhz.exe     msdt.exe
  File opened for modification   C:\Program Files (x86)\C2dbxnz                    Explorer.EXE
  File created                   C:\Program Files (x86)\C2dbxnz\gdjp7onuhz.exe     Explorer.EXE
  File opened for modification   C:\Program Files (x86)\C2dbxnz\gdjp7onuhz.exe     Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches a generic "likely ransomware" note to this signature; nothing else in this report supports that reading (no mass file modification is recorded, and the remaining behaviour is that of an infostealer), so treat it as drive enumeration rather than as an encryption indicator.
Program crash 1 IoCs
Processes:
  pid    pid_target   process        target process
  4520   3924         WerFault.exe   gdjp7onuhz.exe
The crashing process is the persisted copy launched from Program Files (x86); per the process tree it was started without the mjfsqpy argument that the original gggedibw.exe received.

Modifies Internet Explorer settings 1 IoCs
Processes:
  description   ioc                                                                                                                process
  Key created   \Registry\User\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2   msdt.exe
IntelliForms\Storage2 is where Internet Explorer keeps AutoComplete credentials, so this is consistent with credential harvesting rather than with a settings change.
Suspicious behavior: EnumeratesProcesses 56 IoCs
Processes:
  pid   process        events
  4604  gggedibw.exe   4
  4132  msdt.exe       52

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid   process
  1504  Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
  pid   process        events
  4604  gggedibw.exe   3
  4132  msdt.exe       4

Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  description                        pid   process
  Token: SeDebugPrivilege            4604  gggedibw.exe
  Token: SeDebugPrivilege            4132  msdt.exe
  Token: SeShutdownPrivilege         1504  Explorer.EXE
  Token: SeCreatePagefilePrivilege   1504  Explorer.EXE

Suspicious use of WriteProcessMemory 27 IoCs
Processes:
(each "wrote to memory of" edge is reported several times; listed once with its count)
  pid   process                    target pid   target process   events
  4588  FINAL DOCS HBL & MBL.exe   4396         gggedibw.exe     3
  4396  gggedibw.exe               4604         gggedibw.exe     6
  1504  Explorer.EXE               4132         msdt.exe         3
  4132  msdt.exe                   4852         cmd.exe          3
  4132  msdt.exe                   4676         cmd.exe          3
  4132  msdt.exe                   3988         cmd.exe          3
  4132  msdt.exe                   2324         Firefox.exe      3
  1504  Explorer.EXE               3924         gdjp7onuhz.exe   3
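The WriteProcessMemory and SetThreadContext tables above are enough to reconstruct the injection chain mechanically. The following is an added example, not part of the Triage report: the event tuples are transcribed from the tables and the process tree, and the three rules (hollowing of a spawned child, injection into a foreign process, processes launched by an injected process) are this example's own detection logic.

```python
"""Reconstruct the XLoader injection chain from sandbox behaviour records.

Added example (not part of the Triage report). The event tuples below are
transcribed from this report's "Suspicious use of WriteProcessMemory" and
"Suspicious use of SetThreadContext" tables and from the process tree; the
detection rules are this example's own, not the sandbox's.
"""

# (pid, process, target_pid, target_process): "wrote to memory of" events,
# one entry per unique edge (the report repeats each edge several times).
WRITES = [
    (4588, "FINAL DOCS HBL & MBL.exe", 4396, "gggedibw.exe"),
    (4396, "gggedibw.exe", 4604, "gggedibw.exe"),
    (1504, "Explorer.EXE", 4132, "msdt.exe"),
    (4132, "msdt.exe", 4852, "cmd.exe"),
    (4132, "msdt.exe", 4676, "cmd.exe"),
    (4132, "msdt.exe", 3988, "cmd.exe"),
    (4132, "msdt.exe", 2324, "Firefox.exe"),
    (1504, "Explorer.EXE", 3924, "gdjp7onuhz.exe"),
]

# (pid, process, target_pid, target_process): "set thread context of" events.
THREAD_CONTEXT = [
    (4396, "gggedibw.exe", 4604, "gggedibw.exe"),
    (4604, "gggedibw.exe", 1504, "Explorer.EXE"),
    (4132, "msdt.exe", 1504, "Explorer.EXE"),
]

# child pid -> parent pid, read off the report's process tree.
PARENTS = {
    4588: 1504, 4396: 4588, 4604: 4396, 4132: 1504,
    4852: 4132, 4676: 4132, 3988: 4132, 2324: 4132, 3924: 1504,
}


def hollowing_candidates(writes, thread_ctx, parents):
    """A process that writes into a child it spawned and then resets that
    child's thread context is replacing the child's image (RunPE/hollowing).
    The same image name on both sides means it hollowed a copy of itself."""
    ctx = {(p, t) for p, _, t, _ in thread_ctx}
    found = []
    for p, pname, t, tname in writes:
        if parents.get(t) == p and (p, t) in ctx:
            kind = "self-hollowing" if pname.lower() == tname.lower() else "hollowing"
            found.append((kind, p, pname, t, tname))
    return found


def foreign_injections(thread_ctx, parents):
    """SetThreadContext on a process that is not the caller's own child is
    injection into an already running process (here: Explorer.EXE)."""
    return [(p, pname, t, tname) for p, pname, t, tname in thread_ctx
            if parents.get(t) != p]


def proxy_spawns(writes, thread_ctx):
    """Processes written into by a process that was itself an injection
    target: the injected Explorer launching msdt.exe and the persisted copy."""
    targets = {t for _, _, t, _ in thread_ctx}
    return [(p, pname, t, tname) for p, pname, t, tname in writes if p in targets]


def summarize(writes=WRITES, thread_ctx=THREAD_CONTEXT, parents=PARENTS):
    """One human-readable line per finding, in the order an analyst reads them."""
    lines = []
    for kind, p, pname, t, tname in hollowing_candidates(writes, thread_ctx, parents):
        lines.append(f"{kind}: {pname}({p}) -> {tname}({t})")
    for p, pname, t, tname in foreign_injections(thread_ctx, parents):
        lines.append(f"injection: {pname}({p}) -> {tname}({t})")
    for p, pname, t, tname in proxy_spawns(writes, thread_ctx):
        lines.append(f"spawned-from-injected: {pname}({p}) -> {tname}({t})")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize()))
```

Run against this report's events the rules yield the chain an analyst would draw by hand: gggedibw.exe (4396) hollows a second copy of itself (4604), 4604 injects into Explorer.EXE (1504), the injected Explorer launches msdt.exe (4132) and the persisted gdjp7onuhz.exe (3924), and 4132 in turn injects back into Explorer. The same three rules apply to EDR telemetry that exposes cross-process write and thread-context events, with the parent map coming from process-creation records.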
Processes
(The leading number and the indentation give the depth in the tree as reported; each entry shows the image path, then the command line.)

1 C:\Windows\Explorer.EXE
  cmd: C:\Windows\Explorer.EXE
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  2 C:\Users\Admin\AppData\Local\Temp\FINAL DOCS HBL & MBL.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\FINAL DOCS HBL & MBL.exe"
    - Suspicious use of WriteProcessMemory

    3 C:\Users\Admin\AppData\Local\Temp\gggedibw.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\gggedibw.exe C:\Users\Admin\AppData\Local\Temp\mjfsqpy
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      4 C:\Users\Admin\AppData\Local\Temp\gggedibw.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\gggedibw.exe C:\Users\Admin\AppData\Local\Temp\mjfsqpy
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  2 C:\Windows\SysWOW64\msdt.exe
    cmd: "C:\Windows\SysWOW64\msdt.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    3 C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\gggedibw.exe"

    3 C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

    3 C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

    3 C:\Program Files\Mozilla Firefox\Firefox.exe
      cmd: "C:\Program Files\Mozilla Firefox\Firefox.exe"

  2 C:\Program Files (x86)\C2dbxnz\gdjp7onuhz.exe
    cmd: "C:\Program Files (x86)\C2dbxnz\gdjp7onuhz.exe"
    - Executes dropped EXE

    3 C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 216
      - Program crash

1 C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3924 -ip 3924

Reading the tree together with the SetThreadContext table: the dropper launches gggedibw.exe with the 5KB Temp file mjfsqpy as its argument; that process hollows a second copy of itself (4396 -> 4604), which injects into Explorer.EXE (1504). msdt.exe and the persisted gdjp7onuhz.exe appear as children of Explorer because Explorer's injected code started them. msdt.exe (4132) is the long-lived host: it sets the Run key, copies the Chrome and Edge "Login Data" databases, deletes the Temp loader, starts Firefox and injects back into Explorer.
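The three cmd.exe lines in the tree are the part of this run most worth turning into a detection: a shell spawned by a system binary that copies a browser credential database to %TEMP% and deletes the loader. The following is an added example and not part of the report or of the malware. The three malicious command lines are copied from the tree; the two benign lines and the parent image names are constructed. The credential-store patterns go beyond the report's Chrome/Edge "Login Data" case to Chromium cookie databases and Firefox password files, which is this example's generalisation.

```python
"""Flag cmd.exe usage typical of an in-session browser credential stealer.

Added example (not from the Triage report or the malware). The three
malicious command lines are copied from this report's process tree; the two
benign lines and the parent names are constructed. Chromium cookies and
Firefox login files are a generalisation beyond what the report shows.
"""
import re

# (pid, parent image, command line)
SAMPLE_CMDLINES = [
    (4852, "msdt.exe",
     r'C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\gggedibw.exe"'),
    (4676, "msdt.exe",
     r'C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V'),
    (3988, "msdt.exe",
     r'C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V'),
    # constructed benign lines
    (5001, "explorer.exe",
     r'C:\Windows\System32\cmd.exe /c copy "C:\Users\Admin\Documents\notes.txt" "D:\backup\notes.txt"'),
    (5002, "chrome.exe",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer'),
]

# Paths that hold browser secrets: Chromium "Login Data" (the report's case),
# Chromium cookie DBs and Firefox password files (generalisation).
CRED_STORES = [
    ("chromium-logins",  re.compile(r"\\User Data\\[^\\]+\\Login Data$", re.I)),
    ("chromium-cookies", re.compile(r"\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.I)),
    ("firefox-logins",   re.compile(r"\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$", re.I)),
]

CMD_RE = re.compile(r"\\cmd\.exe\b", re.I)
COPY_RE = re.compile(r'\bcopy\s+"(?P<src>[^"]+)"\s+"(?P<dst>[^"]+)"', re.I)
DEL_RE = re.compile(r'\bdel\s+"(?P<path>[^"]+)"', re.I)
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)


def classify(cmdline):
    """Return a list of (rule, detail, src, dst) findings for one command line."""
    findings = []
    if not CMD_RE.search(cmdline):
        return findings
    m = COPY_RE.search(cmdline)
    if m:
        for label, rx in CRED_STORES:
            if rx.search(m["src"]):
                findings.append(("browser-credential-copy", label, m["src"], m["dst"]))
    m = DEL_RE.search(cmdline)
    if m and TEMP_EXE_RE.search(m["path"]):
        # deleting a freshly dropped EXE from %TEMP% is the dropper cleaning up
        findings.append(("dropper-self-delete", "temp-exe", m["path"], None))
    return findings


def triage(records):
    """Run classify() over (pid, parent, cmdline) records; keep the parent so the
    analyst sees which host process (here msdt.exe) drove the shell."""
    out = []
    for pid, parent, cmdline in records:
        for finding in classify(cmdline):
            out.append((pid, parent) + finding)
    return out


if __name__ == "__main__":
    for hit in triage(SAMPLE_CMDLINES):
        print(hit)
```

"Login Data" is Chromium's SQLite store of saved logins; the passwords in it are encrypted with a key protected by the user's DPAPI context, which an in-session stealer has, so the copy alone is enough for the thief. The same rules work on process-creation telemetry (Sysmon event 1 or an EDR equivalent); the parent field is what separates this from a user copying their own profile.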
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
(Dropped files first, then the memory regions dumped during the run. Entries the report listed more than once with identical hashes are shown once.)

C:\Program Files (x86)\C2dbxnz\gdjp7onuhz.exe
  Filesize: 184KB
  MD5: aae9f5343cef252e1c7b4a1a3028b83d
  SHA1: 5d33892c4c69018e75ab7918e857998b53078466
  SHA256: 5735f76f9f15637509f0cb6e3ee057a7e19084b10e9e133be03e2fefcc23db6e
  SHA512: 1e6cd04fc9d69a5933cb8064489e35b6c2719c81dc30a405a050f0b975db629b3843fc2d576c217bb81bb12b5508dc001b894f926a2ac19b16a5b17f21aed659
  Same hashes as gggedibw.exe below: the loader copied into Program Files (x86) as the target of the Run key.

C:\Users\Admin\AppData\Local\Temp\DB1
  Filesize: 40KB
  MD5: b608d407fc15adea97c26936bc6f03f6
  SHA1: 953e7420801c76393902c0d6bb56148947e41571
  SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

C:\Users\Admin\AppData\Local\Temp\DB1
  Filesize: 48KB
  MD5: 349e6eb110e34a08924d92f6b334801d
  SHA1: bdfb289daff51890cc71697b6322aa4b35ec9169
  SHA256: c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
  SHA512: 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
  The two DB1 entries are the two copies of "Login Data" (Chrome, then Edge, per the process tree) written to the same path; they are the victim's browser credential databases, not malware.

C:\Users\Admin\AppData\Local\Temp\gggedibw.exe
  Filesize: 184KB
  MD5: aae9f5343cef252e1c7b4a1a3028b83d
  SHA1: 5d33892c4c69018e75ab7918e857998b53078466
  SHA256: 5735f76f9f15637509f0cb6e3ee057a7e19084b10e9e133be03e2fefcc23db6e
  SHA512: 1e6cd04fc9d69a5933cb8064489e35b6c2719c81dc30a405a050f0b975db629b3843fc2d576c217bb81bb12b5508dc001b894f926a2ac19b16a5b17f21aed659
  The loader dropped and executed by the sample, later deleted by msdt.exe via cmd.exe.

C:\Users\Admin\AppData\Local\Temp\jqiv3bn3ymt6ac8jm7
  Filesize: 171KB
  MD5: 1148683cca7b93d4a8c4bae984e56f25
  SHA1: 69a040267d63e9f4df5a30e70eceaddbd97c063a
  SHA256: 283f659c8ebb71ad404509a287945444d5e02c335ba02b86ba185199d9d37b46
  SHA512: d559f25048a302c6b6b45e7f4f0ea10b0925160c99c904daff151426606de83dc5199298a871c3ba4777475e761f4e812c1a7ab747c76eba68d5c4d000cae007

C:\Users\Admin\AppData\Local\Temp\mjfsqpy
  Filesize: 5KB
  MD5: 42d16384fa40f41309ee20f10da5838a
  SHA1: 8c94a48b1cf661f67c39ff649f306d6ec3809dce
  SHA256: b435dbb39f235eefdd4b1fc8f54156376914d2cd19ab63f7a0efbf8ba4a41a94
  SHA512: 868a0f3e18005010bd79493b28c7e32b1c8c4d225db92aa7dfece7762ce08981db74746291d57619f12c7a5386ad4dfb2d43984873376a8b7792741e24a67b6d
  Passed as the only command-line argument to gggedibw.exe (see process tree).

Memory dumps (region, size; the two regions that matched the xloader YARA rule are marked):
  memory/1504-148-0x0000000002580000-0x0000000002632000-memory.dmp   712KB
  memory/1504-141-0x0000000007C90000-0x0000000007DCF000-memory.dmp   1.2MB
  memory/3924-153-0x0000000000000000-mapping.dmp
  memory/3988-151-0x0000000000000000-mapping.dmp
  memory/4132-146-0x0000000002FD0000-0x000000000331A000-memory.dmp   3.3MB
  memory/4132-145-0x0000000000E60000-0x0000000000E8B000-memory.dmp   172KB   (xloader YARA hit)
  memory/4132-142-0x0000000000000000-mapping.dmp
  memory/4132-147-0x0000000002CD0000-0x0000000002D60000-memory.dmp   576KB
  memory/4132-144-0x00000000006B0000-0x0000000000707000-memory.dmp   348KB
  memory/4396-130-0x0000000000000000-mapping.dmp
  memory/4604-138-0x0000000001960000-0x0000000001CAA000-memory.dmp   3.3MB
  memory/4604-136-0x0000000000400000-0x000000000042B000-memory.dmp   172KB   (xloader YARA hit)
  memory/4604-135-0x0000000000000000-mapping.dmp
  memory/4604-140-0x0000000001CB0000-0x0000000001CC1000-memory.dmp   68KB
  memory/4676-149-0x0000000000000000-mapping.dmp
  memory/4852-143-0x0000000000000000-mapping.dmp