Analysis

Max time kernel: 151s
Max time network: 156s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 25-05-2022 14:00

Tasks
  Static task: static1
  Behavioral task: behavioral1
    Sample: INQNEW~0.exe
    Resource: win7-20220414-en

General
  Target: INQNEW~0.exe
  Size: 276KB
  MD5: ebb0fecde4a2e88c63c27c82810113b5
  SHA1: c5658bec21ea4dfe2d0a66089d2d18bf081c778f
  SHA256: df1b0eef4f32a5c2527691175375962957db71bc913d37f6e71150e599b2b31c
  SHA512: 05960c717d5f30ca5b1424a3a2806c2a7a00b6ec4a3949bdb7db4d7f5fd885119cf18cbb752537ddcb7bc277ecf683d060c40baee3ac6bdb6f76cb5a50598ad8
Malware Config (extracted)
  Family: xloader
  Version: 2.6
  Campaign: be4o
  C2 domains: 65 entries extracted from the sample configuration
Signatures

Suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload (4 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/1340-59-0x0000000000400000-0x000000000042B000-memory.dmp  xloader
  behavioral1/memory/1340-60-0x000000000041F270-mapping.dmp                    xloader
  behavioral1/memory/1340-62-0x0000000000400000-0x000000000042B000-memory.dmp  xloader
  behavioral1/memory/636-68-0x0000000000080000-0x00000000000AB000-memory.dmp   xloader

Executes dropped EXE (1 IoC)
  pid   process
  1168  colorcplsff.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                               process
  Key created      \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run                                                                        help.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KRZXSZIXDLH = "C:\\Program Files (x86)\\P1bg\\colorcplsff.exe"        help.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   process       target process
  PID 2040 set thread context of 1340  2040  INQNEW~0.exe  vbc.exe
  PID 1340 set thread context of 1416  1340  vbc.exe       Explorer.EXE
  PID 636 set thread context of 1416   636   help.exe      Explorer.EXE

Drops file in Program Files directory (2 IoCs)
  description                   ioc                                           process
  File opened for modification  C:\Program Files (x86)\P1bg\colorcplsff.exe  help.exe
  File created                  C:\Program Files (x86)\P1bg\colorcplsff.exe  Explorer.EXE

Modifies Internet Explorer settings
  description  ioc                                                                                                                     process
  Key created  \Registry\User\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  help.exe

Suspicious behavior: EnumeratesProcesses (25 IoCs)
  pid   process
  1340  vbc.exe   (2 entries)
  636   help.exe  (23 entries)

Suspicious behavior: MapViewOfSection (7 IoCs)
  pid   process
  1340  vbc.exe   (3 entries)
  636   help.exe  (4 entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                 pid   process
  Token: SeDebugPrivilege     1340  vbc.exe
  Token: SeDebugPrivilege     636   help.exe
  Token: SeShutdownPrivilege  1416  Explorer.EXE  (2 entries)

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   process
  1416  Explorer.EXE  (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
  pid   process
  1416  Explorer.EXE  (2 entries)

Suspicious use of WriteProcessMemory (24 IoCs)
  description                     pid   process       target process
  PID 2040 wrote to memory of 1340  2040  INQNEW~0.exe  vbc.exe          (7 entries)
  PID 1416 wrote to memory of 636   1416  Explorer.EXE  help.exe         (4 entries)
  PID 636 wrote to memory of 1484   636   help.exe      cmd.exe          (4 entries)
  PID 636 wrote to memory of 672    636   help.exe      Firefox.exe      (5 entries)
  PID 1416 wrote to memory of 1168  1416  Explorer.EXE  colorcplsff.exe  (4 entries)
Processes

[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\INQNEW~0.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\INQNEW~0.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\help.exe
      command line: "C:\Windows\SysWOW64\help.exe"
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

    [3] C:\Program Files\Mozilla Firefox\Firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

  [2] C:\Program Files (x86)\P1bg\colorcplsff.exe
      command line: "C:\Program Files (x86)\P1bg\colorcplsff.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Program Files (x86)\P1bg\colorcplsff.exe
  Filesize: 2.6MB
  MD5: 7dff668539101ab52fb818dfdb43187c
  SHA1: 1086105ab0d6f71a999badd744dc0bf41f977d2f
  SHA256: b1cfae88e590067e127201e49025d20bf466ab2e3c9cb72bc411d3937c5f1332
  SHA512: de4b232779783e4125c262cc813547ff0c15c2d355182a4cd0ea25c32d6467bd202cdeda7bed69714e0ab0e647776d794111fc0d9617b4e5ade1c938230fca32
Memory dumps
  memory/636-72-0x0000000000500000-0x0000000000590000-memory.dmp    Filesize: 576KB
  memory/636-66-0x0000000000000000-mapping.dmp
  memory/636-69-0x0000000000AB0000-0x0000000000DB3000-memory.dmp    Filesize: 3.0MB
  memory/636-68-0x0000000000080000-0x00000000000AB000-memory.dmp    Filesize: 172KB
  memory/636-67-0x0000000000AA0000-0x0000000000AA6000-memory.dmp    Filesize: 24KB
  memory/1168-74-0x0000000000000000-mapping.dmp
  memory/1340-63-0x00000000008C0000-0x0000000000BC3000-memory.dmp   Filesize: 3.0MB
  memory/1340-64-0x0000000000290000-0x00000000002A1000-memory.dmp   Filesize: 68KB
  memory/1340-57-0x0000000000400000-0x000000000042B000-memory.dmp   Filesize: 172KB
  memory/1340-62-0x0000000000400000-0x000000000042B000-memory.dmp   Filesize: 172KB
  memory/1340-60-0x000000000041F270-mapping.dmp
  memory/1340-59-0x0000000000400000-0x000000000042B000-memory.dmp   Filesize: 172KB
  memory/1340-56-0x0000000000400000-0x000000000042B000-memory.dmp   Filesize: 172KB
  memory/1416-65-0x0000000006FA0000-0x0000000007144000-memory.dmp   Filesize: 1.6MB
  memory/1416-73-0x0000000006C90000-0x0000000006DD0000-memory.dmp   Filesize: 1.2MB
  memory/1484-70-0x0000000000000000-mapping.dmp
  memory/2040-54-0x00000000013E0000-0x000000000142A000-memory.dmp   Filesize: 296KB
  memory/2040-55-0x0000000075FE1000-0x0000000075FE3000-memory.dmp   Filesize: 8KB