Analysis
- max time kernel: 168s
- max time network: 173s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 25-05-2022 14:00
Static task: static1
Behavioral task: behavioral1
- Sample: INQNEW#PO24052022.qdf.exe
- Resource: win7-20220414-en
General
- Target: INQNEW#PO24052022.qdf.exe
- Size: 276KB
- MD5: ebb0fecde4a2e88c63c27c82810113b5
- SHA1: c5658bec21ea4dfe2d0a66089d2d18bf081c778f
- SHA256: df1b0eef4f32a5c2527691175375962957db71bc913d37f6e71150e599b2b31c
- SHA512: 05960c717d5f30ca5b1424a3a2806c2a7a00b6ec4a3949bdb7db4d7f5fd885119cf18cbb752537ddcb7bc277ecf683d060c40baee3ac6bdb6f76cb5a50598ad8
Malware Config
Extracted
xloader
2.6
be4o
laboratoriobioixcha.com
tictocperushop.online
wild-oceans.com
belaruscountry.com
kicktmall.com
fitcoinweb.tech
mores.one
gogear.one
gxrcksy.com
samrcq.com
impossible-icecream.com
bravesxx.com
bookchainart.com
sleepsolutionsofmboro.com
ocbrazilbusinessclub.com
advisor76.xyz
xitaotech.com
mgsdtytifgf3414.xyz
johnson-brown.net
cr3drt.com
virtualtourpro.store
transporteriocristal.com
fjbingjiang.com
minecraftrojectx.site
ttrcb.com
sexlarab.com
cxzczc2.online
doorsmm.com
weisbergiegal.com
skythinks.com
schoolsuperaty.com
swampbucketkids.com
networklogicsa.com
businessevs.com
gulfcoastclinicchiro.com
milliards.xyz
moviesquery.com
cycletostack.com
c0wkvo.com
inkingthings.net
cookvillecampgroundvt.com
rajeshprinters.com
binge-bane.biz
ginger9632-voice.cloud
1nfo-post.com
unta.xyz
liuhumu.com
khandaia.info
ha01qnscvts0l.xyz
liert.site
allflowmedia.com
6ibnuj9t.xyz
embravewise.com
responsabilities.com
apexges.com
ola-speechtherapy.com
pristinefarmlands.com
adaraateristiayote.store
journeyhomemeditation.com
96238.top
nosipokip.site
itt-service.com
bw590jumpb.xyz
relieveyourdog.com
qiyeweiiliaoo0428.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload (3 IoCs)
resource | yara_rule
behavioral1/memory/952-60-0x000000000041F270-mapping.dmp | xloader
behavioral1/memory/952-61-0x0000000000080000-0x00000000000AB000-memory.dmp | xloader
behavioral1/memory/1308-68-0x0000000000080000-0x00000000000AB000-memory.dmp | xloader
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: systray.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | systray.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DT8PFTBPRT = "C:\\Program Files (x86)\\Mzv1psz\\certmgrf0j8u85p.exe" | systray.exe
Executes dropped EXE (1 IoCs)
Processes: certmgrf0j8u85p.exe
pid | process
1772 | certmgrf0j8u85p.exe
Uses the VBS compiler for execution (1 TTPs)
Suspicious use of SetThreadContext (3 IoCs)
Processes: INQNEW#PO24052022.qdf.exe, vbc.exe, systray.exe
description | pid | process | target process
PID 872 set thread context of 952 | 872 | INQNEW#PO24052022.qdf.exe | vbc.exe
PID 952 set thread context of 1220 | 952 | vbc.exe | Explorer.EXE
PID 1308 set thread context of 1220 | 1308 | systray.exe | Explorer.EXE
Drops file in Program Files directory (2 IoCs)
Processes: systray.exe, Explorer.EXE
description | ioc | process
File opened for modification | C:\Program Files (x86)\Mzv1psz\certmgrf0j8u85p.exe | systray.exe
File created | C:\Program Files (x86)\Mzv1psz\certmgrf0j8u85p.exe | Explorer.EXE
Modifies Internet Explorer settings (1 IoC)
Processes: systray.exe
description | ioc | process
Key created | \Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | systray.exe
Suspicious behavior: EnumeratesProcesses (24 IoCs)
Processes: vbc.exe, systray.exe
pid | process
952 | vbc.exe (2 entries)
1308 | systray.exe (22 entries)
Suspicious behavior: MapViewOfSection (7 IoCs)
Processes: vbc.exe, systray.exe
pid | process
952 | vbc.exe (3 entries)
1308 | systray.exe (4 entries)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: vbc.exe, systray.exe, Explorer.EXE
description | pid | process
Token: SeDebugPrivilege | 952 | vbc.exe
Token: SeDebugPrivilege | 1308 | systray.exe
Token: SeShutdownPrivilege | 1220 | Explorer.EXE
Token: SeShutdownPrivilege | 1220 | Explorer.EXE
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: Explorer.EXE
pid | process
1220 | Explorer.EXE (2 entries)
Suspicious use of SendNotifyMessage (2 IoCs)
Processes: Explorer.EXE
pid | process
1220 | Explorer.EXE (2 entries)
Suspicious use of WriteProcessMemory (24 IoCs)
Processes: INQNEW#PO24052022.qdf.exe, Explorer.EXE, systray.exe
description | pid | process | target process
PID 872 wrote to memory of 952 | 872 | INQNEW#PO24052022.qdf.exe | vbc.exe (7 entries)
PID 1220 wrote to memory of 1308 | 1220 | Explorer.EXE | systray.exe (4 entries)
PID 1308 wrote to memory of 1128 | 1308 | systray.exe | cmd.exe (4 entries)
PID 1308 wrote to memory of 1104 | 1308 | systray.exe | Firefox.exe (5 entries)
PID 1220 wrote to memory of 1772 | 1220 | Explorer.EXE | certmgrf0j8u85p.exe (4 entries)
Processes
[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\INQNEW#PO24052022.qdf.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\INQNEW#PO24052022.qdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\systray.exe
      command line: "C:\Windows\SysWOW64\systray.exe"
      - Adds policy Run key to start application
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    [3] C:\Program Files\Mozilla Firefox\Firefox.exe
        command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
  [2] C:\Program Files (x86)\Mzv1psz\certmgrf0j8u85p.exe
      command line: "C:\Program Files (x86)\Mzv1psz\certmgrf0j8u85p.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\Mzv1psz\certmgrf0j8u85p.exe
  Filesize: 2.6MB
  MD5: c9186500c029d36dc8e57431040c2f76
  SHA1: baaac30e02341cea28bed7f963ec7e78945dabc2
  SHA256: dd6b5964d36be4ed2f0b81dd43bb0a5ca434d82389d28eaa8632da15ade3a43b
  SHA512: 03cc9bc677a981e04f5728c735e855c1ea9e466b3afdac0259749605d8b1567869b7c59fcbd00a92d54813e353d130ba5a9ce4c325ed06bf9dc5de16a106b599
- memory/872-54-0x0000000000CF0000-0x0000000000D3A000-memory.dmp
  Filesize: 296KB
- memory/872-55-0x00000000764C1000-0x00000000764C3000-memory.dmp
  Filesize: 8KB
- memory/952-56-0x0000000000080000-0x00000000000AB000-memory.dmp
  Filesize: 172KB
- memory/952-57-0x0000000000080000-0x00000000000AB000-memory.dmp
  Filesize: 172KB
- memory/952-60-0x000000000041F270-mapping.dmp
- memory/952-61-0x0000000000080000-0x00000000000AB000-memory.dmp
  Filesize: 172KB
- memory/952-63-0x0000000000D50000-0x0000000001053000-memory.dmp
  Filesize: 3.0MB
- memory/952-64-0x0000000000170000-0x0000000000181000-memory.dmp
  Filesize: 68KB
- memory/1128-69-0x0000000000000000-mapping.dmp
- memory/1220-73-0x0000000004D40000-0x0000000004E90000-memory.dmp
  Filesize: 1.3MB
- memory/1220-65-0x0000000004C00000-0x0000000004D3B000-memory.dmp
  Filesize: 1.2MB
- memory/1308-67-0x0000000000D20000-0x0000000000D25000-memory.dmp
  Filesize: 20KB
- memory/1308-68-0x0000000000080000-0x00000000000AB000-memory.dmp
  Filesize: 172KB
- memory/1308-70-0x0000000002130000-0x0000000002433000-memory.dmp
  Filesize: 3.0MB
- memory/1308-72-0x0000000000BE0000-0x0000000000C70000-memory.dmp
  Filesize: 576KB
- memory/1308-66-0x0000000000000000-mapping.dmp
- memory/1772-74-0x0000000000000000-mapping.dmp