Analysis
max time kernel: 148s
max time network: 151s
platform: windows7_x64
resource: win7-20220414-en
submitted: 25-05-2022 14:00
Static task: static1
Behavioral task: behavioral1
Sample: INQNEW~0.exe
Resource: win7-20220414-en
General
Target: INQNEW~0.exe
Size: 276KB
MD5: ebb0fecde4a2e88c63c27c82810113b5
SHA1: c5658bec21ea4dfe2d0a66089d2d18bf081c778f
SHA256: df1b0eef4f32a5c2527691175375962957db71bc913d37f6e71150e599b2b31c
SHA512: 05960c717d5f30ca5b1424a3a2806c2a7a00b6ec4a3949bdb7db4d7f5fd885119cf18cbb752537ddcb7bc277ecf683d060c40baee3ac6bdb6f76cb5a50598ad8
Malware Config
Extracted
xloader
2.6
be4o
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload 4 IoCs
resource  yara_rule
behavioral1/memory/2024-59-0x0000000000400000-0x000000000042B000-memory.dmp  xloader
behavioral1/memory/2024-60-0x000000000041F270-mapping.dmp  xloader
behavioral1/memory/2024-65-0x0000000000400000-0x000000000042B000-memory.dmp  xloader
behavioral1/memory/1720-70-0x0000000000070000-0x000000000009B000-memory.dmp  xloader
Adds policy Run key to start application 2 TTPs 2 IoCs
description  ioc  process
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run  wscript.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MBDX6TP8O = "C:\\Program Files (x86)\\U7nddpld\\regsvc1be.exe"  wscript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Uses the VBS compiler for execution 1 TTPs
Suspicious use of SetThreadContext 4 IoCs
description  pid  process  target process
PID 2020 set thread context of 2024  2020  INQNEW~0.exe  vbc.exe
PID 2024 set thread context of 1300  2024  vbc.exe  Explorer.EXE
PID 2024 set thread context of 1300  2024  vbc.exe  Explorer.EXE
PID 1720 set thread context of 1300  1720  wscript.exe  Explorer.EXE
Drops file in Program Files directory 1 IoCs
description  ioc  process
File opened for modification  C:\Program Files (x86)\U7nddpld\regsvc1be.exe  wscript.exe

Modifies Internet Explorer settings
description  ioc  process
Key created  \Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  wscript.exe
Suspicious behavior: EnumeratesProcesses 23 IoCs
pid  process  (entries)
2024  vbc.exe  3
1720  wscript.exe  20
Suspicious behavior: MapViewOfSection 8 IoCs
pid  process  (entries)
2024  vbc.exe  4
1720  wscript.exe  4
Suspicious use of AdjustPrivilegeToken 2 IoCs
description  pid  process
Token: SeDebugPrivilege  2024  vbc.exe
Token: SeDebugPrivilege  1720  wscript.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid  process
1300  Explorer.EXE
1300  Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs
pid  process
1300  Explorer.EXE
1300  Explorer.EXE
Suspicious use of WriteProcessMemory 20 IoCs
description  pid  process  target process  (entries)
PID 2020 wrote to memory of 2024  2020  INQNEW~0.exe  vbc.exe  7
PID 2024 wrote to memory of 1720  2024  vbc.exe  wscript.exe  4
PID 1720 wrote to memory of 1648  1720  wscript.exe  cmd.exe  4
PID 1720 wrote to memory of 1884  1720  wscript.exe  Firefox.exe  5
System policy modification 1 TTPs 1 IoCs
description  ioc  process
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer  wscript.exe
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Users\Admin\AppData\Local\Temp\INQNEW~0.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\INQNEW~0.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\wscript.exe
        command line: "C:\Windows\SysWOW64\wscript.exe"
        - Adds policy Run key to start application
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

        C:\Windows\SysWOW64\cmd.exe
          command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

        C:\Program Files\Mozilla Firefox\Firefox.exe
          command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Downloads
memory dump  size
memory/1300-64-0x00000000044A0000-0x000000000458E000-memory.dmp  952KB
memory/1300-75-0x0000000006220000-0x000000000636E000-memory.dmp  1.3MB
memory/1300-67-0x0000000005F90000-0x000000000607F000-memory.dmp  956KB
memory/1648-71-0x0000000000000000-mapping.dmp
memory/1720-68-0x0000000000000000-mapping.dmp
memory/1720-74-0x0000000001EE0000-0x0000000001F70000-memory.dmp  576KB
memory/1720-72-0x0000000002070000-0x0000000002373000-memory.dmp  3.0MB
memory/1720-70-0x0000000000070000-0x000000000009B000-memory.dmp  172KB
memory/1720-69-0x0000000000AB0000-0x0000000000AD6000-memory.dmp  152KB
memory/2020-54-0x00000000013C0000-0x000000000140A000-memory.dmp  296KB
memory/2020-55-0x00000000755C1000-0x00000000755C3000-memory.dmp  8KB
memory/2024-59-0x0000000000400000-0x000000000042B000-memory.dmp  172KB
memory/2024-57-0x0000000000400000-0x000000000042B000-memory.dmp  172KB
memory/2024-66-0x00000000002D0000-0x00000000002E1000-memory.dmp  68KB
memory/2024-65-0x0000000000400000-0x000000000042B000-memory.dmp  172KB
memory/2024-56-0x0000000000400000-0x000000000042B000-memory.dmp  172KB
memory/2024-60-0x000000000041F270-mapping.dmp
memory/2024-63-0x0000000000280000-0x0000000000291000-memory.dmp  68KB
memory/2024-62-0x00000000008D0000-0x0000000000BD3000-memory.dmp  3.0MB