Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
30-05-2022 13:10
General
-
Target
triage_dropped_file.exe
-
Size
798KB
-
MD5
fa6cb9677ff2254615166747668a72ed
-
SHA1
e784bfd8f5f4514569205bb535ed8bc36ab47f28
-
SHA256
4fe26ebfc5412205231040de3bf8f865da141f2c9c5c2c809e4bf6ceced43e55
-
SHA512
e6e05225ecbf3e0157bc5b55980c17a7e9f61d36aadb172ae753b140c69b10f3e58d3a020e4225a25596b7aae586409e7c59e4ab2046e134ce5ccfc281484617
Malware Config
Extracted
xloader
2.6
be4o
laboratoriobioixcha.com
tictocperushop.online
wild-oceans.com
belaruscountry.com
kicktmall.com
fitcoinweb.tech
mores.one
gogear.one
gxrcksy.com
samrcq.com
impossible-icecream.com
bravesxx.com
bookchainart.com
sleepsolutionsofmboro.com
ocbrazilbusinessclub.com
advisor76.xyz
xitaotech.com
mgsdtytifgf3414.xyz
johnson-brown.net
cr3drt.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 5 IoCs
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious behavior: MapViewOfSection 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe"C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmmon32.exe"C:\Windows\SysWOW64\cmmon32.exe"2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"3⤵
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
C:\Program Files (x86)\Nkptdv418\audiodgsdf0d.exe"C:\Program Files (x86)\Nkptdv418\audiodgsdf0d.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Nkptdv418\audiodgsdf0d.exeFilesize
2.6MB
MD55c860d77dcf4f07790ecb1b78535d7ab
SHA19338fcda335809cdae3706d2e19a505ff12f86e2
SHA2562fb352b83a8ff1303dd02800a6d2e27d5bc8316d241040dc71168318b2f6d69a
SHA5120cc81a1e6c3b5f5f3fa30dd8a102eb6106b01d3dc8cb4f4225cf1c9de72e5022a6c32e318e02e81f231e53cc008f5f066cf0eeb0ef8e6e1242de990a129d1a1c
-
C:\Program Files (x86)\Nkptdv418\audiodgsdf0d.exeFilesize
2.6MB
MD55c860d77dcf4f07790ecb1b78535d7ab
SHA19338fcda335809cdae3706d2e19a505ff12f86e2
SHA2562fb352b83a8ff1303dd02800a6d2e27d5bc8316d241040dc71168318b2f6d69a
SHA5120cc81a1e6c3b5f5f3fa30dd8a102eb6106b01d3dc8cb4f4225cf1c9de72e5022a6c32e318e02e81f231e53cc008f5f066cf0eeb0ef8e6e1242de990a129d1a1c
-
memory/580-83-0x0000000000000000-mapping.dmp
-
memory/1320-79-0x00000000070B0000-0x00000000071DC000-memory.dmpFilesize
1.2MB
-
memory/1320-82-0x00000000070B0000-0x00000000071DC000-memory.dmpFilesize
1.2MB
-
memory/1320-73-0x0000000006490000-0x00000000065C6000-memory.dmpFilesize
1.2MB
-
memory/1524-66-0x00000000001B0000-0x00000000001C1000-memory.dmpFilesize
68KB
-
memory/1524-69-0x00000000024A0000-0x00000000027A3000-memory.dmpFilesize
3.0MB
-
memory/1524-56-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/1524-57-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/1524-61-0x000000000041F270-mapping.dmp
-
memory/1524-60-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/1524-68-0x0000000000400000-0x000000000042B000-memory.dmpFilesize
172KB
-
memory/1936-62-0x000007FEF3F00000-0x000007FEF5488000-memory.dmpFilesize
21.5MB
-
memory/1936-54-0x0000000000DB0000-0x0000000000E7C000-memory.dmpFilesize
816KB
-
memory/1936-71-0x000007FEF2180000-0x000007FEF30CD000-memory.dmpFilesize
15.3MB
-
memory/1936-72-0x000007FEEE5B0000-0x000007FEEF000000-memory.dmpFilesize
10.3MB
-
memory/1936-59-0x000007FEF3F00000-0x000007FEF5488000-memory.dmpFilesize
21.5MB
-
memory/1936-65-0x000007FEF32C0000-0x000007FEF3EFF000-memory.dmpFilesize
12.2MB
-
memory/1936-64-0x000007FEF30D0000-0x000007FEF32B8000-memory.dmpFilesize
1.9MB
-
memory/1936-55-0x0000000000460000-0x0000000000496000-memory.dmpFilesize
216KB
-
memory/1936-80-0x000007FEEE5B0000-0x000007FEEF000000-memory.dmpFilesize
10.3MB
-
memory/1968-70-0x0000000000000000-mapping.dmp
-
memory/2028-78-0x0000000001D50000-0x0000000001DE0000-memory.dmpFilesize
576KB
-
memory/2028-77-0x00000000757C1000-0x00000000757C3000-memory.dmpFilesize
8KB
-
memory/2028-81-0x0000000000090000-0x00000000000BB000-memory.dmpFilesize
172KB
-
memory/2028-76-0x0000000001E90000-0x0000000002193000-memory.dmpFilesize
3.0MB
-
memory/2028-75-0x0000000000090000-0x00000000000BB000-memory.dmpFilesize
172KB
-
memory/2028-74-0x0000000000060000-0x000000000006D000-memory.dmpFilesize
52KB
-
memory/2028-67-0x0000000000000000-mapping.dmp