Analysis
max time kernel: 186s
max time network: 191s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 03-06-2022 02:19
Static task: static1
Behavioral task: behavioral1
Sample: 917479278d18fb239bb661f3960a821f.exe
Resource: win7-20220414-en
General
Target: 917479278d18fb239bb661f3960a821f.exe
Size: 265KB
MD5: 917479278d18fb239bb661f3960a821f
SHA1: b85df90355ffd75a29855e4488e306433ee8e035
SHA256: 3bc7cbfbffcb2fe26936caceab37794a4c9b750d2afe9733d2885860d50727f1
SHA512: c8eb6d79f58fb060d5c019bd73014297ae4fcb6cc3350a74f2bbc96e98d5cd049f3874b4c5d83950b02f9cb116caeaccb8499fc3c8c50a2f761803def2a24535
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign ID: uar3
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload (4 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/4212-136-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
  behavioral2/memory/4212-143-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
  behavioral2/memory/4236-145-0x00000000003A0000-0x00000000003C9000-memory.dmp   xloader
  behavioral2/memory/4236-150-0x00000000003A0000-0x00000000003C9000-memory.dmp   xloader
Executes dropped EXE (2 IoCs)
  pid    process
  4868   rpaise.exe
  4212   rpaise.exe
Suspicious use of SetThreadContext (3 IoCs)
  description                            pid    process        target process
  PID 4868 set thread context of 4212    4868   rpaise.exe     rpaise.exe
  PID 4212 set thread context of 892     4212   rpaise.exe     Explorer.EXE
  PID 4236 set thread context of 892     4236   colorcpl.exe   Explorer.EXE
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (56 IoCs)
  pid    process
  4212   rpaise.exe     (4 entries)
  4236   colorcpl.exe   (all remaining entries; 56 in total per the signature header)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid    process
  892    Explorer.EXE
Suspicious behavior: MapViewOfSection (5 IoCs)
  pid    process
  4212   rpaise.exe     (3 entries)
  4236   colorcpl.exe   (2 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                pid    process
  Token: SeDebugPrivilege    4212   rpaise.exe
  Token: SeDebugPrivilege    4236   colorcpl.exe
Suspicious use of WriteProcessMemory (15 IoCs)
  description                         pid    process                                 target process
  PID 3408 wrote to memory of 4868    3408   917479278d18fb239bb661f3960a821f.exe    rpaise.exe     (3 entries)
  PID 4868 wrote to memory of 4212    4868   rpaise.exe                              rpaise.exe     (6 entries)
  PID 892 wrote to memory of 4236     892    Explorer.EXE                            colorcpl.exe   (3 entries)
  PID 4236 wrote to memory of 2172    4236   colorcpl.exe                            cmd.exe        (3 entries)
Processes
  917479278d18fb239bb661f3960a821f.exe  (level 1)
    path: C:\Users\Admin\AppData\Local\Temp\917479278d18fb239bb661f3960a821f.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\917479278d18fb239bb661f3960a821f.exe"
    - Suspicious use of WriteProcessMemory
    rpaise.exe  (level 2)
      path: C:\Users\Admin\AppData\Local\Temp\rpaise.exe
      command line: C:\Users\Admin\AppData\Local\Temp\rpaise.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      rpaise.exe  (level 3)
        path: C:\Users\Admin\AppData\Local\Temp\rpaise.exe
        command line: C:\Users\Admin\AppData\Local\Temp\rpaise.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  Explorer.EXE  (level 1)
    path: C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    colorcpl.exe  (level 2)
      path: C:\Windows\SysWOW64\colorcpl.exe
      command line: "C:\Windows\SysWOW64\colorcpl.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      cmd.exe  (level 3)
        path: C:\Windows\SysWOW64\cmd.exe
        command line: /c del "C:\Users\Admin\AppData\Local\Temp\rpaise.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Users\Admin\AppData\Local\Temp\hu8td9yzk1kjm3cl7lp7
    Filesize: 213KB
    MD5: a7ad4dcb67d4f5facf795967950ddec7
    SHA1: d72735bb705b7354ed79a95ecb1baaa77924fa93
    SHA256: 7c15718892bb00067d3cb79c931d2c08f046df203a4aa03a7c3cdda4677ed5e8
    SHA512: 046af78b65b3e7664765c0924ac79e8f03182e9c35c57b8983d084ce190b1ab34d00ed3727e9bed315b3c2ada3024140e00dac62387f77daf8cbb59d88af64bb
  C:\Users\Admin\AppData\Local\Temp\rnwtjeb
    Filesize: 4KB
    MD5: 8495553dafb39c9feaa5470bf449e73c
    SHA1: 53841c44343d2bc66a96eb9236854551a568ed40
    SHA256: 92429ea9fc92c180bed86632e42354d4f10985bee092fac672898ec71b5eef00
    SHA512: b4c1ce526bf63662fa6105292273062cee495c2a13874f712c666ce8114160ee96c2c2ce84aebebfc8d8fda1412201e2e617fdbf240a918d94c2b9140f1cafcb
  C:\Users\Admin\AppData\Local\Temp\rpaise.exe
    Filesize: 55KB
    MD5: 9c5faf3fe0cc6103f62962aac4ad642d
    SHA1: a44ccc223163e125c527daab5ed3688303b2eb2e
    SHA256: b6e3cae967e17270bf9eaaa7f5f74824a0130329bc6fed950dfe0973dd3df192
    SHA512: dc8f6e30aedc0608dc522b6e720850b408615e498c562261c9b9a888ee22c644d757258215722a6a3beadb4653940b4ff134930bf2a7349ada937b9b042d9f12
  memory/892-141-0x0000000007CD0000-0x0000000007E36000-memory.dmp    Filesize: 1.4MB
  memory/892-151-0x0000000007E40000-0x0000000007F4B000-memory.dmp    Filesize: 1.0MB
  memory/892-149-0x0000000007E40000-0x0000000007F4B000-memory.dmp    Filesize: 1.0MB
  memory/2172-147-0x0000000000000000-mapping.dmp
  memory/4212-135-0x0000000000000000-mapping.dmp
  memory/4212-140-0x00000000006D0000-0x00000000006E1000-memory.dmp   Filesize: 68KB
  memory/4212-143-0x0000000000400000-0x0000000000429000-memory.dmp   Filesize: 164KB
  memory/4212-139-0x0000000000BB0000-0x0000000000EFA000-memory.dmp   Filesize: 3.3MB
  memory/4212-136-0x0000000000400000-0x0000000000429000-memory.dmp   Filesize: 164KB
  memory/4236-142-0x0000000000000000-mapping.dmp
  memory/4236-144-0x0000000000530000-0x0000000000549000-memory.dmp   Filesize: 100KB
  memory/4236-145-0x00000000003A0000-0x00000000003C9000-memory.dmp   Filesize: 164KB
  memory/4236-146-0x00000000024B0000-0x00000000027FA000-memory.dmp   Filesize: 3.3MB
  memory/4236-148-0x00000000022D0000-0x0000000002360000-memory.dmp   Filesize: 576KB
  memory/4236-150-0x00000000003A0000-0x00000000003C9000-memory.dmp   Filesize: 164KB
  memory/4868-130-0x0000000000000000-mapping.dmp