Analysis

max time kernel: 150s
max time network: 163s
platform: windows7_x64
resource: win7-20220414-en
submitted: 16/06/2022, 09:39

Static task: static1
Behavioral task: behavioral1
  Sample: Request for kitchen equipment list+pictures needed for quotes pdf.exe
  Resource: win7-20220414-en
General

Target: Request for kitchen equipment list+pictures needed for quotes pdf.exe
  (a PE executable; "pdf" in the name is the lure, .exe is the real extension)
Size: 433KB
MD5: c89e757197ebe39642988a32e0f308bb
SHA1: 9cdc9b1c3f8f4bc6e0eb123d7a7de29d438ceacd
SHA256: 3eee8bc217de9efded29ff02d6c7bab0061283826281be1296d2e3d99b3e279f
SHA512: af36f642762eac1fd5def973c8fca2490171063199182479504f71a7775a3bd3dbed128d2a869b0675ac7737a0446761538e538cecb678904e4322ba8f1df34f
Malware Config

Extracted
Family: xloader
Version: 2.5
Campaign: no9u
C2 domains (65 entries as extracted; XLoader/Formbook configs carry one live C2 among decoy domains that the bot also contacts, so block the whole list but treat no single entry as confirmed live infrastructure):
chmzdl.com
marketplace-item-4857734.com
lakesidepointeatlakenorman.com
wikisneaki.com
bonuschoices.com
oppizy.com
thevictoryguru.com
tenloe094.xyz
oqpqqa.space
ddaabong.com
testersclothing.com
paybro.online
niwios.com
timestablespassport.com
darkperseus.net
thekeenbeans.com
paperlanyardindia.com
classicsatthetoybox.com
mvzmarket.com
primaconsultingllc.com
beatnikfilms.net
autslhs24a.com
magtele.net
renkliavm.com
yy7744.top
woodshiremhc.com
sj777.biz
zsdazyy.com
andreemyette.com
carsboard.pro
corluescortbayanlarim.xyz
whatcrawfish.com
highlitestaffinq.com
ujns.net
marthalerr.com
veranstaltungstechnik-raase.com
smartam5.xyz
izopop.com
plushora.com
govisitsale.com
danielteveles.com
good-peruseytoperusetoday.info
reiswaarvoor.com
dwellvida.com
phoenixautonomousdrills.com
bakednload.com
podojuice.com
fellasies.com
foxfyr.com
rickloewen.com
civilspeak.com
hauteboymarket.com
itriumphed.com
castlestown.com
agencesarahm.com
shannonmeissner.com
anaconnda.com
campjoynational.com
mahaloflow.com
jerseyfirstcommercial.com
fetarcryptoanalysis.club
tulenlegend.com
travelerstreasure.com
engaginglove.com
voxspices.com
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET) (2 alerts)
  XLoader is the current name of the FormBook family, so the FormBook network rule is the expected network hit for an XLoader sample.

Xloader Payload (5 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/1524-62-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
  behavioral1/memory/1524-63-0x000000000041D430-mapping.dmp                    xloader
  behavioral1/memory/1524-65-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
  behavioral1/memory/112-72-0x0000000000080000-0x00000000000A9000-memory.dmp   xloader
  behavioral1/memory/112-76-0x0000000000080000-0x00000000000A9000-memory.dmp   xloader

Deletes itself (1 IoC)
  pid   Process
  592   cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process                                                                 procid_target
  PID 1368 set thread context of 1524  1368  Request for kitchen equipment list+pictures needed for quotes pdf.exe  31
  PID 1524 set thread context of 1308  1524  Request for kitchen equipment list+pictures needed for quotes pdf.exe  16
  PID 112 set thread context of 1308   112   wlanext.exe                                                             16

Suspicious behavior: EnumeratesProcesses (26 IoCs)
  pid   Process                                                                 hits
  1368  Request for kitchen equipment list+pictures needed for quotes pdf.exe  8
  1524  Request for kitchen equipment list+pictures needed for quotes pdf.exe  2
  112   wlanext.exe                                                             16

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   Process                                                                 hits
  1524  Request for kitchen equipment list+pictures needed for quotes pdf.exe  3
  112   wlanext.exe                                                             2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1368  Request for kitchen equipment list+pictures needed for quotes pdf.exe
  Token: SeDebugPrivilege  1524  Request for kitchen equipment list+pictures needed for quotes pdf.exe
  Token: SeDebugPrivilege  112   wlanext.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process       hits
  1308  Explorer.EXE  2

Suspicious use of SendNotifyMessage (2 IoCs)
  pid   Process       hits
  1308  Explorer.EXE  2

Suspicious use of WriteProcessMemory (27 IoCs; the report lists one row per call, collapsed here with a hit count)
  description                       pid   Process                                                                 procid_target  hits
  PID 1368 wrote to memory of 628   1368  Request for kitchen equipment list+pictures needed for quotes pdf.exe  28             4
  PID 1368 wrote to memory of 1792  1368  Request for kitchen equipment list+pictures needed for quotes pdf.exe  29             4
  PID 1368 wrote to memory of 1536  1368  Request for kitchen equipment list+pictures needed for quotes pdf.exe  30             4
  PID 1368 wrote to memory of 1524  1368  Request for kitchen equipment list+pictures needed for quotes pdf.exe  31             7
  PID 1308 wrote to memory of 112   1308  Explorer.EXE                                                            32             4
  PID 112 wrote to memory of 592    112   wlanext.exe                                                             33             4
Processes

C:\Windows\Explorer.EXE (PID 1308)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe (PID 1368)
    command line: "C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe (PID 628)
      command line: "C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe"
      (no signatures)

    C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe (PID 1792)
      command line: "C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe"
      (no signatures)

    C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe (PID 1536)
      command line: "C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe"
      (no signatures)

    C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe (PID 1524)
      command line: "C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\wlanext.exe (PID 112)
    command line: "C:\Windows\SysWOW64\wlanext.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 592)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe"
      - Deletes itself

Read together with the signature tables, the tree is the usual XLoader/Formbook chain: the sample (1368) launches four copies of itself, three of which (628, 1792, 1536) do nothing, while the fourth (1524) is hollowed via SetThreadContext and carries the XLoader payload (the YARA hits on the 1524 memory dumps). 1524 then injects into Explorer (1308); the injected Explorer starts the legitimate Windows binary wlanext.exe (112) as the host for the final stage (YARA hits on the 112 dumps), which injects into Explorer again and removes the original file with cmd.exe /c del. Only 1524 and 112 ever hold the decoded payload, so those are the processes to dump in a live incident.
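The same chain expressed as detection logic, as an added example that is not part of this report or of the sandbox's own code: the process table and the SetThreadContext / WriteProcessMemory rows are transcribed from the tables above (one edge per parent/target pair; the report repeats each edge several times), while the Proc/Event model, the row regex and the three rule functions are this example's own assumptions. It flags the sample hollowing a copy of itself, any SetThreadContext into explorer.exe, and a cmd.exe /c del whose target is the image of a process already in the tree, then ties the three together.

```python
"""Rule logic for the XLoader injection chain, run over events transcribed
from the report (added example; the Proc/Event model is an assumption)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    image: str
    ppid: Optional[int]
    cmdline: str = ""


@dataclass
class Event:
    kind: str   # "SetThreadContext" or "WriteProcessMemory"
    src: int    # acting pid
    dst: int    # target pid


# Matches the "description" column of the report's behaviour tables.
ROW_RE = re.compile(r"PID (\d+) (?:set thread context of|wrote to memory of) (\d+)")


def parse_rows(kind: str, rows: List[str]) -> List[Event]:
    """Turn rows such as 'PID 1368 set thread context of 1524 ...' into edges."""
    events = []
    for row in rows:
        m = ROW_RE.search(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        events.append(Event(kind, int(m.group(1)), int(m.group(2))))
    return events


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\Request for kitchen equipment list+pictures needed for quotes pdf.exe")

# Process tree transcribed from the report: pid, image, parent pid, arguments.
PROCS: Dict[int, Proc] = {p.pid: p for p in [
    Proc(1308, r"C:\Windows\Explorer.EXE", None),
    Proc(1368, SAMPLE, 1308),
    Proc(628, SAMPLE, 1368),
    Proc(1792, SAMPLE, 1368),
    Proc(1536, SAMPLE, 1368),
    Proc(1524, SAMPLE, 1368),
    Proc(112, r"C:\Windows\SysWOW64\wlanext.exe", 1308),
    Proc(592, r"C:\Windows\SysWOW64\cmd.exe", 112, f'/c del "{SAMPLE}"'),
]}

EVENTS = parse_rows("SetThreadContext", [
    "PID 1368 set thread context of 1524",
    "PID 1524 set thread context of 1308",
    "PID 112 set thread context of 1308",
]) + parse_rows("WriteProcessMemory", [
    "PID 1368 wrote to memory of 628", "PID 1368 wrote to memory of 1792",
    "PID 1368 wrote to memory of 1536", "PID 1368 wrote to memory of 1524",
    "PID 1308 wrote to memory of 112", "PID 112 wrote to memory of 592",
])


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def self_hollowing(procs, events) -> List[Tuple[int, int]]:
    """Parent sets the thread context of a child running the same image."""
    return [(e.src, e.dst) for e in events
            if e.kind == "SetThreadContext" and e.dst in procs
            and procs[e.dst].ppid == e.src
            and basename(procs[e.src].image) == basename(procs[e.dst].image)]


def explorer_injection(procs, events) -> List[Tuple[int, int]]:
    """SetThreadContext into explorer.exe from any other process."""
    return [(e.src, e.dst) for e in events
            if e.kind == "SetThreadContext"
            and basename(procs[e.dst].image) == "explorer.exe"]


def ancestors(procs, pid: int) -> List[int]:
    chain, cur = [], procs[pid].ppid
    while cur is not None:
        chain.append(cur)
        cur = procs[cur].ppid
    return chain


DEL_RE = re.compile(r'/c\s+del\s+"?(.+?)"?\s*$', re.IGNORECASE)


def self_delete(procs) -> List[Tuple[int, str]]:
    """cmd.exe /c del <path> where <path> is the image of a process in the tree."""
    images = {p.image.lower() for p in procs.values()}
    hits = []
    for p in procs.values():
        if basename(p.image) != "cmd.exe":
            continue
        m = DEL_RE.search(p.cmdline)
        if m and m.group(1).lower() in images:
            hits.append((p.pid, m.group(1)))
    return hits


def formbook_chain(procs, events) -> Optional[Dict[str, object]]:
    """A process started by explorer.exe that injects back into explorer.exe
    and whose child deletes the original sample: the host of the final stage."""
    injectors = {src for src, _ in explorer_injection(procs, events)}
    for pid, path in self_delete(procs):
        host = procs[pid].ppid
        if host in injectors and basename(procs[procs[host].ppid].image) == "explorer.exe":
            return {"host": host, "deleter": pid, "sample": path,
                    "hollowed": self_hollowing(procs, events)}
    return None
```

On a real endpoint the same three rules map onto Sysmon event ID 8 (CreateRemoteThread) or an EDR's SetThreadContext telemetry, event ID 10 (ProcessAccess) and event ID 1 (process creation with command line); the self-delete rule is the cheapest of the three to run on its own, since a cmd.exe /c del aimed at the image path of a still-running process in the same tree is rare in legitimate software.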