Analysis

max time kernel: 160s
max time network: 170s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 16/06/2022, 09:39

Static task: static1
Behavioral task: behavioral1
Sample: Request for kitchen equipment list+pictures needed for quotes pdf.exe
Resource: win7-20220414-en

General

Target: Request for kitchen equipment list+pictures needed for quotes pdf.exe
Size: 433KB
MD5: c89e757197ebe39642988a32e0f308bb
SHA1: 9cdc9b1c3f8f4bc6e0eb123d7a7de29d438ceacd
SHA256: 3eee8bc217de9efded29ff02d6c7bab0061283826281be1296d2e3d99b3e279f
SHA512: af36f642762eac1fd5def973c8fca2490171063199182479504f71a7775a3bd3dbed128d2a869b0675ac7737a0446761538e538cecb678904e4322ba8f1df34f
Malware Config
Extracted
xloader
2.5
no9u
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload (4 IoCs)
resource | yara_rule
behavioral2/memory/5000-137-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/5000-143-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/3968-147-0x0000000000780000-0x00000000007A9000-memory.dmp | xloader
behavioral2/memory/3968-150-0x0000000000780000-0x00000000007A9000-memory.dmp | xloader

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 5032 set thread context of 5000 | 5032 | Request for kitchen equipment list+pictures needed for quotes pdf.exe | 92
PID 5000 set thread context of 1092 | 5000 | Request for kitchen equipment list+pictures needed for quotes pdf.exe | 29
PID 3968 set thread context of 1092 | 3968 | cmd.exe | 29

Suspicious behavior: EnumeratesProcesses (43 IoCs)
pid | Process
5032 | Request for kitchen equipment list+pictures needed for quotes pdf.exe (9 entries)
5000 | Request for kitchen equipment list+pictures needed for quotes pdf.exe (4 entries)
3968 | cmd.exe (30 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
1092 | Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
pid | Process
5000 | Request for kitchen equipment list+pictures needed for quotes pdf.exe (3 entries)
3968 | cmd.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 5032 | Request for kitchen equipment list+pictures needed for quotes pdf.exe
Token: SeDebugPrivilege | 5000 | Request for kitchen equipment list+pictures needed for quotes pdf.exe
Token: SeDebugPrivilege | 3968 | cmd.exe

Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 5032 wrote to memory of 3708 | 5032 | Request for kitchen equipment list+pictures needed for quotes pdf.exe | 91 (3 entries)
PID 5032 wrote to memory of 5000 | 5032 | Request for kitchen equipment list+pictures needed for quotes pdf.exe | 92 (6 entries)
PID 1092 wrote to memory of 3968 | 1092 | Explorer.EXE | 93 (3 entries)
PID 3968 wrote to memory of 1076 | 3968 | cmd.exe | 94 (3 entries)
Processes

C:\Windows\Explorer.EXE (PID 1092)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe (PID 5032)
    command line: "C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe (PID 3708)
      command line: "C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe"

    C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe (PID 5000)
      command line: "C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (PID 3968)
    command line: "C:\Windows\SysWOW64\cmd.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 1076)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe"