Analysis Overview
SHA256
9b7a45f3ebfcd982ebb3611691539a2dc36d723f8e120f0d265512b6073bde61
Threat Level: Known bad
The file 7090e8e96194c00e896c6045572bbed8 was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader
Xloader Payload
Deletes itself
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-06-16 09:39
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-16 09:39
Reported
2022-06-16 09:42
Platform
win7-20220414-en
Max time kernel
150s
Max time network
163s
Signatures
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1368 set thread context of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe | C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe |
| PID 1524 set thread context of 1308 | N/A | C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe | C:\Windows\Explorer.EXE |
| PID 112 set thread context of 1308 | N/A | C:\Windows\SysWOW64\wlanext.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wlanext.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wlanext.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wlanext.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe | "C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe" |
| C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe | "C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe" |
| C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe | "C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe" |
| C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe | "C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe" |
| C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe | "C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe" |
| C:\Windows\SysWOW64\wlanext.exe | "C:\Windows\SysWOW64\wlanext.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.izopop.com | udp |
| CA | 23.227.38.74:80 | www.izopop.com | tcp |
| US | 8.8.8.8:53 | www.reiswaarvoor.com | udp |
| US | 8.8.8.8:53 | www.agencesarahm.com | udp |
| NL | 142.250.179.147:80 | www.agencesarahm.com | tcp |
| US | 8.8.8.8:53 | www.woodshiremhc.com | udp |
| US | 74.115.45.120:80 | www.woodshiremhc.com | tcp |
| US | 8.8.8.8:53 | www.phoenixautonomousdrills.com | udp |
| US | 34.102.136.180:80 | www.phoenixautonomousdrills.com | tcp |
| US | 8.8.8.8:53 | www.foxfyr.com | udp |
| US | 23.81.144.134:80 | www.foxfyr.com | tcp |
| US | 8.8.8.8:53 | www.renkliavm.com | udp |
| TR | 94.199.206.56:80 | www.renkliavm.com | tcp |
| US | 8.8.8.8:53 | www.shannonmeissner.com | udp |
Files
memory/1368-54-0x0000000000210000-0x0000000000282000-memory.dmp
memory/1368-55-0x0000000076171000-0x0000000076173000-memory.dmp
memory/1368-56-0x0000000001CF0000-0x0000000001CFA000-memory.dmp
memory/1368-57-0x0000000005120000-0x0000000005186000-memory.dmp
memory/1368-58-0x0000000004670000-0x00000000046A0000-memory.dmp
memory/1524-59-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1524-60-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1524-62-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1524-63-0x000000000041D430-mapping.dmp
memory/1524-65-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1524-66-0x0000000000AE0000-0x0000000000DE3000-memory.dmp
memory/1308-68-0x0000000007390000-0x00000000074FD000-memory.dmp
memory/1524-67-0x0000000000180000-0x0000000000191000-memory.dmp
memory/112-69-0x0000000000000000-mapping.dmp
memory/592-70-0x0000000000000000-mapping.dmp
memory/112-71-0x0000000000360000-0x0000000000376000-memory.dmp
memory/112-72-0x0000000000080000-0x00000000000A9000-memory.dmp
memory/112-73-0x0000000002160000-0x0000000002463000-memory.dmp
memory/112-74-0x00000000003C0000-0x0000000000450000-memory.dmp
memory/1308-75-0x0000000007500000-0x0000000007632000-memory.dmp
memory/112-76-0x0000000000080000-0x00000000000A9000-memory.dmp
memory/1308-77-0x0000000007500000-0x0000000007632000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-16 09:39
Reported
2022-06-16 09:42
Platform
win10v2004-20220414-en
Max time kernel
160s
Max time network
170s
Signatures
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5032 set thread context of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe | C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe |
| PID 5000 set thread context of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe | C:\Windows\Explorer.EXE |
| PID 3968 set thread context of 1092 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Explorer.EXE |
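The three "set thread context" rows in each run describe the same sequence: the dropper sets the thread context of a second copy of itself, that copy sets the context of Explorer.EXE, and then a 32-bit OS binary under SysWOW64 (wlanext.exe on Windows 7, cmd.exe on Windows 10) sets the context of Explorer.EXE again, after which a separate cmd.exe deletes the original sample. The script below is an added example, not sandbox code: it parses the rows exactly as they appear in both tables, labels each edge, finds the process that is only ever a target (the one left holding the payload after cleanup), and matches the `/c del "<sample>"` command line. It uses only what the tables show; the report does not record which process launched wlanext.exe or cmd.exe, so no parent relationship is assumed.

```python
"""Rebuild the injection chain from the sandbox 'set thread context' rows
and flag the cmd.exe self-delete. Added example; not sandbox code."""
import re

# Sample path exactly as it appears in the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\Request for kitchen equipment list+pictures needed for quotes pdf.exe")
EXPLORER = r"C:\Windows\Explorer.EXE"

# (description, process, target) copied from the two signature tables.
ROWS = {
    "behavioral1": [
        ("PID 1368 set thread context of 1524", SAMPLE, SAMPLE),
        ("PID 1524 set thread context of 1308", SAMPLE, EXPLORER),
        ("PID 112 set thread context of 1308", r"C:\Windows\SysWOW64\wlanext.exe", EXPLORER),
    ],
    "behavioral2": [
        ("PID 5032 set thread context of 5000", SAMPLE, SAMPLE),
        ("PID 5000 set thread context of 1092", SAMPLE, EXPLORER),
        ("PID 3968 set thread context of 1092", r"C:\Windows\SysWOW64\cmd.exe", EXPLORER),
    ],
}

DESC_RE = re.compile(r"PID (\d+) set thread context of (\d+)")


def parse_edges(rows):
    """(src_pid, src_image, dst_pid, dst_image) for every row whose
    description uses the sandbox wording; other rows are skipped."""
    edges = []
    for desc, src_img, dst_img in rows:
        m = DESC_RE.fullmatch(desc)
        if m:
            edges.append((int(m[1]), src_img, int(m[2]), dst_img))
    return edges


def label(edge):
    """Classify one SetThreadContext edge:
    self-hollow     same image on both sides (stage 1 unpacks into a
                    fresh copy of itself)
    lolbin-inject   the source is an OS binary under C:/Windows/; neither
                    wlanext.exe nor cmd.exe does this in normal use
    explorer-inject the target is Explorer.EXE
    """
    _, src_img, _, dst_img = edge
    src, dst = src_img.lower(), dst_img.lower()
    if src == dst:
        return "self-hollow"
    if src.startswith("c:\\windows\\"):
        return "lolbin-inject"
    if dst == EXPLORER.lower():
        return "explorer-inject"
    return "other"


def chain(rows):
    """Ordered edge labels plus the PIDs that are only ever targets, i.e.
    the process that keeps the payload once the dropper is gone."""
    edges = parse_edges(rows)
    labels = [label(e) for e in edges]
    final_hosts = {e[2] for e in edges} - {e[0] for e in edges}
    return labels, sorted(final_hosts)


# Self-delete: cmd.exe launched as   /c del "<sample path>"
DEL_RE = re.compile(r'\bdel\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def is_self_delete(cmdline, sample_path=SAMPLE):
    """True when the del target is the sample itself, not some other file."""
    m = DEL_RE.search(cmdline.strip())
    return bool(m) and m.group(1).strip().lower() == sample_path.lower()


if __name__ == "__main__":
    for run, rows in ROWS.items():
        labels, hosts = chain(rows)
        print(run, " -> ".join(labels), "| final host PID(s):", hosts)
    print("self-delete:", is_self_delete(f'/c del "{SAMPLE}"'))
```

Both runs come out as self-hollow -> explorer-inject -> lolbin-inject with Explorer.EXE (PID 1308 / 1092) as the only process that is never a source, which is where a memory acquisition should start if the sample is found on a real host.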
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe"
C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe"
C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Request for kitchen equipment list+pictures needed for quotes pdf.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 104.109.143.9:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 13.89.179.8:443 | | tcp |
| US | 8.238.111.254:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | www.woodshiremhc.com | udp |
| US | 74.115.45.120:80 | www.woodshiremhc.com | tcp |
| US | 8.8.8.8:53 | www.zsdazyy.com | udp |
| HK | 156.232.154.162:80 | www.zsdazyy.com | tcp |
| US | 8.8.8.8:53 | www.oqpqqa.space | udp |
| US | 8.8.8.8:53 | www.good-peruseytoperusetoday.info | udp |
| US | 52.200.164.252:80 | www.good-peruseytoperusetoday.info | tcp |
| US | 8.8.8.8:53 | www.whatcrawfish.com | udp |
| US | 199.59.243.220:80 | www.whatcrawfish.com | tcp |
| US | 8.8.8.8:53 | www.plushora.com | udp |
| CA | 23.227.38.74:80 | www.plushora.com | tcp |
| US | 8.8.8.8:53 | www.darkperseus.net | udp |
| US | 198.54.117.215:80 | www.darkperseus.net | tcp |
| US | 8.8.8.8:53 | www.timestablespassport.com | udp |
| DE | 3.64.163.50:80 | www.timestablespassport.com | tcp |
| US | 8.8.8.8:53 | www.civilspeak.com | udp |
| US | 15.197.142.173:80 | www.civilspeak.com | tcp |
| US | 8.8.8.8:53 | www.marthalerr.com | udp |
| US | 192.0.78.24:80 | www.marthalerr.com | tcp |
| US | 8.8.8.8:53 | www.phoenixautonomousdrills.com | udp |
| US | 34.102.136.180:80 | www.phoenixautonomousdrills.com | tcp |
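The two Network tables list DNS lookups to 8.8.8.8 followed, for most names, by an HTTP connection on port 80; three names are looked up but never connected to, five rows in the Windows 10 run carry no domain at all, and the same IP serves two different domains across the runs. The report does not attribute any row to a process or to the Suricata "FormBook CnC Checkin" alert, so the resolved-and-connected list is a set of candidate C2/decoy domains for blocking, not a confirmed C2. The script below is an added example (not sandbox output) that merges both tables and produces those three lists from the rows as printed above.

```python
"""Split the sandbox Network rows into DNS-only lookups, connected domains
and domain-less rows, and find IPs serving more than one domain.
Added example; the rows are copied from the report's two Network tables."""
from collections import defaultdict

# (country, destination, domain or None, proto), as shown in the report.
NETWORK = {
    "behavioral1": [
        ("US", "8.8.8.8:53", "www.izopop.com", "udp"),
        ("CA", "23.227.38.74:80", "www.izopop.com", "tcp"),
        ("US", "8.8.8.8:53", "www.reiswaarvoor.com", "udp"),
        ("US", "8.8.8.8:53", "www.agencesarahm.com", "udp"),
        ("NL", "142.250.179.147:80", "www.agencesarahm.com", "tcp"),
        ("US", "8.8.8.8:53", "www.woodshiremhc.com", "udp"),
        ("US", "74.115.45.120:80", "www.woodshiremhc.com", "tcp"),
        ("US", "8.8.8.8:53", "www.phoenixautonomousdrills.com", "udp"),
        ("US", "34.102.136.180:80", "www.phoenixautonomousdrills.com", "tcp"),
        ("US", "8.8.8.8:53", "www.foxfyr.com", "udp"),
        ("US", "23.81.144.134:80", "www.foxfyr.com", "tcp"),
        ("US", "8.8.8.8:53", "www.renkliavm.com", "udp"),
        ("TR", "94.199.206.56:80", "www.renkliavm.com", "tcp"),
        ("US", "8.8.8.8:53", "www.shannonmeissner.com", "udp"),
    ],
    "behavioral2": [
        ("NL", "104.109.143.9:80", None, "tcp"),
        ("US", "93.184.220.29:80", None, "tcp"),
        ("US", "13.89.179.8:443", None, "tcp"),
        ("US", "8.238.111.254:80", None, "tcp"),
        ("US", "93.184.220.29:80", None, "tcp"),
        ("US", "8.8.8.8:53", "www.woodshiremhc.com", "udp"),
        ("US", "74.115.45.120:80", "www.woodshiremhc.com", "tcp"),
        ("US", "8.8.8.8:53", "www.zsdazyy.com", "udp"),
        ("HK", "156.232.154.162:80", "www.zsdazyy.com", "tcp"),
        ("US", "8.8.8.8:53", "www.oqpqqa.space", "udp"),
        ("US", "8.8.8.8:53", "www.good-peruseytoperusetoday.info", "udp"),
        ("US", "52.200.164.252:80", "www.good-peruseytoperusetoday.info", "tcp"),
        ("US", "8.8.8.8:53", "www.whatcrawfish.com", "udp"),
        ("US", "199.59.243.220:80", "www.whatcrawfish.com", "tcp"),
        ("US", "8.8.8.8:53", "www.plushora.com", "udp"),
        ("CA", "23.227.38.74:80", "www.plushora.com", "tcp"),
        ("US", "8.8.8.8:53", "www.darkperseus.net", "udp"),
        ("US", "198.54.117.215:80", "www.darkperseus.net", "tcp"),
        ("US", "8.8.8.8:53", "www.timestablespassport.com", "udp"),
        ("DE", "3.64.163.50:80", "www.timestablespassport.com", "tcp"),
        ("US", "8.8.8.8:53", "www.civilspeak.com", "udp"),
        ("US", "15.197.142.173:80", "www.civilspeak.com", "tcp"),
        ("US", "8.8.8.8:53", "www.marthalerr.com", "udp"),
        ("US", "192.0.78.24:80", "www.marthalerr.com", "tcp"),
        ("US", "8.8.8.8:53", "www.phoenixautonomousdrills.com", "udp"),
        ("US", "34.102.136.180:80", "www.phoenixautonomousdrills.com", "tcp"),
    ],
}


def summarize(rows):
    """Per-domain: was it looked up, and which (ip, port) did it connect to.
    Rows with no domain are returned separately as (ip, port, proto)."""
    dom = defaultdict(lambda: {"dns": False, "tcp": set()})
    nodomain = []
    for _country, dest, domain, proto in rows:
        host, port = dest.rsplit(":", 1)
        if domain is None:
            nodomain.append((host, int(port), proto))
        elif proto == "udp" and port == "53":
            dom[domain]["dns"] = True
        elif proto == "tcp":
            dom[domain]["tcp"].add((host, int(port)))
    return dict(dom), nodomain


def merged(runs):
    """Union over all detonations: the two runs hit largely different
    domain sets, so only the union is a useful block list."""
    dom, nodomain = {}, []
    for rows in runs.values():
        d, n = summarize(rows)
        for name, rec in d.items():
            cur = dom.setdefault(name, {"dns": False, "tcp": set()})
            cur["dns"] |= rec["dns"]
            cur["tcp"] |= rec["tcp"]
        nodomain += n
    return dom, nodomain


def dns_only(dom):
    """Looked up but never connected: unresolved, or cut off by the run's
    time limit. Not evidence that the name is inert."""
    return sorted(d for d, r in dom.items() if r["dns"] and not r["tcp"])


def connected(dom):
    return sorted(d for d, r in dom.items() if r["tcp"])


def shared_ips(dom):
    """ip -> domains served from it; blocking these by IP is overbroad."""
    ips = defaultdict(set)
    for d, r in dom.items():
        for host, _port in r["tcp"]:
            ips[host].add(d)
    return {ip: sorted(ds) for ip, ds in ips.items() if len(ds) > 1}


if __name__ == "__main__":
    dom, nodomain = merged(NETWORK)
    print("connected:", connected(dom))
    print("dns only:", dns_only(dom))
    print("shared ips:", shared_ips(dom))
    print("no domain:", nodomain)
```

On these tables the merge gives 14 connected domains, 3 DNS-only names (www.oqpqqa.space, www.reiswaarvoor.com, www.shannonmeissner.com) and one shared address, 23.227.38.74, serving both www.izopop.com and www.plushora.com; the five domain-less rows exist only in the Windows 10 run and cannot be tied to the sample from what the report shows.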
Files
memory/5032-130-0x0000000000EA0000-0x0000000000F12000-memory.dmp
memory/5032-131-0x0000000005EC0000-0x0000000006464000-memory.dmp
memory/5032-132-0x0000000005910000-0x00000000059A2000-memory.dmp
memory/5032-133-0x00000000058B0000-0x00000000058BA000-memory.dmp
memory/5032-134-0x0000000009640000-0x00000000096DC000-memory.dmp
memory/3708-135-0x0000000000000000-mapping.dmp
memory/5000-136-0x0000000000000000-mapping.dmp
memory/5000-137-0x0000000000400000-0x0000000000429000-memory.dmp
memory/5000-139-0x0000000001560000-0x00000000018AA000-memory.dmp
memory/5000-140-0x0000000001370000-0x0000000001381000-memory.dmp
memory/1092-141-0x00000000082C0000-0x00000000083C7000-memory.dmp
memory/5000-143-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3968-142-0x0000000000000000-mapping.dmp
memory/3968-144-0x0000000000CA0000-0x0000000000CFA000-memory.dmp
memory/3968-145-0x0000000001170000-0x00000000014BA000-memory.dmp
memory/3968-147-0x0000000000780000-0x00000000007A9000-memory.dmp
memory/1076-146-0x0000000000000000-mapping.dmp
memory/3968-148-0x0000000000F10000-0x0000000000FA0000-memory.dmp
memory/1092-149-0x00000000083D0000-0x00000000084E7000-memory.dmp
memory/3968-150-0x0000000000780000-0x00000000007A9000-memory.dmp
memory/1092-151-0x00000000083D0000-0x00000000084E7000-memory.dmp
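The dump names above encode the PID, a sequence number, and the address range that was dumped (entries ending in `-mapping.dmp` carry a single address or zero rather than a range). Comparing region sizes across processes is a quick way to see where the same payload was written: the script below is an added example, not sandbox code, and the name layout `memory/<pid>-<seq>-<start>[-<end>]-<kind>.dmp` is inferred from the entries on this page rather than taken from any sandbox documentation. It parses both runs' lists and reports sizes that recur in more than one PID, plus any region starting at 0x400000, the classic 32-bit image base.

```python
"""Parse sandbox memory dump names into regions and find region sizes that
recur across PIDs within a run. Added example; the name layout is inferred
from this report, not from sandbox documentation."""
import re
from collections import defaultdict

# Dump names copied from the two Files sections of the report.
DUMPS = {
    "behavioral1": """
memory/1368-54-0x0000000000210000-0x0000000000282000-memory.dmp
memory/1368-55-0x0000000076171000-0x0000000076173000-memory.dmp
memory/1368-56-0x0000000001CF0000-0x0000000001CFA000-memory.dmp
memory/1368-57-0x0000000005120000-0x0000000005186000-memory.dmp
memory/1368-58-0x0000000004670000-0x00000000046A0000-memory.dmp
memory/1524-59-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1524-60-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1524-62-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1524-63-0x000000000041D430-mapping.dmp
memory/1524-65-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1524-66-0x0000000000AE0000-0x0000000000DE3000-memory.dmp
memory/1308-68-0x0000000007390000-0x00000000074FD000-memory.dmp
memory/1524-67-0x0000000000180000-0x0000000000191000-memory.dmp
memory/112-69-0x0000000000000000-mapping.dmp
memory/592-70-0x0000000000000000-mapping.dmp
memory/112-71-0x0000000000360000-0x0000000000376000-memory.dmp
memory/112-72-0x0000000000080000-0x00000000000A9000-memory.dmp
memory/112-73-0x0000000002160000-0x0000000002463000-memory.dmp
memory/112-74-0x00000000003C0000-0x0000000000450000-memory.dmp
memory/1308-75-0x0000000007500000-0x0000000007632000-memory.dmp
memory/112-76-0x0000000000080000-0x00000000000A9000-memory.dmp
memory/1308-77-0x0000000007500000-0x0000000007632000-memory.dmp
""".split(),
    "behavioral2": """
memory/5032-130-0x0000000000EA0000-0x0000000000F12000-memory.dmp
memory/5032-131-0x0000000005EC0000-0x0000000006464000-memory.dmp
memory/5032-132-0x0000000005910000-0x00000000059A2000-memory.dmp
memory/5032-133-0x00000000058B0000-0x00000000058BA000-memory.dmp
memory/5032-134-0x0000000009640000-0x00000000096DC000-memory.dmp
memory/3708-135-0x0000000000000000-mapping.dmp
memory/5000-136-0x0000000000000000-mapping.dmp
memory/5000-137-0x0000000000400000-0x0000000000429000-memory.dmp
memory/5000-139-0x0000000001560000-0x00000000018AA000-memory.dmp
memory/5000-140-0x0000000001370000-0x0000000001381000-memory.dmp
memory/1092-141-0x00000000082C0000-0x00000000083C7000-memory.dmp
memory/5000-143-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3968-142-0x0000000000000000-mapping.dmp
memory/3968-144-0x0000000000CA0000-0x0000000000CFA000-memory.dmp
memory/3968-145-0x0000000001170000-0x00000000014BA000-memory.dmp
memory/3968-147-0x0000000000780000-0x00000000007A9000-memory.dmp
memory/1076-146-0x0000000000000000-mapping.dmp
memory/3968-148-0x0000000000F10000-0x0000000000FA0000-memory.dmp
memory/1092-149-0x00000000083D0000-0x00000000084E7000-memory.dmp
memory/3968-150-0x0000000000780000-0x00000000007A9000-memory.dmp
memory/1092-151-0x00000000083D0000-0x00000000084E7000-memory.dmp
""".split(),
}

NAME_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-(?P<start>0x[0-9A-Fa-f]+)"
    r"(?:-(?P<end>0x[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp")


def parse(name):
    """One dump name -> dict; 'mapping' entries have no end and size 0."""
    m = NAME_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"],
            "start": start, "end": end, "size": (end - start) if end else 0}


def shared_sizes(names):
    """size -> sorted PIDs, for region sizes seen in more than one PID."""
    by_size = defaultdict(set)
    for r in map(parse, names):
        if r["kind"] == "memory":
            by_size[r["size"]].add(r["pid"])
    return {s: sorted(p) for s, p in by_size.items() if len(p) > 1}


def image_base_regions(names):
    """(pid, size) of regions starting at 0x400000, the classic image base."""
    return sorted({(r["pid"], r["size"]) for r in map(parse, names)
                   if r["kind"] == "memory" and r["start"] == 0x400000})


if __name__ == "__main__":
    for run, names in DUMPS.items():
        print(run, {hex(s): p for s, p in shared_sizes(names).items()},
              [(p, hex(s)) for p, s in image_base_regions(names)])
```

On this page the recurring sizes line up with the injection rows: in the Windows 7 run the 0x29000 and 0x303000 byte regions appear in both the hollowed child (1524) and wlanext.exe (112), and in the Windows 10 run 0x29000 and 0x34A000 appear in both 5000 and cmd.exe (3968), while the 0x29000 region at 0x400000 is dumped only from the hollowed child. Which of those regions holds the decoded Xloader payload is not stated on the page; the size match is a lead for where to carve, not a verdict.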