Analysis Overview
SHA256: 94a0ea18b8f0b65b4caf51d3d969c27d6ab5fbae60de957aa5c52976d3c2f88a
Threat Level: Known bad
The file 298e312f74dc420e4e67667f7494e492 was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader
Xloader Payload
Deletes itself
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Analysis: static1
Detonation Overview
Reported: 2022-06-16 09:42
Signatures
N/A.
Analysis: behavioral1
Detonation Overview
Submitted: 2022-06-16 09:42
Reported: 2022-06-16 09:47
Platform: win7-20220414-en
Max time kernel: 146s
Max time network: 151s
Signatures
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JHALG0OHNF = "C:\\Program Files (x86)\\A-zxhbbm\\mfcvbfluf.exe" | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1948 set thread context of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | C:\Users\Admin\AppData\Local\Temp\PI.exe |
| PID 1068 set thread context of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | C:\Windows\Explorer.EXE |
| PID 320 set thread context of 1368 | N/A | C:\Windows\SysWOW64\chkdsk.exe | C:\Windows\Explorer.EXE |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\A-zxhbbm\mfcvbfluf.exe | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\PI.exe | "C:\Users\Admin\AppData\Local\Temp\PI.exe" |
| C:\Users\Admin\AppData\Local\Temp\PI.exe | "C:\Users\Admin\AppData\Local\Temp\PI.exe" |
| C:\Windows\SysWOW64\chkdsk.exe | "C:\Windows\SysWOW64\chkdsk.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\Admin\AppData\Local\Temp\PI.exe" |
| C:\Program Files\Mozilla Firefox\Firefox.exe | "C:\Program Files\Mozilla Firefox\Firefox.exe" |
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2022-06-16 09:42
Reported: 2022-06-16 09:47
Platform: win10v2004-20220414-en
Max time kernel: 152s
Max time network: 156s
Signatures
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4664 set thread context of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | C:\Users\Admin\AppData\Local\Temp\PI.exe |
| PID 2572 set thread context of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | C:\Windows\Explorer.EXE |
| PID 2572 set thread context of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | C:\Windows\Explorer.EXE |
| PID 5068 set thread context of 2528 | N/A | C:\Windows\SysWOW64\wlanext.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wlanext.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wlanext.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wlanext.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\PI.exe | "C:\Users\Admin\AppData\Local\Temp\PI.exe" |
| C:\Users\Admin\AppData\Local\Temp\PI.exe | "C:\Users\Admin\AppData\Local\Temp\PI.exe" |
| C:\Users\Admin\AppData\Local\Temp\PI.exe | "C:\Users\Admin\AppData\Local\Temp\PI.exe" |
| C:\Windows\SysWOW64\chkdsk.exe | "C:\Windows\SysWOW64\chkdsk.exe" |
| C:\Windows\SysWOW64\wlanext.exe | "C:\Windows\SysWOW64\wlanext.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\Admin\AppData\Local\Temp\PI.exe" |
Network
Files