Analysis
max time kernel: 150s
max time network: 156s
platform: windows7_x64
resource: win7-20220414-en
submitted: 16/06/2022, 09:42
Static task: static1
Behavioral task: behavioral1
Sample: PI.exe
Resource: win7-20220414-en
General
Target: PI.exe
Size: 696KB
MD5: ef9ddc4ebd697d61db488c560d2115e9
SHA1: a60fa983cf0a54caa2001f86bac961bba4e4ecc6
SHA256: ce60e4de64afb14f5f5db72f72dcb978930c13b743f093bc8562468c7680d9ee
SHA512: c2564963ca294f5b6ccccc9ae1ae7c325cc981d0b225345b6aab72e1bb100f96606a46fab18f488d3d8eac98a814960c61f3d64986e9a422d3e2c7d6f7667aa9
Malware Config
Extracted
Family: xloader
Version: 2.8
k59h
5Jmm72a3503V
N0yBoUCYUTRLfak=
211XjgQWec5Yk5Qo6SgqZGwU
1mxV5ax97shdmbA=
StuJphyppWyplnyrgD58/HNwVc4=
O2q6/rr5gcviVU/h
ataW27/QPlPRgNMvtQ==
ut6GGNcWyhBDDDQ1Db4=
93Rc7LJ6gUek2lG3djp7wg==
8wdHfz6ABUqJsUVbyLDW3Z08hA==
7nAdOLREOQFLfrv8ae4st8yEG1gjpCJs
HD53nVq5W+8zKjeAnUDT
udw2urI9JTRLfak=
eeyly1z1Ko4FGA==
VWym0IGvHmXECZ+AnUDT
Oez2q42RI520scgnuVUxpmA=
bZM6QYi3503V
kkZvoEkVm+eTBw==
HDJld+XLDUGV0YXCdjp7wg==
gW7mk4AU31LHCZ+AnUDT
b97QcjL0+t736HqYikbE
y3t7DryTIvEPDw==
jkALOMhiI53iVU/h
SPYaoUgOPlm69oOkZpap8JNArJg+Tg==
pitAx4hfYzNCQt45uqhMybBqnQ==
POcJnk8SZbDttDe6aVUxpmA=
quepsQLN/BFUinhanlUxpmA=
eBg80Zdun7Q5e7Hrsnaubn8c6OFoEYS39Bg=
o602hzL2/sl28SiAnUDT
zl4XMb0++3yPvDQ1Db4=
+ApLhBBQar9AjUJxQdsqZGwU
dJUZTLM2JzRLfak=
gilK68e/KZMdl+EVl6Dj3Z08hA==
OS6q51z19a4Hdx+cX1UxpmA=
cuzkjXZxtcDTzQch9iTJUOiCYZ+gRm4=
EqRTdCLkKo4FGA==
xG5Bi3Jvo7MALzLRc9kqZGwU
ydhQ87QHsSNw94SiY6Hb
t0A3cuTeNZjiVU/h
ZIw6d/t7IZziVU/h
teQ2ZRGQvVSAi74=
HxygVx1YApjiVU/h
Dg5Igy9sGHObiRtzIETeaB3BfJ+gRm4=
ZIvHqaSLvl1eqSCOB6k=
bCBL/MuWsInQGNuGdjp7wg==
phLNDc+Wk1aTvTQ1Db4=
O8KIwGQ5h5Gmzn/FdkZ9+3NwVc4=
Ci10mECILbQoYQAporBg9XNwVc4=
hkwqeFxZg3aJdv9Z39uMEHNwVc4=
Irh9v6KeIvEPDw==
k8knNtyrIvEPDw==
rkwrQczP9QdYllOudjp7wg==
DZM6T78yHzRLfak=
NNibtzLG4+Bbl6TJa2sjwT76c6Yn4IwbjeJZmw==
2I2i3Vlu4U7NCp+AnUDT
bB0DFoqhL4jDt0qqdjp7wg==
NFy0+7z7vb4JUAli8xT0LL54x9jlaXZJjA==
cf4CPb7MGhuODjQ1Db4=
OdCo5598p55yepX2
iLsPPbbMRaLiVU/h
sdBtD/2MfDZ0pMr7Z9cqZGwU
pl4rReWtIvEPDw==
DwlIiD+3503V
2oh594MGxkCKRHn4
mariorovera.com
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload 5 IoCs
resource | yara_rule
behavioral1/memory/1264-62-0x0000000000400000-0x000000000042C000-memory.dmp | xloader
behavioral1/memory/1264-63-0x000000000041F650-mapping.dmp | xloader
behavioral1/memory/1264-65-0x0000000000400000-0x000000000042C000-memory.dmp | xloader
behavioral1/memory/364-72-0x0000000000080000-0x00000000000AC000-memory.dmp | xloader
behavioral1/memory/364-76-0x0000000000080000-0x00000000000AC000-memory.dmp | xloader

Adds policy Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\LTWTXJJ0 = "C:\\Program Files (x86)\\Qwnmxv4\\Cookieslpxdufw0.exe" | wininit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | wininit.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation | PI.exe

Deletes itself 1 IoCs
pid | Process
664 | cmd.exe

Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 1672 set thread context of 1264 | 1672 | PI.exe | 31
PID 1264 set thread context of 1212 | 1264 | PI.exe | 21
PID 364 set thread context of 1212 | 364 | wininit.exe | 21

Drops file in Program Files directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Qwnmxv4\Cookieslpxdufw0.exe | wininit.exe
Modifies Internet Explorer settings 1 IoCs
description | ioc | Process
Key created | \Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | wininit.exe
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid | Process | count
1672 | PI.exe | 3
1264 | PI.exe | 2
364 | wininit.exe | 11

Suspicious behavior: MapViewOfSection 7 IoCs
pid | Process | count
1264 | PI.exe | 3
364 | wininit.exe | 4

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1672 | PI.exe
Token: SeDebugPrivilege | 1264 | PI.exe
Token: SeDebugPrivilege | 364 | wininit.exe

Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process | count
1212 | Explorer.EXE | 2

Suspicious use of SendNotifyMessage 2 IoCs
pid | Process | count
1212 | Explorer.EXE | 2

Suspicious use of WriteProcessMemory 32 IoCs
description | pid | Process | procid_target | count
PID 1672 wrote to memory of 1324 | 1672 | PI.exe | 28 | 4
PID 1672 wrote to memory of 1164 | 1672 | PI.exe | 29 | 4
PID 1672 wrote to memory of 1256 | 1672 | PI.exe | 30 | 4
PID 1672 wrote to memory of 1264 | 1672 | PI.exe | 31 | 7
PID 1212 wrote to memory of 364 | 1212 | Explorer.EXE | 32 | 4
PID 364 wrote to memory of 664 | 364 | wininit.exe | 33 | 4
PID 364 wrote to memory of 1276 | 364 | wininit.exe | 36 | 5
Processes

C:\Users\Admin\AppData\Local\Temp\PI.exe (level 1, PID 1672)
  command line: "C:\Users\Admin\AppData\Local\Temp\PI.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\PI.exe (level 2, PID 1324)
    command line: "C:\Users\Admin\AppData\Local\Temp\PI.exe"

  C:\Users\Admin\AppData\Local\Temp\PI.exe (level 2, PID 1164)
    command line: "C:\Users\Admin\AppData\Local\Temp\PI.exe"

  C:\Users\Admin\AppData\Local\Temp\PI.exe (level 2, PID 1256)
    command line: "C:\Users\Admin\AppData\Local\Temp\PI.exe"

  C:\Users\Admin\AppData\Local\Temp\PI.exe (level 2, PID 1264)
    command line: "C:\Users\Admin\AppData\Local\Temp\PI.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\Explorer.EXE (level 1, PID 1212)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\wininit.exe (level 2, PID 364)
    command line: "C:\Windows\SysWOW64\wininit.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (level 3, PID 664)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
      - Deletes itself

    C:\Program Files\Mozilla Firefox\Firefox.exe (level 3, PID 1276)
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"