Analysis

- max time kernel: 154s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 16/06/2022, 09:42

Static task: static1
Behavioral task: behavioral1
Sample: PI.exe
Resource: win7-20220414-en
General

- Target: PI.exe
- Size: 696KB
- MD5: ef9ddc4ebd697d61db488c560d2115e9
- SHA1: a60fa983cf0a54caa2001f86bac961bba4e4ecc6
- SHA256: ce60e4de64afb14f5f5db72f72dcb978930c13b743f093bc8562468c7680d9ee
- SHA512: c2564963ca294f5b6ccccc9ae1ae7c325cc981d0b225345b6aab72e1bb100f96606a46fab18f488d3d8eac98a814960c61f3d64986e9a422d3e2c7d6f7667aa9
Malware Config
Extracted
xloader
2.8
k59h
5Jmm72a3503V
N0yBoUCYUTRLfak=
211XjgQWec5Yk5Qo6SgqZGwU
1mxV5ax97shdmbA=
StuJphyppWyplnyrgD58/HNwVc4=
O2q6/rr5gcviVU/h
ataW27/QPlPRgNMvtQ==
ut6GGNcWyhBDDDQ1Db4=
93Rc7LJ6gUek2lG3djp7wg==
8wdHfz6ABUqJsUVbyLDW3Z08hA==
7nAdOLREOQFLfrv8ae4st8yEG1gjpCJs
HD53nVq5W+8zKjeAnUDT
udw2urI9JTRLfak=
eeyly1z1Ko4FGA==
VWym0IGvHmXECZ+AnUDT
Oez2q42RI520scgnuVUxpmA=
bZM6QYi3503V
kkZvoEkVm+eTBw==
HDJld+XLDUGV0YXCdjp7wg==
gW7mk4AU31LHCZ+AnUDT
b97QcjL0+t736HqYikbE
y3t7DryTIvEPDw==
jkALOMhiI53iVU/h
SPYaoUgOPlm69oOkZpap8JNArJg+Tg==
pitAx4hfYzNCQt45uqhMybBqnQ==
POcJnk8SZbDttDe6aVUxpmA=
quepsQLN/BFUinhanlUxpmA=
eBg80Zdun7Q5e7Hrsnaubn8c6OFoEYS39Bg=
o602hzL2/sl28SiAnUDT
zl4XMb0++3yPvDQ1Db4=
+ApLhBBQar9AjUJxQdsqZGwU
dJUZTLM2JzRLfak=
gilK68e/KZMdl+EVl6Dj3Z08hA==
OS6q51z19a4Hdx+cX1UxpmA=
cuzkjXZxtcDTzQch9iTJUOiCYZ+gRm4=
EqRTdCLkKo4FGA==
xG5Bi3Jvo7MALzLRc9kqZGwU
ydhQ87QHsSNw94SiY6Hb
t0A3cuTeNZjiVU/h
ZIw6d/t7IZziVU/h
teQ2ZRGQvVSAi74=
HxygVx1YApjiVU/h
Dg5Igy9sGHObiRtzIETeaB3BfJ+gRm4=
ZIvHqaSLvl1eqSCOB6k=
bCBL/MuWsInQGNuGdjp7wg==
phLNDc+Wk1aTvTQ1Db4=
O8KIwGQ5h5Gmzn/FdkZ9+3NwVc4=
Ci10mECILbQoYQAporBg9XNwVc4=
hkwqeFxZg3aJdv9Z39uMEHNwVc4=
Irh9v6KeIvEPDw==
k8knNtyrIvEPDw==
rkwrQczP9QdYllOudjp7wg==
DZM6T78yHzRLfak=
NNibtzLG4+Bbl6TJa2sjwT76c6Yn4IwbjeJZmw==
2I2i3Vlu4U7NCp+AnUDT
bB0DFoqhL4jDt0qqdjp7wg==
NFy0+7z7vb4JUAli8xT0LL54x9jlaXZJjA==
cf4CPb7MGhuODjQ1Db4=
OdCo5598p55yepX2
iLsPPbbMRaLiVU/h
sdBtD/2MfDZ0pMr7Z9cqZGwU
pl4rReWtIvEPDw==
DwlIiD+3503V
2oh594MGxkCKRHn4
mariorovera.com
Signatures

- suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload (4 IoCs)
resource | yara_rule
behavioral2/memory/3032-137-0x0000000000400000-0x000000000042C000-memory.dmp | xloader
behavioral2/memory/3032-143-0x0000000000400000-0x000000000042C000-memory.dmp | xloader
behavioral2/memory/4272-146-0x0000000001390000-0x00000000013BC000-memory.dmp | xloader
behavioral2/memory/4272-149-0x0000000001390000-0x00000000013BC000-memory.dmp | xloader

Adds policy Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\PBFPTXLXRPBH = "C:\\Program Files (x86)\\Mrxj8v\\n4x8pvlyd.exe" | wscript.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | PI.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 4000 set thread context of 3032 | 4000 | PI.exe | 82
PID 3032 set thread context of 1064 | 3032 | PI.exe | 38
PID 4272 set thread context of 1064 | 4272 | wscript.exe | 38

Drops file in Program Files directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Mrxj8v\n4x8pvlyd.exe | wscript.exe
Modifies Internet Explorer settings (1 IoC)
description | ioc | Process
Key created | \Registry\User\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | wscript.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid | Process
3032 | PI.exe (4 occurrences)
4272 | wscript.exe (10 occurrences)

Suspicious behavior: MapViewOfSection (7 IoCs)
pid | Process
3032 | PI.exe (3 occurrences)
4272 | wscript.exe (4 occurrences)

Suspicious use of AdjustPrivilegeToken (10 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3032 | PI.exe
Token: SeShutdownPrivilege | 1064 | Explorer.EXE (4 occurrences)
Token: SeCreatePagefilePrivilege | 1064 | Explorer.EXE (4 occurrences)
Token: SeDebugPrivilege | 4272 | wscript.exe

Suspicious use of WriteProcessMemory (21 IoCs)
description | pid | Process | procid_target
PID 4000 wrote to memory of 3032 | 4000 | PI.exe | 82 (6 occurrences)
PID 1064 wrote to memory of 4272 | 1064 | Explorer.EXE | 83 (3 occurrences)
PID 4272 wrote to memory of 1808 | 4272 | wscript.exe | 87 (3 occurrences)
PID 4272 wrote to memory of 1904 | 4272 | wscript.exe | 92 (3 occurrences)
PID 4272 wrote to memory of 392 | 4272 | wscript.exe | 94 (3 occurrences)
PID 4272 wrote to memory of 4056 | 4272 | wscript.exe | 96 (3 occurrences)

System policy modification (1 TTP, 1 IoC)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | wscript.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\PI.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\PI.exe"
    PID: 4000
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\PI.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\PI.exe"
        PID: 3032
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 1064
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\wscript.exe
        command line: "C:\Windows\SysWOW64\wscript.exe"
        PID: 4272
        - Adds policy Run key to start application
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

        [3] C:\Windows\SysWOW64\cmd.exe
            command line: /c del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
            PID: 1808

        [3] C:\Windows\SysWOW64\cmd.exe
            command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
            PID: 1904

        [3] C:\Windows\SysWOW64\cmd.exe
            command line: /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
            PID: 392

        [3] C:\Program Files\Mozilla Firefox\Firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
            PID: 4056
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 40KB
  MD5: b608d407fc15adea97c26936bc6f03f6
  SHA1: 953e7420801c76393902c0d6bb56148947e41571
  SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

- Filesize: 48KB
  MD5: 349e6eb110e34a08924d92f6b334801d
  SHA1: bdfb289daff51890cc71697b6322aa4b35ec9169
  SHA256: c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
  SHA512: 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574