Analysis
max time kernel: 152s
max time network: 163s
platform: windows7_x64
resource: win7-20220414-en
submitted: 16/06/2022, 09:44
Static task: static1
Behavioral task: behavioral1
Sample: SR2022061584,pdf.exe
Resource: win7-20220414-en
General
Target: SR2022061584,pdf.exe
Size: 230KB
MD5: c181d4072468279090f281c81a1cccec
SHA1: 4eacb1d04de258fde250819018b5fba93e6bc77e
SHA256: 347b2260600d99e1b3007aeaf18c01e4c5bb1d9f2b97eb371c6d2d69c8ee1169
SHA512: ddf8eec7a23289554b1dd863167324dfcf87d1e4d9caec97fe1fdcf56c2cf1a3970fc78d795ea7b3eb3b47c673ba485c7492883224f3323319f739c9d186f4a2
Malware Config
Extracted
Family: xloader
Version: 2.6
Campaign: uugs
Domains:
dooflegogpriitives.com
designvak.com
burunghitam.com
sw-autotrader.com
rebelvulgar.top
brentwilsonphoto.com
masjidmuqarrabin.com
loyaltykleaners.com
rodfernandesmarketing.com
goshenlaboratory.com
golivehome.store
lensflareair.com
annistonescarra.com
pastedup.com
burinfohope-holding-group.com
monicaconsulting.com
theswanmarketing.com
guentherconstructionllc.com
citizenshipguides.com
aemsmc.com
wh1000.net
wcpdfschedule.com
ducandjohn.com
circumferencelads.com
ibmdrrealmatch.com
kekenapeps.com
theaffiliatesguide.com
xtjets.com
outlookrepairhelp.com
the7figurebookkeeper.com
huaxiazixun.net
fritzduda.site
mythicalcyber.com
aghlari.com
earntrading24.com
spainesthomes.com
saltandpepperpt.com
swrjzxw.com
masonjet.com
merri-automaten.store
miamivalley.xyz
argentinabound.com
haikezb.com
pleeder.com
deedeestreasures.com
kurisinsaat.info
humblebullykennelsstore.com
o2labs.xyz
thenftofficial.com
lifeonloan.com
toyibslotb.com
optimalfamilychiro.com
15xextremefatburner.com
attentionwater.com
infonedviga.site
davehewman.com
szcenturyplaza.com
syddes.com
417realestatepro.com
bluefiftyfoundation.com
tangkichco.com
4v5z41.xyz
montadakawmi.com
bluecollarsidehustles.com
thedentalmethoddallas.com
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload (4 IoCs)
resource | yara_rule
behavioral1/memory/1144-59-0x0000000000400000-0x000000000042B000-memory.dmp | xloader
behavioral1/memory/1144-60-0x000000000041F370-mapping.dmp | xloader
behavioral1/memory/1144-62-0x0000000000400000-0x000000000042B000-memory.dmp | xloader
behavioral1/memory/964-69-0x00000000000C0000-0x00000000000EB000-memory.dmp | xloader

Adds policy Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | NETSTAT.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YJSDLR18N = "C:\\Program Files (x86)\\Kdbwtpt\\gdiypx0.exe" | NETSTAT.EXE

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 108 set thread context of 1144 | 108 | SR2022061584,pdf.exe | 27
PID 1144 set thread context of 1228 | 1144 | cvtres.exe | 15
PID 964 set thread context of 1228 | 964 | NETSTAT.EXE | 15

Drops file in Program Files directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Kdbwtpt\gdiypx0.exe | NETSTAT.EXE

Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
pid | Process
964 | NETSTAT.EXE

Modifies Internet Explorer settings (1 IoCs)
description | ioc | Process
Key created | \Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses (19 IoCs)
pid | Process | events
1144 | cvtres.exe | 2
964 | NETSTAT.EXE | 17

Suspicious behavior: MapViewOfSection (7 IoCs)
pid | Process | events
1144 | cvtres.exe | 3
964 | NETSTAT.EXE | 4

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1144 | cvtres.exe
Token: SeDebugPrivilege | 964 | NETSTAT.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process | events
1228 | Explorer.EXE | 2

Suspicious use of SendNotifyMessage (2 IoCs)
pid | Process | events
1228 | Explorer.EXE | 2

Suspicious use of WriteProcessMemory (20 IoCs)
description | pid | Process | procid_target | events
PID 108 wrote to memory of 1144 | 108 | SR2022061584,pdf.exe | 27 | 7
PID 1228 wrote to memory of 964 | 1228 | Explorer.EXE | 28 | 4
PID 964 wrote to memory of 1984 | 964 | NETSTAT.EXE | 29 | 4
PID 964 wrote to memory of 816 | 964 | NETSTAT.EXE | 32 | 5
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1228
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe"
    PID: 108
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
      PID: 1144
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\NETSTAT.EXE
    command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    PID: 964
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Gathers network information
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
      PID: 1984

    C:\Program Files\Mozilla Firefox\Firefox.exe
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
      PID: 816