Analysis

  • max time kernel
    152s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    16/06/2022, 09:44

General

  • Target

    SR2022061584,pdf.exe

  • Size

    230KB

  • MD5

    c181d4072468279090f281c81a1cccec

  • SHA1

    4eacb1d04de258fde250819018b5fba93e6bc77e

  • SHA256

    347b2260600d99e1b3007aeaf18c01e4c5bb1d9f2b97eb371c6d2d69c8ee1169

  • SHA512

    ddf8eec7a23289554b1dd863167324dfcf87d1e4d9caec97fe1fdcf56c2cf1a3970fc78d795ea7b3eb3b47c673ba485c7492883224f3323319f739c9d186f4a2

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

uugs

Decoy

dooflegogpriitives.com

designvak.com

burunghitam.com

sw-autotrader.com

rebelvulgar.top

brentwilsonphoto.com

masjidmuqarrabin.com

loyaltykleaners.com

rodfernandesmarketing.com

goshenlaboratory.com

golivehome.store

lensflareair.com

annistonescarra.com

pastedup.com

burinfohope-holding-group.com

monicaconsulting.com

theswanmarketing.com

guentherconstructionllc.com

citizenshipguides.com

aemsmc.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Xloader Payload 4 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3736
    • C:\Windows\SysWOW64\cmstp.exe
      "C:\Windows\SysWOW64\cmstp.exe"
      2⤵
      • Adds policy Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3960
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
        3⤵
          PID:4804
        • C:\Windows\SysWOW64\cmd.exe
          /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
          3⤵
            PID:4008

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\DB1

              Filesize

              40KB

              MD5

              b608d407fc15adea97c26936bc6f03f6

              SHA1

              953e7420801c76393902c0d6bb56148947e41571

              SHA256

              b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

              SHA512

              cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

            • memory/1672-130-0x00000000005B0000-0x00000000005EC000-memory.dmp

              Filesize

              240KB

            • memory/2040-136-0x00000000080B0000-0x00000000081BD000-memory.dmp

              Filesize

              1.1MB

            • memory/2040-146-0x00000000029C0000-0x0000000002A7D000-memory.dmp

              Filesize

              756KB

            • memory/2040-144-0x00000000029C0000-0x0000000002A7D000-memory.dmp

              Filesize

              756KB

            • memory/3736-132-0x0000000000400000-0x000000000042B000-memory.dmp

              Filesize

              172KB

            • memory/3736-133-0x0000000001170000-0x00000000014BA000-memory.dmp

              Filesize

              3.3MB

            • memory/3736-135-0x0000000001140000-0x0000000001151000-memory.dmp

              Filesize

              68KB

            • memory/3736-138-0x0000000000400000-0x000000000042B000-memory.dmp

              Filesize

              172KB

            • memory/3960-143-0x0000000002B80000-0x0000000002C10000-memory.dmp

              Filesize

              576KB

            • memory/3960-142-0x0000000002DE0000-0x000000000312A000-memory.dmp

              Filesize

              3.3MB

            • memory/3960-141-0x0000000000E00000-0x0000000000E2B000-memory.dmp

              Filesize

              172KB

            • memory/3960-140-0x0000000000220000-0x0000000000236000-memory.dmp

              Filesize

              88KB

            • memory/3960-145-0x0000000000E00000-0x0000000000E2B000-memory.dmp

              Filesize

              172KB