Analysis
max time kernel: 152s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 16/06/2022, 09:44
Static task: static1
Behavioral task: behavioral1
Sample: SR2022061584,pdf.exe
Resource: win7-20220414-en
General
Target: SR2022061584,pdf.exe
Size: 230KB
MD5: c181d4072468279090f281c81a1cccec
SHA1: 4eacb1d04de258fde250819018b5fba93e6bc77e
SHA256: 347b2260600d99e1b3007aeaf18c01e4c5bb1d9f2b97eb371c6d2d69c8ee1169
SHA512: ddf8eec7a23289554b1dd863167324dfcf87d1e4d9caec97fe1fdcf56c2cf1a3970fc78d795ea7b3eb3b47c673ba485c7492883224f3323319f739c9d186f4a2
Malware Config
Extracted
Family: xloader
Version: 2.6
Campaign: uugs
Decoy domains:
dooflegogpriitives.com
designvak.com
burunghitam.com
sw-autotrader.com
rebelvulgar.top
brentwilsonphoto.com
masjidmuqarrabin.com
loyaltykleaners.com
rodfernandesmarketing.com
goshenlaboratory.com
golivehome.store
lensflareair.com
annistonescarra.com
pastedup.com
burinfohope-holding-group.com
monicaconsulting.com
theswanmarketing.com
guentherconstructionllc.com
citizenshipguides.com
aemsmc.com
wh1000.net
wcpdfschedule.com
ducandjohn.com
circumferencelads.com
ibmdrrealmatch.com
kekenapeps.com
theaffiliatesguide.com
xtjets.com
outlookrepairhelp.com
the7figurebookkeeper.com
huaxiazixun.net
fritzduda.site
mythicalcyber.com
aghlari.com
earntrading24.com
spainesthomes.com
saltandpepperpt.com
swrjzxw.com
masonjet.com
merri-automaten.store
miamivalley.xyz
argentinabound.com
haikezb.com
pleeder.com
deedeestreasures.com
kurisinsaat.info
humblebullykennelsstore.com
o2labs.xyz
thenftofficial.com
lifeonloan.com
toyibslotb.com
optimalfamilychiro.com
15xextremefatburner.com
attentionwater.com
infonedviga.site
davehewman.com
szcenturyplaza.com
syddes.com
417realestatepro.com
bluefiftyfoundation.com
tangkichco.com
4v5z41.xyz
montadakawmi.com
bluecollarsidehustles.com
thedentalmethoddallas.com
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload (4 IoCs)
resource  yara_rule
behavioral2/memory/3736-132-0x0000000000400000-0x000000000042B000-memory.dmp  xloader
behavioral2/memory/3736-138-0x0000000000400000-0x000000000042B000-memory.dmp  xloader
behavioral2/memory/3960-141-0x0000000000E00000-0x0000000000E2B000-memory.dmp  xloader
behavioral2/memory/3960-145-0x0000000000E00000-0x0000000000E2B000-memory.dmp  xloader

Adds policy Run key to start application (2 TTPs, 2 IoCs)
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run  cmstp.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\CPXHR = "C:\\Program Files (x86)\\Lifm4\\igfxgxd0dxl.exe"  cmstp.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SetThreadContext (3 IoCs)
description  pid  Process  procid_target
PID 1672 set thread context of 3736  1672  SR2022061584,pdf.exe  79
PID 3736 set thread context of 2040  3736  cvtres.exe  35
PID 3960 set thread context of 2040  3960  cmstp.exe  35

Drops file in Program Files directory (1 IoCs)
description  ioc  Process
File opened for modification  C:\Program Files (x86)\Lifm4\igfxgxd0dxl.exe  cmstp.exe

Modifies Internet Explorer settings (signature name as listed for cmstp.exe in the process tree below)
description  ioc  Process
Key created  \Registry\User\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  cmstp.exe

Suspicious behavior: EnumeratesProcesses (24 IoCs)
pid  Process
3736  cvtres.exe  (4 hits)
3960  cmstp.exe  (20 hits)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid  Process
2040  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
pid  Process
3736  cvtres.exe  (3 hits)
3960  cmstp.exe  (2 hits)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description  pid  Process
Token: SeDebugPrivilege  3736  cvtres.exe
Token: SeDebugPrivilege  3960  cmstp.exe

Suspicious use of WriteProcessMemory (15 IoCs)
description  pid  Process  procid_target
PID 1672 wrote to memory of 3736  1672  SR2022061584,pdf.exe  79  (6 hits)
PID 2040 wrote to memory of 3960  2040  Explorer.EXE  80  (3 hits)
PID 3960 wrote to memory of 4804  3960  cmstp.exe  81  (3 hits)
PID 3960 wrote to memory of 4008  3960  cmstp.exe  83  (3 hits)

System policy modification (1 TTPs, 1 IoCs)
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer  cmstp.exe
Processes
C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 2040
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\SR2022061584,pdf.exe"
        PID: 1672
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
            PID: 3736
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmstp.exe
        Command line: "C:\Windows\SysWOW64\cmstp.exe"
        PID: 3960
        - Adds policy Run key to start application
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

        C:\Windows\SysWOW64\cmd.exe
            Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
            PID: 4804

        C:\Windows\SysWOW64\cmd.exe
            Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
            PID: 4008
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 40KB
MD5: b608d407fc15adea97c26936bc6f03f6
SHA1: 953e7420801c76393902c0d6bb56148947e41571
SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4