Analysis Overview
SHA256
80a37f830c71b22ed3225838f7e8b17f7b5ff5b98a8085661db151df14304fbb
Threat Level: Known bad
The file 216f40647e979192eb61192ce3cd8f26 was found to be: Known bad.
Malicious Activity Summary
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
Suspicious use of SetThreadContext
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-06-16 09:49
Signatures
N/A.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-16 09:49
Reported
2022-06-16 09:54
Platform
win7-20220414-en
Max time kernel
152s
Max time network
195s
Command Line
Signatures
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 964 set thread context of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
| PID 1804 set thread context of 1384 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | C:\Windows\Explorer.EXE |
| PID 1804 set thread context of 1384 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | C:\Windows\Explorer.EXE |
| PID 1976 set thread context of 1384 | N/A | C:\Windows\SysWOW64\help.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe | "C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" |
| C:\Windows\SysWOW64\autofmt.exe | "C:\Windows\SysWOW64\autofmt.exe" |
| C:\Windows\SysWOW64\autochk.exe | "C:\Windows\SysWOW64\autochk.exe" |
| C:\Windows\SysWOW64\help.exe | "C:\Windows\SysWOW64\help.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.dacdem.com | udp |
| US | 8.8.8.8:53 | www.valleyinnswat.com | udp |
| US | 217.79.245.245:80 | www.valleyinnswat.com | tcp |
| US | 8.8.8.8:53 | www.secure-remove-devices.com | udp |
| US | 8.8.8.8:53 | www.davegwatkin.com | udp |
| US | 8.8.8.8:53 | www.zootowngravel.com | udp |
| US | 8.8.8.8:53 | www.6888tlbb.xyz | udp |
| US | 8.8.8.8:53 | www.pjhxsl.com | udp |
| CN | 23.251.62.137:80 | www.pjhxsl.com | tcp |
| US | 8.8.8.8:53 | www.blizzardboy.net | udp |
| US | 192.161.187.200:80 | www.blizzardboy.net | tcp |
| US | 8.8.8.8:53 | www.shahanhan.com | udp |
| US | 154.7.75.47:80 | www.shahanhan.com | tcp |
| US | 8.8.8.8:53 | www.street-art-ink.com | udp |
| CH | 217.26.61.86:80 | www.street-art-ink.com | tcp |
| US | 8.8.8.8:53 | www.sepetcin.com | udp |
| TR | 185.250.243.163:80 | www.sepetcin.com | tcp |
| US | 8.8.8.8:53 | www.stilghar.com | udp |
| US | 107.149.171.102:80 | www.stilghar.com | tcp |
Files
memory/964-54-0x0000000000880000-0x00000000008BC000-memory.dmp
memory/964-55-0x0000000000500000-0x0000000000534000-memory.dmp
memory/1804-57-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1804-56-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1804-60-0x000000000041F2C0-mapping.dmp
memory/1804-59-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1804-62-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1804-63-0x0000000000A60000-0x0000000000D63000-memory.dmp
memory/1804-64-0x0000000000290000-0x00000000002A1000-memory.dmp
memory/1384-65-0x0000000004AE0000-0x0000000004C50000-memory.dmp
memory/1804-67-0x0000000000330000-0x0000000000341000-memory.dmp
memory/1384-68-0x0000000004C50000-0x0000000004DBB000-memory.dmp
memory/1976-69-0x0000000000000000-mapping.dmp
memory/1804-70-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1976-72-0x0000000000080000-0x00000000000AB000-memory.dmp
memory/1976-71-0x0000000000EF0000-0x0000000000EF6000-memory.dmp
memory/1976-73-0x00000000007C0000-0x0000000000AC3000-memory.dmp
memory/2028-74-0x0000000000000000-mapping.dmp
memory/1976-75-0x00000000005D0000-0x0000000000660000-memory.dmp
memory/1384-76-0x0000000006A20000-0x0000000006BA8000-memory.dmp
memory/1976-77-0x0000000000080000-0x00000000000AB000-memory.dmp
memory/1384-78-0x0000000006A20000-0x0000000006BA8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-16 09:49
Reported
2022-06-16 09:54
Platform
win10v2004-20220414-en
Max time kernel
152s
Max time network
162s
Command Line
Signatures
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1860 set thread context of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
| PID 2408 set thread context of 2640 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | C:\Windows\Explorer.EXE |
| PID 1984 set thread context of 2640 | N/A | C:\Windows\SysWOW64\msdt.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe | "C:\Users\Admin\AppData\Local\Temp\SR20220600525003,pdf.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" |
| C:\Windows\SysWOW64\msdt.exe | "C:\Windows\SysWOW64\msdt.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 20.189.173.1:443 | N/A | tcp |
| GB | 92.123.140.25:80 | N/A | tcp |
| US | 8.8.8.8:53 | www.stilghar.com | udp |
| US | 107.149.171.102:80 | www.stilghar.com | tcp |
| NL | 104.110.191.133:80 | N/A | tcp |
| US | 8.8.8.8:53 | www.distritoxermar.com | udp |
| HK | 168.76.184.139:80 | www.distritoxermar.com | tcp |
| US | 8.8.8.8:53 | www.drecibo.com | udp |
| US | 31.170.160.68:80 | www.drecibo.com | tcp |
| US | 8.8.8.8:53 | www.drecibo.com | udp |
| US | 31.170.160.68:80 | www.drecibo.com | tcp |
| US | 8.8.8.8:53 | www.yaoih.com | udp |
| HK | 45.199.116.81:80 | www.yaoih.com | tcp |
| US | 8.8.8.8:53 | www.banlyeojob.com | udp |
| KR | 222.122.118.13:80 | www.banlyeojob.com | tcp |
| US | 8.8.8.8:53 | www.banlyeojob.com | udp |
| KR | 222.122.118.13:80 | www.banlyeojob.com | tcp |
| US | 8.8.8.8:53 | www.museatthemill.com | udp |
| US | 172.67.138.219:80 | www.museatthemill.com | tcp |
| US | 8.8.8.8:53 | www.totalvirtue.com | udp |
| US | 13.56.33.8:80 | www.totalvirtue.com | tcp |
Files
memory/1860-130-0x00000000006C0000-0x00000000006FC000-memory.dmp
memory/2408-131-0x0000000000000000-mapping.dmp
memory/2408-132-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2408-134-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2408-135-0x0000000001910000-0x0000000001C5A000-memory.dmp
memory/2408-136-0x0000000001410000-0x0000000001421000-memory.dmp
memory/2640-137-0x0000000007B70000-0x0000000007CB5000-memory.dmp
memory/1984-138-0x0000000000000000-mapping.dmp
memory/1984-139-0x00000000009B0000-0x0000000000A07000-memory.dmp
memory/1984-140-0x0000000000F10000-0x0000000000F3B000-memory.dmp
memory/4072-141-0x0000000000000000-mapping.dmp
memory/1984-142-0x00000000030B0000-0x00000000033FA000-memory.dmp
memory/1984-143-0x0000000002EE0000-0x0000000002F70000-memory.dmp
memory/2640-144-0x0000000008F20000-0x0000000009052000-memory.dmp
memory/1984-145-0x0000000000F10000-0x0000000000F3B000-memory.dmp
memory/2640-146-0x0000000008F20000-0x0000000009052000-memory.dmp