Analysis

- max time kernel: 147s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 16/06/2022, 09:50
Tasks

- Static task static1
- Behavioral task behavioral1: Sample WHMSHC22060125_SUR.exe, Resource win7-20220414-en
- Behavioral task behavioral2: Sample WHMSHC22060125_SUR.exe, Resource win10v2004-20220414-en
- Behavioral task behavioral3: Sample WHMSHC22060126_SUR.pdf, Resource win7-20220414-en
- Behavioral task behavioral4: Sample WHMSHC22060126_SUR.pdf, Resource win10v2004-20220414-en
General

- Target: WHMSHC22060125_SUR.exe
- Size: 657KB
- MD5: 28d724fd6e55313ec7479eabf62ef11c
- SHA1: 5e63a0c3664276044f86a13519560313efcd16b3
- SHA256: b326a836015d646984f10a251e4b6678a9822a1f365369512b80f0928b35299d
- SHA512: e82554e6e9aa797dca588e83e396cf494aef67f1ac1ee24c818a66df79da2bb38aa3f3ef3091a9541a7d3d6847e905b8911e7a36ce11ab5749df11288e5cce1a
Malware Config

Extracted
- Family: xloader
- Version: 2.6
- Campaign: a2es
- C2 domain list: 65 entries
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload (6 IoCs)
- behavioral1/memory/1528-63-0x0000000000400000-0x000000000042B000-memory.dmp: yara rule xloader
- behavioral1/memory/1528-64-0x000000000041F2B0-mapping.dmp: yara rule xloader
- behavioral1/memory/1528-66-0x0000000000400000-0x000000000042B000-memory.dmp: yara rule xloader
- behavioral1/memory/1528-74-0x0000000000400000-0x000000000042B000-memory.dmp: yara rule xloader
- behavioral1/memory/476-78-0x0000000000080000-0x00000000000AB000-memory.dmp: yara rule xloader
- behavioral1/memory/476-81-0x0000000000080000-0x00000000000AB000-memory.dmp: yara rule xloader

Deletes itself (1 IoC)
- PID 516 cmd.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
- Key created: \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TRZX0NNHW8 = "C:\\Program Files (x86)\\Al4nhgbh\\ThumbCachebbc.exe" (svchost.exe)

Suspicious use of SetThreadContext (4 IoCs)
- PID 780 (WHMSHC22060125_SUR.exe) set thread context of 1528, procid_target 27
- PID 1528 (WHMSHC22060125_SUR.exe) set thread context of 1288, procid_target 11
- PID 1528 (WHMSHC22060125_SUR.exe) set thread context of 1288, procid_target 11
- PID 476 (svchost.exe) set thread context of 1288, procid_target 11

Drops file in Program Files directory (1 IoC)
- File opened for modification: C:\Program Files (x86)\Al4nhgbh\ThumbCachebbc.exe (svchost.exe)
Modifies Internet Explorer settings (1 IoC)
- Key created: \Registry\User\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (svchost.exe)
Suspicious behavior: EnumeratesProcesses (17 IoCs)
- PID 1528 WHMSHC22060125_SUR.exe (3 entries)
- PID 476 svchost.exe (14 entries)

Suspicious behavior: MapViewOfSection (8 IoCs)
- PID 1528 WHMSHC22060125_SUR.exe (4 entries)
- PID 476 svchost.exe (4 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 1528 WHMSHC22060125_SUR.exe
- Token: SeDebugPrivilege, PID 476 svchost.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 1288 Explorer.EXE (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
- PID 1288 Explorer.EXE (2 entries)

Suspicious use of WriteProcessMemory (20 IoCs)
- PID 780 (WHMSHC22060125_SUR.exe) wrote to memory of 1528, procid_target 27 (7 entries)
- PID 1528 (WHMSHC22060125_SUR.exe) wrote to memory of 476, procid_target 28 (4 entries)
- PID 476 (svchost.exe) wrote to memory of 516, procid_target 29 (4 entries)
- PID 476 (svchost.exe) wrote to memory of 1156, procid_target 32 (5 entries)
Processes

The tree below is indented by process depth (level 1 to 5), with each entry showing the image path, the recorded command line, its PID and the signatures attributed to it.

C:\Windows\Explorer.EXE (level 1, PID 1288)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Users\Admin\AppData\Local\Temp\WHMSHC22060125_SUR.exe (level 2, PID 780)
    command line: "C:\Users\Admin\AppData\Local\Temp\WHMSHC22060125_SUR.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\WHMSHC22060125_SUR.exe (level 3, PID 1528)
      command line: "C:\Users\Admin\AppData\Local\Temp\WHMSHC22060125_SUR.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\svchost.exe (level 4, PID 476)
        command line: "C:\Windows\SysWOW64\svchost.exe"
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (level 5, PID 516)
          command line: /c del "C:\Users\Admin\AppData\Local\Temp\WHMSHC22060125_SUR.exe"
          - Deletes itself

        C:\Program Files\Mozilla Firefox\Firefox.exe (level 5, PID 1156)
          command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"