Analysis

max time kernel: 166s
max time network: 222s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 16/06/2022, 09:50
Static task: static1

Behavioral tasks:
behavioral1 | sample WHMSHC22060125_SUR.exe | resource win7-20220414-en
behavioral2 | sample WHMSHC22060125_SUR.exe | resource win10v2004-20220414-en
behavioral3 | sample WHMSHC22060126_SUR.pdf | resource win7-20220414-en
behavioral4 | sample WHMSHC22060126_SUR.pdf | resource win10v2004-20220414-en

The sections below cover behavioral2 only (the .exe on win10v2004-20220414-en); the static task and the other three behavioral tasks are not shown on this page.
General

Target: WHMSHC22060125_SUR.exe
Size: 657KB
MD5: 28d724fd6e55313ec7479eabf62ef11c
SHA1: 5e63a0c3664276044f86a13519560313efcd16b3
SHA256: b326a836015d646984f10a251e4b6678a9822a1f365369512b80f0928b35299d
SHA512: e82554e6e9aa797dca588e83e396cf494aef67f1ac1ee24c818a66df79da2bb38aa3f3ef3091a9541a7d3d6847e905b8911e7a36ce11ab5749df11288e5cce1a
Malware Config

Extracted
Family: xloader
Version: 2.6
Campaign ID: a2es

Xloader, like FormBook before it, embeds a list of decoy domains alongside its real C2, so only a minority of the hosts below belong to the operator. Block or alert on all of them as IoCs for this sample, but do not attribute each one to attacker infrastructure.

C2 domains (as embedded in the sample):
glutenfreebahrain.com
sportrid.com
js-films.com
cie-revolver.com
outsourcinginstitutebd.com
roboticsdatascience.com
tebrunk.com
needgreatwork.com
df1b8j2iwbl33n.life
voluum-training.com
cherna-roza.com
xiyouap.com
bluefiftyfoundation.com
angolettomc.com
yhcp225.com
keondredejawn.com
ifeelsilky.com
coraorganizing.com
smartmindstutorials.com
tanphucuong.info
cxy.cool
criatorioimperial.online
timelyzer.com
chounvwd.com
taxidrivertrading.com
vooyage.xyz
mbtq.financial
tmshop.ma
newexmag.com
wildblumebmd.com
faucetvddw.club
sexism.info
precisionspinecolorado.com
jmigy.com
theplayhouse88.com
theskinrevive.com
envisionexpereience.com
matuschekandcompany.com
zouyuting.com
loansbill-pay.website
albertoalaniz.space
elfstore.net
klapia.online
panxiaozhi.net
soprodutosgeniais.com
amstorex.com
tiktokrycy41.xyz
datisbrick.com
hotelnoucanguillem.com
prekkr.com
jensenko.com
spiritualteashop.com
cyberdyne.world
0xauetw0ye50f.xyz
berendsit.com
kalycollcwn.info
tonenusdt.xyz
ckhla.com
igralki.com
princesskinnymixers.com
tvmountinstallguy.com
choicegoodsshop.com
diamont-services.com
mideazhiyou.com
katescakesandcreations.com
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)  (two alerts)
The IDS rule still carries the FormBook name; Xloader is the continuation of that family and its check-in traffic matches the existing FormBook rule set.

Xloader Payload  4 IoCs
resource | yara_rule
behavioral2/memory/2388-137-0x0000000000400000-0x000000000042B000-memory.dmp | xloader
behavioral2/memory/2388-143-0x0000000000400000-0x000000000042B000-memory.dmp | xloader
behavioral2/memory/3864-145-0x0000000001240000-0x000000000126B000-memory.dmp | xloader
behavioral2/memory/3864-151-0x0000000001240000-0x000000000126B000-memory.dmp | xloader
Both tagged regions are 0x2B000 (176,128) bytes: the same unpacked payload sits at image base 0x400000 in the hollowed copy of the sample (PID 2388) and at 0x1240000 inside ipconfig.exe (PID 3864). Either dump is a usable starting point for config extraction.
Adds Run key to start application  2 TTPs 2 IoCs
description | ioc | Process
Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | ipconfig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N0XTI4Q8V = "C:\\Program Files (x86)\\Vjlkd\\xxll2v90gzg4yfnh.exe" | ipconfig.exe
The persistence is written by ipconfig.exe rather than by the sample's own image, and it lands in the WOW6432Node (32-bit) view of HKLM\...\Run because the payload runs inside a SysWOW64 process. Both the value name and the drop directory look generated; hunt on the behaviour (a system utility writing a Run value) rather than on these strings.

Suspicious use of SetThreadContext  3 IoCs
description | pid | Process | procid_target
PID 1000 set thread context of 2388 | 1000 | WHMSHC22060125_SUR.exe | 89
PID 2388 set thread context of 3152 | 2388 | WHMSHC22060125_SUR.exe | 36
PID 3864 set thread context of 3152 | 3864 | ipconfig.exe | 36
Read as an injection chain: the first instance of the sample hollows a child copy of itself (1000 -> 2388); that copy hijacks a thread in Explorer.EXE (2388 -> 3152); the hollowed ipconfig.exe later does the same (3864 -> 3152).

Drops file in Program Files directory  1 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Vjlkd\xxll2v90gzg4yfnh.exe | ipconfig.exe

Gathers network information  2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid | Process
3864 | ipconfig.exe
This signature keys on the image name only. The ipconfig.exe here was started by Explorer.EXE with no arguments and is the host process for the injected payload (see the SetThreadContext and Run key rows above), so in this report it indicates process hollowing, not network reconnaissance.

Modifies Internet Explorer settings  1 IoCs
description | ioc | Process
Key created | \Registry\User\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | ipconfig.exe
IntelliForms\Storage2 is where Internet Explorer keeps AutoComplete form data and saved credentials; a stealer opening it is more plausibly harvesting than changing a setting.
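The Run value, the Program Files drop, the argument-less ipconfig.exe and the cmd /c del at the bottom of the process tree are the host-side footprint of this chain. The Python below is an added example, not code from the sandbox or from this report: it runs those four checks over a handful of constructed Sysmon-style records that mirror the rows above, plus one benign ipconfig /all as a control. The record field names, the LOLBIN_HOSTS set and the rule names are assumptions chosen for the example.

```python
import fnmatch

# Constructed Sysmon-style records mirroring the rows of this report; not real
# telemetry and not the sandbox's own event format. id 1 = process create,
# 11 = file create, 13 = registry value set. The pid 500 record is a benign
# control: an operator running ipconfig from a shell.
EVENTS = [
    {"id": 1, "pid": 3864, "image": r"C:\Windows\SysWOW64\ipconfig.exe",
     "cmdline": r'"C:\Windows\SysWOW64\ipconfig.exe"', "parent": r"C:\Windows\Explorer.EXE"},
    {"id": 13, "pid": 3864, "image": r"C:\Windows\SysWOW64\ipconfig.exe",
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\N0XTI4Q8V",
     "details": r"C:\Program Files (x86)\Vjlkd\xxll2v90gzg4yfnh.exe"},
    {"id": 11, "pid": 3864, "image": r"C:\Windows\SysWOW64\ipconfig.exe",
     "target": r"C:\Program Files (x86)\Vjlkd\xxll2v90gzg4yfnh.exe"},
    {"id": 1, "pid": 4124, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Users\Admin\AppData\Local\Temp\WHMSHC22060125_SUR.exe"',
     "parent": r"C:\Windows\SysWOW64\ipconfig.exe"},
    {"id": 1, "pid": 500, "image": r"C:\Windows\System32\ipconfig.exe",
     "cmdline": "ipconfig /all", "parent": r"C:\Windows\System32\cmd.exe"},
]

# Console utilities that never legitimately persist, drop into Program Files or
# get launched argument-less by the shell. Hypothetical starting set; only
# ipconfig.exe is attested by this report.
LOLBIN_HOSTS = {"ipconfig.exe", "netstat.exe", "nslookup.exe"}
# Matches both the native and the WOW6432Node view of the Run key.
RUN_KEY_GLOB = r"hklm\software\*microsoft\windows\currentversion\run\*"
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def has_arguments(cmdline):
    """True when anything follows the (possibly quoted) executable token."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        parts = s.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return bool(rest.strip())


def detect(events):
    """Return {pid: set(rule names)} for records matching this sample's footprint."""
    hits = {}

    def hit(pid, rule):
        hits.setdefault(pid, set()).add(rule)

    for e in events:
        img = basename(e["image"])
        if e["id"] == 13 and img in LOLBIN_HOSTS \
                and fnmatch.fnmatchcase(e["target"].lower(), RUN_KEY_GLOB):
            hit(e["pid"], "run_value_set_by_system_utility")
        elif e["id"] == 11 and img in LOLBIN_HOSTS \
                and e["target"].lower().startswith(PROGRAM_FILES):
            hit(e["pid"], "program_files_drop_by_system_utility")
        elif e["id"] == 1 and img in LOLBIN_HOSTS \
                and basename(e["parent"]) == "explorer.exe" \
                and not has_arguments(e["cmdline"]):
            hit(e["pid"], "system_utility_started_argumentless_by_explorer")
        elif e["id"] == 1 and img == "cmd.exe" and basename(e["parent"]) in LOLBIN_HOSTS \
                and "del " in e["cmdline"].lower() and "\\temp\\" in e["cmdline"].lower():
            hit(e["pid"], "temp_file_deleted_via_cmd_from_system_utility")
    return hits


if __name__ == "__main__":
    for pid, rules in sorted(detect(EVENTS).items()):
        print(pid, sorted(rules))
```

The argument-less check matters more than it looks: a user or script that runs ipconfig always passes something (/all, /flushdns), whereas a hollowed host is launched with nothing but its own path, exactly as in the tree at the end of this report.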
Suspicious behavior: EnumeratesProcesses  36 IoCs
pid | Process | occurrences
2388 | WHMSHC22060125_SUR.exe | 4
3864 | ipconfig.exe | 32

Suspicious behavior: GetForegroundWindowSpam  1 IoCs
pid | Process
3152 | Explorer.EXE

Suspicious behavior: MapViewOfSection  5 IoCs
pid | Process | occurrences
2388 | WHMSHC22060125_SUR.exe | 3
3864 | ipconfig.exe | 2
Consistent with the payload being placed into Explorer.EXE by section mapping: neither 2388 -> 3152 nor 3864 -> 3152 appears in the WriteProcessMemory rows below, only in the SetThreadContext rows.

Suspicious use of AdjustPrivilegeToken  2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2388 | WHMSHC22060125_SUR.exe
Token: SeDebugPrivilege | 3864 | ipconfig.exe

Suspicious use of WriteProcessMemory  12 IoCs
description | pid | Process | procid_target | occurrences
PID 1000 wrote to memory of 2388 | 1000 | WHMSHC22060125_SUR.exe | 89 | 6
PID 3152 wrote to memory of 3864 | 3152 | Explorer.EXE | 90 | 3
PID 3864 wrote to memory of 4124 | 3864 | ipconfig.exe | 91 | 3
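The SetThreadContext, WriteProcessMemory and memory-dump rows together encode the injection path, but the flattened tables are awkward to read. The Python below is an added example, not part of the report or of the sandbox's tooling: it parses those rows in the form they appear on this page, collapses the repeated entries, labels each source/target pair, and checks that the two YARA-tagged regions have the same size. The row grammar it assumes, the label vocabulary, and the reading of a thread hijack without a WriteProcessMemory row as section mapping are the example's own assumptions.

```python
import re

# Constructed input: the relevant signature rows of this report, copied in the
# flattened "PID <src> <action> <dst> <src> <image> <procid_target>" form in
# which the sandbox tables were extracted as text. Repeated rows are repeated.
SET_THREAD_CONTEXT = (
    "PID 1000 set thread context of 2388 1000 WHMSHC22060125_SUR.exe 89 "
    "PID 2388 set thread context of 3152 2388 WHMSHC22060125_SUR.exe 36 "
    "PID 3864 set thread context of 3152 3864 ipconfig.exe 36"
)
WRITE_PROCESS_MEMORY = " ".join(
    ["PID 1000 wrote to memory of 2388 1000 WHMSHC22060125_SUR.exe 89"] * 6
    + ["PID 3152 wrote to memory of 3864 3152 Explorer.EXE 90"] * 3
    + ["PID 3864 wrote to memory of 4124 3864 ipconfig.exe 91"] * 3
)
MEMORY_DUMPS = (
    "behavioral2/memory/2388-137-0x0000000000400000-0x000000000042B000-memory.dmp xloader "
    "behavioral2/memory/2388-143-0x0000000000400000-0x000000000042B000-memory.dmp xloader "
    "behavioral2/memory/3864-145-0x0000000001240000-0x000000000126B000-memory.dmp xloader "
    "behavioral2/memory/3864-151-0x0000000001240000-0x000000000126B000-memory.dmp xloader"
)

# Row grammar assumed from the page. The second pid repeats the first, so it is
# matched as a backreference to reject misaligned rows.
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<procid>\d+)"
)
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-\d+-0x(?P<lo>[0-9A-Fa-f]+)-0x(?P<hi>[0-9A-Fa-f]+)"
    r"-memory\.dmp (?P<rule>\S+)"
)
ACTION_TAG = {"wrote to memory of": "write", "set thread context of": "thread"}


def parse_events(*blobs):
    """One dict per row: who acted on whom, how, and under which image name."""
    events = []
    for blob in blobs:
        for m in EVENT_RE.finditer(blob):
            events.append({"src": int(m["src"]), "dst": int(m["dst"]),
                           "action": ACTION_TAG[m["action"]], "image": m["image"]})
    return events


def pair_actions(events):
    """Collapse repeated rows into {(src, dst): {"image", "actions", "rows"}}."""
    pairs = {}
    for e in events:
        p = pairs.setdefault((e["src"], e["dst"]),
                             {"image": e["image"], "actions": set(), "rows": 0})
        p["actions"].add(e["action"])
        p["rows"] += 1
    return pairs


def classify_injection(pairs):
    """Label each source/target pair the way an analyst reads these two tables.

    The labels are this example's own vocabulary, not the sandbox's."""
    image_of = {src: p["image"] for (src, _), p in pairs.items()}
    verdicts = []
    for (src, dst), p in sorted(pairs.items()):
        acts = p["actions"]
        if acts == {"write", "thread"} and image_of.get(dst) == p["image"]:
            why = "self-hollowing: writes into a child copy of itself, then redirects its thread"
        elif acts == {"thread"}:
            why = "thread hijack with no WriteProcessMemory row: payload placed by section mapping"
        elif acts == {"write"}:
            why = "memory writes only: consistent with ordinary child process creation"
        else:
            why = "write plus thread hijack into a foreign image"
        verdicts.append((src, dst, why))
    return verdicts


def payload_spans(blob):
    """Size of the YARA-tagged region per pid; repeated dumps of a pid must agree."""
    spans = {}
    for m in DUMP_RE.finditer(blob):
        pid, size = int(m["pid"]), int(m["hi"], 16) - int(m["lo"], 16)
        if spans.setdefault(pid, size) != size:
            raise ValueError(f"pid {pid}: YARA hits on regions of different sizes")
    return spans


if __name__ == "__main__":
    pairs = pair_actions(parse_events(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY))
    for src, dst, why in classify_injection(pairs):
        print(f"{src} ({pairs[(src, dst)]['image']}) -> {dst}: {why}")
    for pid, size in payload_spans(MEMORY_DUMPS).items():
        print(f"pid {pid}: xloader rule hit on a 0x{size:X} byte region")
```

Run against the rows above it yields five pairs: 1000 -> 2388 (self-hollowing), 2388 -> 3152 and 3864 -> 3152 (thread hijack into Explorer.EXE with no write rows), and 3152 -> 3864 and 3864 -> 4124 (plain child creation), with both YARA regions at 0x2B000 bytes.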
Processes

C:\Windows\Explorer.EXE  [PID 3152]
command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\WHMSHC22060125_SUR.exe  [PID 1000]
  command line: "C:\Users\Admin\AppData\Local\Temp\WHMSHC22060125_SUR.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\WHMSHC22060125_SUR.exe  [PID 2388]
    command line: "C:\Users\Admin\AppData\Local\Temp\WHMSHC22060125_SUR.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\ipconfig.exe  [PID 3864]
  command line: "C:\Windows\SysWOW64\ipconfig.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Gathers network information
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  [PID 4124]
    command line: /c del "C:\Users\Admin\AppData\Local\Temp\WHMSHC22060125_SUR.exe"

Reading the tree together with the signatures: Explorer.EXE (3152) starts the sample (1000), which hollows a second copy of itself (2388). That copy injects into Explorer.EXE, and Explorer then launches ipconfig.exe (3864) as the long-lived host for the payload. From there the hollowed ipconfig.exe writes the Run value, drops xxll2v90gzg4yfnh.exe under Program Files (x86)\Vjlkd, opens the IE IntelliForms store, and spawns cmd.exe (4124) to delete the original dropper from %TEMP%. Note that ipconfig.exe is a child of Explorer.EXE, not of the sample, so a parent/child rule on the dropper alone will not catch the persistent stage.