Analysis
-
max time kernel
168s -
max time network
176s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
20-06-2022 07:25
Static task
static1
Behavioral task
behavioral1
Sample
PROCUREMENT_001.js
Resource
win7-20220414-en
General
-
Target
PROCUREMENT_001.js
-
Size
396KB
-
MD5
ead2e4417e0ba32a086cbd96ffde7ce5
-
SHA1
0f47a3ec2a02054f1d54815544feaac77fb32793
-
SHA256
cbc74da583fc123ca5783a7c977f382af7a71a227888d95a9b8203bd0a2adf62
-
SHA512
e26c09f7e4318f62cc1e0f4f84e77cf28e6a3d68a0dfb20f84e8b849bc65bf06a4aca46c446c7ae7ea831b9ff047aa32fe6bb82b946e149d68bfa3df3f0efae4
Malware Config
Extracted
xloader
2.8
r4wf
eQLhwti8E4CX1m8bp0WK2Q==
axoAyf6nwR9Y43o1nFx+930=
vf9fMlHrgdcI
TRQU8PPgFWegAcLFsjQ5TUX2
CFXUiz7SjsLqcQ==
XKeIL6Nmg+8pokY+wjaooasXRQIt
NLSkgIdanO/4SNPAdlKUrIms7Q==
TTKhgqyuCnCmH7yGa12g8HXrnY/nKGI=
5X0d70pNfaYGRgI=
fXXOk9C1+U9bhkIBIqn8
dN7HmMiv/TtAgyP2tYrEG2Yq4Yw=
HRqUgbJeorn4Zg==
MZ7Sh6xm71vhCNLW
7iFsO188fKYGRgI=
o9VC9kgPVXmCz2gBIqn8
B0y+iMbD+lzhCNLW
ciUeBS0WbdHuVGH+xJU=
Q3334PeyxydNmzoBIqn8
kgHx3RbrgdcI
WQjgo8h9g6YGRgI=
5RSWW31YnAQ0ly3EKxV49Ju7soyJQA==
jnvHrOp+rylh3aQZihBxX5AXRQIt
UvzhyOTBC1WuFalOvTeQFGYq4Yw=
JZKCTnBTlejw6sWEQmBrwWQ=
PsvChalcbbW9/sl9iUyM/Y4MyIY=
twF0UY9YdMf/SOXm7kJHrIms7Q==
U8aniaNnU7TGF6KgX7kkEAfBuXDcuj58
d6kL7Q/Dsv8Qai4y5Dx+bHXrmY/nKGI=
Oy7kr7SLuiFlumMrnFx+930=
YKA43EILPp68Ls2R9Lu9Xg915Q==
OsbEm83iRasRDcDP
N7SzS9W0uRU3jEw+7ZvgQsW07A==
f3LUyOCo6jdfwW4AY1CXrIms7Q==
UVexkL12kKr2QwPEJZ0=
F5PLbMl0rduR24TB
yZuGQ1U5f6YGRgI=
HEOfhKiQJVuUF6ox6uNR0Q==
Y0y0eYw9Q5bD79Ruvg==
aILeq6iNyQqR24TB
dHbUZQWZqMpavHb50CBVrWo=
lEsUpuTUL4KuEa6EVT+F1B7Jgx0z
LDSDX4NENrXnVxAP2rblGjXr
blvKotCPoer5Rvy6VxBcwA==
KMS/ofYGorn4Zg==
EZW+YNdYd+M=
Bop1VFUuccfWIKWmp0WK2Q==
iQDv0R3h0/YxkBU=
NjOefp48RqfbFrOKbecxadZp8ZE=
kTsuEDj5OizhCNLW
w/RTHy0Lc7fSD97wsgCGrIms7Q==
8x18XKJyZ8T1aGH+xJU=
vmxeL0noCmyZBdKGyiE5TUX2
eF22k9DMDF2P/7CBQlx+930=
wO1QPF42ctH+cRIR1is5TUX2
HbqukMjFFHHhCNLW
D0qyl8BhFPRQybNMMafz
rPZqR1Xy/l2Z9H10TVx+930=
bJwP3QPxOZOO0no3oBxixV7nmo/nKGI=
mwL41gvf3SJgzbVlwoI=
dCYI1OqmwRErjloyoInfIWYq4Yw=
Sks251UsiN4K
6qGScqVeRZ7IIuHhx1R7o8aZiyMl
EDaaWIxK/t+R24TB
NSyQY6+MoLlHKmH+xJU=
heatedaffaisr.com
Extracted
vjw0rm
http://franmhort.duia.ro:8152
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\greatk.exe xloader C:\Users\Admin\AppData\Local\Temp\greatk.exe xloader behavioral1/memory/1740-68-0x0000000000090000-0x00000000000BC000-memory.dmp xloader behavioral1/memory/1740-72-0x0000000000090000-0x00000000000BC000-memory.dmp xloader -
Blocklisted process makes network request 5 IoCs
Processes:
wscript.exemsiexec.exeflow pid process 4 1528 wscript.exe 14 1740 msiexec.exe 18 1740 msiexec.exe 30 1528 wscript.exe 32 1740 msiexec.exe -
Executes dropped EXE 1 IoCs
Processes:
greatk.exepid process 860 greatk.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
greatk.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation greatk.exe -
Drops startup file 2 IoCs
Processes:
wscript.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TKlRbFxljO.js wscript.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TKlRbFxljO.js wscript.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
wscript.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\TKlRbFxljO.js\"" wscript.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
greatk.exemsiexec.exedescription pid process target process PID 860 set thread context of 1312 860 greatk.exe Explorer.EXE PID 1740 set thread context of 1312 1740 msiexec.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
Processes:
greatk.exemsiexec.exepid process 860 greatk.exe 860 greatk.exe 1740 msiexec.exe 1740 msiexec.exe 1740 msiexec.exe 1740 msiexec.exe 1740 msiexec.exe 1740 msiexec.exe 1740 msiexec.exe 1740 msiexec.exe 1740 msiexec.exe 1740 msiexec.exe 1740 msiexec.exe 1740 msiexec.exe 1740 msiexec.exe 1740 msiexec.exe 1740 msiexec.exe 1740 msiexec.exe 1740 msiexec.exe 1740 msiexec.exe 1740 msiexec.exe 1740 msiexec.exe 1740 msiexec.exe 1740 msiexec.exe 1740 msiexec.exe 1740 msiexec.exe 1740 msiexec.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
greatk.exemsiexec.exepid process 860 greatk.exe 860 greatk.exe 860 greatk.exe 1740 msiexec.exe 1740 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
greatk.exemsiexec.exedescription pid process Token: SeDebugPrivilege 860 greatk.exe Token: SeDebugPrivilege 1740 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1312 Explorer.EXE 1312 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1312 Explorer.EXE 1312 Explorer.EXE -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
wscript.exeExplorer.EXEmsiexec.exedescription pid process target process PID 532 wrote to memory of 1528 532 wscript.exe wscript.exe PID 532 wrote to memory of 1528 532 wscript.exe wscript.exe PID 532 wrote to memory of 1528 532 wscript.exe wscript.exe PID 532 wrote to memory of 860 532 wscript.exe greatk.exe PID 532 wrote to memory of 860 532 wscript.exe greatk.exe PID 532 wrote to memory of 860 532 wscript.exe greatk.exe PID 532 wrote to memory of 860 532 wscript.exe greatk.exe PID 1312 wrote to memory of 1740 1312 Explorer.EXE msiexec.exe PID 1312 wrote to memory of 1740 1312 Explorer.EXE msiexec.exe PID 1312 wrote to memory of 1740 1312 Explorer.EXE msiexec.exe PID 1312 wrote to memory of 1740 1312 Explorer.EXE msiexec.exe PID 1312 wrote to memory of 1740 1312 Explorer.EXE msiexec.exe PID 1312 wrote to memory of 1740 1312 Explorer.EXE msiexec.exe PID 1312 wrote to memory of 1740 1312 Explorer.EXE msiexec.exe PID 1740 wrote to memory of 1704 1740 msiexec.exe cmd.exe PID 1740 wrote to memory of 1704 1740 msiexec.exe cmd.exe PID 1740 wrote to memory of 1704 1740 msiexec.exe cmd.exe PID 1740 wrote to memory of 1704 1740 msiexec.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\PROCUREMENT_001.js2⤵
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TKlRbFxljO.js"3⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1528 -
C:\Users\Admin\AppData\Local\Temp\greatk.exe"C:\Users\Admin\AppData\Local\Temp\greatk.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:860 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\greatk.exe"3⤵PID:1704
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\greatk.exeFilesize
174KB
MD54e4fe9a1e4568efac0293fcaf431f2da
SHA1c17588029ab95904ab548b5c8fb4dc626e1d8d12
SHA256929b0c7d953ee579a49a6d4a9456a1a45a9f4e81933adf6a07b34d6669f096b6
SHA5127a323280ef25c208fbe726e5ba21200ec9af976f30da3ea330387afe95c41ad082404d4cd811672f0b7e9764759c8cc7b1b2252da242ff8253e429bb2cc7a461
-
C:\Users\Admin\AppData\Local\Temp\greatk.exeFilesize
174KB
MD54e4fe9a1e4568efac0293fcaf431f2da
SHA1c17588029ab95904ab548b5c8fb4dc626e1d8d12
SHA256929b0c7d953ee579a49a6d4a9456a1a45a9f4e81933adf6a07b34d6669f096b6
SHA5127a323280ef25c208fbe726e5ba21200ec9af976f30da3ea330387afe95c41ad082404d4cd811672f0b7e9764759c8cc7b1b2252da242ff8253e429bb2cc7a461
-
C:\Users\Admin\AppData\Roaming\TKlRbFxljO.jsFilesize
30KB
MD5e80c5a9f243cd8589446c7531265ad1c
SHA183fa6c700a036754f8f506ce7eea111cbb70fed8
SHA25681c5757f8a810180b55725f2778493af9ca1f25a87c7f9154646ceeac628cd37
SHA51224e26cba2e7076f2208306b93eadb61782d08029bda21433c682ba88333ab28225388a6823e7b566e5b18ce0b0a91dad20d64be59a03d5f22491a0a7496544ba
-
memory/532-54-0x000007FEFB6E1000-0x000007FEFB6E3000-memory.dmpFilesize
8KB
-
memory/860-57-0x0000000000000000-mapping.dmp
-
memory/860-60-0x0000000000790000-0x0000000000A93000-memory.dmpFilesize
3.0MB
-
memory/860-61-0x00000000001C0000-0x00000000001D1000-memory.dmpFilesize
68KB
-
memory/1312-71-0x0000000006530000-0x00000000065E6000-memory.dmpFilesize
728KB
-
memory/1312-62-0x0000000004C70000-0x0000000004E09000-memory.dmpFilesize
1.6MB
-
memory/1312-73-0x0000000006530000-0x00000000065E6000-memory.dmpFilesize
728KB
-
memory/1528-55-0x0000000000000000-mapping.dmp
-
memory/1704-66-0x0000000000000000-mapping.dmp
-
memory/1740-63-0x0000000000000000-mapping.dmp
-
memory/1740-68-0x0000000000090000-0x00000000000BC000-memory.dmpFilesize
176KB
-
memory/1740-69-0x0000000002250000-0x0000000002553000-memory.dmpFilesize
3.0MB
-
memory/1740-70-0x0000000000A60000-0x0000000000AF0000-memory.dmpFilesize
576KB
-
memory/1740-67-0x00000000009B0000-0x00000000009C4000-memory.dmpFilesize
80KB
-
memory/1740-72-0x0000000000090000-0x00000000000BC000-memory.dmpFilesize
176KB
-
memory/1740-64-0x0000000075711000-0x0000000075713000-memory.dmpFilesize
8KB