Analysis

max time kernel: 149s
max time network: 157s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-06-2022 04:18

Static task: static1
Behavioral task: behavioral1
Sample: shipping documents.exe
Resource: win7-20220414-en
General

Target: shipping documents.exe
Size: 545KB
MD5: 9c51dcdcbb9a4cab887c3036bf8acea5
SHA1: 7f0a99049ce06b600a89516d77adf3649593be21
SHA256: a12973c256e6565a0635fb0febaed5ed56f613d23b864df409f32f832a3af19f
SHA512: 3022ec309b092bb79990ffead9240b27b1973b27c73b6f31a74cabcf854be72b4d67c504ed4c9f4218e4dae37b1825a29185ff55a566d582b1d3a316d3332f58
Malware Config

Extracted
Family: xloader
Version: 2.9
Campaign: gfv7
C2: littlemountainnomad.com
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload (5 IoCs)
resource | yara_rule
behavioral1/memory/1376-62-0x0000000000400000-0x000000000042C000-memory.dmp | xloader
behavioral1/memory/1376-63-0x000000000041F810-mapping.dmp | xloader
behavioral1/memory/1376-69-0x0000000000400000-0x000000000042C000-memory.dmp | xloader
behavioral1/memory/1736-73-0x0000000000090000-0x00000000000BC000-memory.dmp | xloader
behavioral1/memory/1736-77-0x0000000000090000-0x00000000000BC000-memory.dmp | xloader
Blocklisted process makes network request (2 IoCs)
flow | pid | process
13 | 1736 | msiexec.exe
14 | 1736 | msiexec.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation | shipping documents.exe
Deletes itself (1 IoCs)
pid | process
940 | cmd.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Key created | \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LNU4L = "C:\\Program Files (x86)\\Myjlhb6b\\wind4d8qfwh.exe" | msiexec.exe
Suspicious use of SetThreadContext (3 IoCs)
description | pid | process | target process
PID 1948 set thread context of 1376 | 1948 | shipping documents.exe | shipping documents.exe
PID 1376 set thread context of 1304 | 1376 | shipping documents.exe | Explorer.EXE
PID 1736 set thread context of 1304 | 1736 | msiexec.exe | Explorer.EXE
Drops file in Program Files directory (1 IoCs)
description | ioc | process
File opened for modification | C:\Program Files (x86)\Myjlhb6b\wind4d8qfwh.exe | msiexec.exe
Modifies Internet Explorer settings
description | ioc | process
Key created | \Registry\User\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | msiexec.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid | process
1376 | shipping documents.exe (2 occurrences)
1736 | msiexec.exe (18 occurrences)
Suspicious behavior: MapViewOfSection (7 IoCs)
pid | process
1376 | shipping documents.exe (3 occurrences)
1736 | msiexec.exe (4 occurrences)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 1376 | shipping documents.exe
Token: SeDebugPrivilege | 1736 | msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | process
1304 | Explorer.EXE (2 occurrences)
Suspicious use of SendNotifyMessage (2 IoCs)
pid | process
1304 | Explorer.EXE (2 occurrences)
Suspicious use of WriteProcessMemory (23 IoCs)
description | pid | process | target process
PID 1948 wrote to memory of 1376 | 1948 | shipping documents.exe | shipping documents.exe (7 occurrences)
PID 1304 wrote to memory of 1736 | 1304 | Explorer.EXE | msiexec.exe (7 occurrences)
PID 1736 wrote to memory of 940 | 1736 | msiexec.exe | cmd.exe (4 occurrences)
PID 1736 wrote to memory of 800 | 1736 | msiexec.exe | Firefox.exe (5 occurrences)
Processes

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\shipping documents.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\shipping documents.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\shipping documents.exe
        Command line: "{path}"
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\msiexec.exe
      Command line: "C:\Windows\SysWOW64\msiexec.exe"
      - Blocklisted process makes network request
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: /c del "C:\Users\Admin\AppData\Local\Temp\shipping documents.exe"
        - Deletes itself

    [3] C:\Program Files\Mozilla Firefox\Firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Downloads

- memory/940-71-0x0000000000000000-mapping.dmp
- memory/1304-67-0x0000000006ED0000-0x0000000007031000-memory.dmp (1.4MB)
- memory/1304-78-0x0000000007040000-0x000000000718C000-memory.dmp (1.3MB)
- memory/1304-76-0x0000000007040000-0x000000000718C000-memory.dmp (1.3MB)
- memory/1376-66-0x0000000000220000-0x0000000000231000-memory.dmp (68KB)
- memory/1376-69-0x0000000000400000-0x000000000042C000-memory.dmp (176KB)
- memory/1376-60-0x0000000000400000-0x000000000042C000-memory.dmp (176KB)
- memory/1376-62-0x0000000000400000-0x000000000042C000-memory.dmp (176KB)
- memory/1376-63-0x000000000041F810-mapping.dmp
- memory/1376-65-0x0000000000810000-0x0000000000B13000-memory.dmp (3.0MB)
- memory/1376-59-0x0000000000400000-0x000000000042C000-memory.dmp (176KB)
- memory/1736-68-0x0000000000000000-mapping.dmp
- memory/1736-72-0x0000000000810000-0x0000000000824000-memory.dmp (80KB)
- memory/1736-73-0x0000000000090000-0x00000000000BC000-memory.dmp (176KB)
- memory/1736-74-0x0000000002390000-0x0000000002693000-memory.dmp (3.0MB)
- memory/1736-75-0x0000000000B50000-0x0000000000BE0000-memory.dmp (576KB)
- memory/1736-77-0x0000000000090000-0x00000000000BC000-memory.dmp (176KB)
- memory/1948-58-0x0000000000A40000-0x0000000000A72000-memory.dmp (200KB)
- memory/1948-54-0x0000000001300000-0x000000000138E000-memory.dmp (568KB)
- memory/1948-57-0x00000000056F0000-0x0000000005776000-memory.dmp (536KB)
- memory/1948-56-0x0000000000440000-0x000000000044A000-memory.dmp (40KB)
- memory/1948-55-0x0000000075401000-0x0000000075403000-memory.dmp (8KB)