Analysis
-
max time kernel
148s -
max time network
147s -
platform
windows10_x64 -
resource
win10-20220414-en -
submitted
21/06/2022, 08:31
Static task
static1
General
-
Target
9454ba36d9a763b8543f599961cafb7a33397340ccb59b17921748771d49cd43.exe
-
Size
99KB
-
MD5
fc2ab61fce7f203add8bd65a77df7de5
-
SHA1
423261d0362864ecc99f05a726a940b33b69f5df
-
SHA256
9454ba36d9a763b8543f599961cafb7a33397340ccb59b17921748771d49cd43
-
SHA512
5c91637dd9083b7a1c98ccf0ad852582710ffe2d733e285e733439a1a0cae3535a1b2473f7d8e6a83ebc0545a106d806c896ae84d62bbe76077dfaeac8686e79
Malware Config
Extracted
xloader
2.6
uu0p
easeupp.com
ffffcc.xyz
commercialsymposium.com
bahamascargologistics.com
avajwelr.xyz
flipwatch.xyz
serprobumar.com
zlasher.store
zxlsn6.com
xiaojiaowanwan.com
hrkpacking.com
visitprnow.com
stkjzz.com
printfusion.net
blackoakssavannah.com
yuiseika.com
watnefarms.com
oneclickmsp.com
niu-tou.com
wholytraffic.com
selfplce.com
05mac.com
galaxy-med-systems.com
fokustestvoronka.online
enhandednice.com
ojay.xyz
silvermilecap.com
purintonco.online
halvesnwholes.com
visionsbeyondthelight.com
weightin.gold
doublelotusacu.com
mingoenterprises.net
kilostunners.store
hoken-soudan.life
frontporchbliss.com
meditransit.net
supertiresandwheels.com
novusr.com
sinvrealestate.com
princesscuttexas.com
chappyportal.com
jca-okayama.com
apefestotherside.com
yvesmoreaux.com
etsportscenter.net
needel.online
daidokorokara.net
aih.healthcare
click-tokens.com
frontrangeimages.com
lmwyldjkl2.top
ut1r92k4.xyz
the13thflooraustin.com
0531ddcc.com
souduresmartin.com
alphadegenclub.com
enjoypresenting.com
inter-ascot.com
obsidiancult.com
zxlh03.top
enoccomunicaciones.com
nft-coinsbase.com
cocovale.design
wona-nyc.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
Xloader Payload 5 IoCs
resource yara_rule behavioral1/memory/208-240-0x000000000041F260-mapping.dmp xloader behavioral1/memory/208-247-0x0000000000400000-0x000000000042B000-memory.dmp xloader behavioral1/memory/208-269-0x0000000000400000-0x000000000042B000-memory.dmp xloader behavioral1/memory/3300-313-0x0000000003200000-0x000000000322B000-memory.dmp xloader behavioral1/memory/3300-322-0x0000000003200000-0x000000000322B000-memory.dmp xloader -
Adds policy Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run msdt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BBMDP6GHH4V = "C:\\Program Files (x86)\\Sffj82\\alrt54vjjo.exe" msdt.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 3984 set thread context of 208 3984 9454ba36d9a763b8543f599961cafb7a33397340ccb59b17921748771d49cd43.exe 69 PID 208 set thread context of 3028 208 InstallUtil.exe 17 PID 3300 set thread context of 3028 3300 msdt.exe 17 -
Drops file in Program Files directory 1 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Sffj82\alrt54vjjo.exe msdt.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 1 IoCs
pid Process 3816 timeout.exe -
description ioc Process Key created \Registry\User\S-1-5-21-3578829114-180201921-3281645608-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 msdt.exe -
Suspicious behavior: EnumeratesProcesses 48 IoCs
pid Process 3984 9454ba36d9a763b8543f599961cafb7a33397340ccb59b17921748771d49cd43.exe 3984 9454ba36d9a763b8543f599961cafb7a33397340ccb59b17921748771d49cd43.exe 208 InstallUtil.exe 208 InstallUtil.exe 208 InstallUtil.exe 208 InstallUtil.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3028 Explorer.EXE -
Suspicious behavior: MapViewOfSection 7 IoCs
pid Process 208 InstallUtil.exe 208 InstallUtil.exe 208 InstallUtil.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe 3300 msdt.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3984 9454ba36d9a763b8543f599961cafb7a33397340ccb59b17921748771d49cd43.exe Token: SeDebugPrivilege 208 InstallUtil.exe Token: SeDebugPrivilege 3300 msdt.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 3984 wrote to memory of 2676 3984 9454ba36d9a763b8543f599961cafb7a33397340ccb59b17921748771d49cd43.exe 66 PID 3984 wrote to memory of 2676 3984 9454ba36d9a763b8543f599961cafb7a33397340ccb59b17921748771d49cd43.exe 66 PID 3984 wrote to memory of 2676 3984 9454ba36d9a763b8543f599961cafb7a33397340ccb59b17921748771d49cd43.exe 66 PID 2676 wrote to memory of 3816 2676 cmd.exe 68 PID 2676 wrote to memory of 3816 2676 cmd.exe 68 PID 2676 wrote to memory of 3816 2676 cmd.exe 68 PID 3984 wrote to memory of 208 3984 9454ba36d9a763b8543f599961cafb7a33397340ccb59b17921748771d49cd43.exe 69 PID 3984 wrote to memory of 208 3984 9454ba36d9a763b8543f599961cafb7a33397340ccb59b17921748771d49cd43.exe 69 PID 3984 wrote to memory of 208 3984 9454ba36d9a763b8543f599961cafb7a33397340ccb59b17921748771d49cd43.exe 69 PID 3984 wrote to memory of 208 3984 9454ba36d9a763b8543f599961cafb7a33397340ccb59b17921748771d49cd43.exe 69 PID 3984 wrote to memory of 208 3984 9454ba36d9a763b8543f599961cafb7a33397340ccb59b17921748771d49cd43.exe 69 PID 3984 wrote to memory of 208 3984 9454ba36d9a763b8543f599961cafb7a33397340ccb59b17921748771d49cd43.exe 69 PID 3028 wrote to memory of 3300 3028 Explorer.EXE 70 PID 3028 wrote to memory of 3300 3028 Explorer.EXE 70 PID 3028 wrote to memory of 3300 3028 Explorer.EXE 70 PID 3300 wrote to memory of 2700 3300 msdt.exe 71 PID 3300 wrote to memory of 2700 3300 msdt.exe 71 PID 3300 wrote to memory of 2700 3300 msdt.exe 71 PID 3300 wrote to memory of 1924 3300 msdt.exe 73 PID 3300 wrote to memory of 1924 3300 msdt.exe 73 PID 3300 wrote to memory of 1924 3300 msdt.exe 73 PID 3300 wrote to memory of 3360 3300 msdt.exe 75 PID 3300 wrote to memory of 3360 3300 msdt.exe 75 PID 3300 wrote to memory of 3360 3300 msdt.exe 75
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Users\Admin\AppData\Local\Temp\9454ba36d9a763b8543f599961cafb7a33397340ccb59b17921748771d49cd43.exe"C:\Users\Admin\AppData\Local\Temp\9454ba36d9a763b8543f599961cafb7a33397340ccb59b17921748771d49cd43.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3984 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 203⤵
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\timeout.exetimeout 204⤵
- Delays execution with timeout.exe
PID:3816
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:208
-
-
-
C:\Windows\SysWOW64\msdt.exe"C:\Windows\SysWOW64\msdt.exe"2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"3⤵PID:2700
-
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V3⤵PID:1924
-
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵PID:3360
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
40KB
MD5b608d407fc15adea97c26936bc6f03f6
SHA1953e7420801c76393902c0d6bb56148947e41571
SHA256b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4