Resubmissions
21/06/2022, 09:20  220621-lazeyscffm  10

Analysis
max time kernel: 147s
max time network: 155s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21/06/2022, 09:20
Behavioral task: behavioral1
Sample: pay2.exe
Resource: win7-20220414-en
General
Target: pay2.exe
Size: 174KB
MD5: 4b052ae067d179b1e9626c250771002e
SHA1: a37c079cc492f9ebcb5fefc440db929007e3f409
SHA256: c4692b54a5619346cd90557fc71a3bcb9a5712d40b5e30411a87f4bec4697005
SHA512: ea186cfbaac1e7fbaff049c258eb3b10c6d11fb01415dc2c4e4292637cba825697e360170803338d451aa333d6c7a4e78223d8c37f73a7ab6a70b65a7e656ce2
Malware Config
Extracted
xloader
2.8
utg6
HH9H3kXZHIk0wrXfJq4s5Q==
dJojMwcUlkY3/12Ghl4=
M97sg6hotTOvNY1D
6o+YPIQARtqPHA4sKdmWYke8FA==
Pt71lrWLDblvQJ9A
K0fU6/BseTox+kSSmYQw5NtN00EV7tXr
4sohLE0CeRrTl+2X03jpYke8FA==
zrcKky6asFs+yUeWmQ==
VodJdmzh+A==
gobc7RDsOEAw9A==
xEYVn8uhKPPkPWuJo43QVuWhzgLM
Fw9Ybr9DXRz9jnd/jXvyYke8FA==
VCyIpJ9WjQS9AUudt5mWvMjCzE4=
0a6vT2kQTs1+SYepk6NO
TGCqvhzKUAj3RWvPX/5G
h4bU7i39XUJV4szsQt9e/A==
vwqYIIH/DLW3bpeqo3HpYke8FA==
vxbocZI8hKNcZb9Moli2Yv0dHg==
7JCQHUYhm19m7lrqPADuDrOhzgLM
gJjwBFXqM6BPYIxcaVY=
WYIgwTrqZQGsZbXL+PhR
KgZciArIHaFgamqJiWNdf06wJKXE
wZTaBoYqaPCuscppu3S2YTPnXIwV7tXr
NHsMkedknR+6CS+x2N5XPQWw
S/TxBpFMlwC28DmHhDhu+LOhzgLM
T5koS4H1Nch/iJC+6Yo3TuH+CEkA/ts=
1rvxCZROuEe9DhJch18=
KaxpFKG2wPS9+VbBPUn1n0S4
JhBkc8xMWSMxNkKOy3u0w4E=
MHUGjeB2vkgOxwKUJq4s5Q==
qGZvI3kPEcKCR4nfJq4s5Q==
oIrHwQHPIaNi6XsbeDTt7Q==
yc4MEk0V3skwRjs=
mEBH0fncP79+vdfn+ObrEt8TEEkA/ts=
dZoswFAcrnokNl+MnnHsYke8FA==
5OkmQrlCTQm36+lX
ms5RddVuqiL1PmrPX/5G
47fByGIP4oh1
Tuvnd5paqRveLIxcaVY=
KQpN+Bfe8JpFTzk=
3Q+uQqhS1oBGyUeWmQ==
I8zS5FwEVuirvBWjzHu0w4E=
Xsnefbe/NLR7
ZcmcQrdFXiYYX6ZKpGpdgzcxDEkA/ts=
qQbDVdWUolIZ7gtI
r/B9q+deOEAw9A==
a+jHZXcxhQbB+UWNiEIwPtXwJVjT4NQ=
xfd2BJxuFckwRjs=
gjRJa9peOEAw9A==
AHBF3Ta66MkwRjs=
0DQPpwW1BYNNyUeWmQ==
MjRyieFfoHPB/azPX/5G
h5rUfrs2eQhvQJ9A
6JyirxST08DN2BccXWKRyMjCzE4=
/jO+R7tYrIt4/GTPX/5G
LGzpEm8Yj1tf4OxAkjhq3XNkSFEV7tXr
PNTt91DJB5tSWoxcaVY=
BHxU+jEHtja36+lX
AVnS6zey83kcKTuMzHu0w4E=
N2LwByXjYiwR3hlqnSVW4J2Z3xjV
21Qhs8VuzJ0NGCI=
CXl2DSDgqV1QkgZelaFO
BzbD3QrpOEAw9A==
oKTh9lvw8JpFTzk=
propagandefilms.com
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload 4 IoCs
resource                                                                      yara_rule
behavioral1/memory/2024-61-0x0000000000080000-0x00000000000AC000-memory.dmp   xloader
behavioral1/memory/2024-64-0x0000000000080000-0x00000000000AC000-memory.dmp   xloader
behavioral1/files/0x000800000001230e-68.dat                                   xloader
behavioral1/files/0x000800000001230e-70.dat                                   xloader
Executes dropped EXE 1 IoCs
pid   Process
872   user7nmtbv.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description         ioc                                                                                                     Process
Key value queried   \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation   pay2.exe
Deletes itself 1 IoCs
pid    Process
1744   cmd.exe
Adds Run key to start application 2 TTPs 2 IoCs
description       ioc                                                                                                                                       Process
Key created       \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run                                                               systray.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JX4LG0T0V6 = "C:\\Program Files (x86)\\Nljod5z\\user7nmtbv.exe"   systray.exe
Suspicious use of SetThreadContext 2 IoCs
description                           pid    Process       procid_target
PID 800 set thread context of 1212    800    pay2.exe      15
PID 2024 set thread context of 1212   2024   systray.exe   15
Drops file in Program Files directory 2 IoCs
description                    ioc                                             Process
File created                   C:\Program Files (x86)\Nljod5z\user7nmtbv.exe   Explorer.EXE
File opened for modification   C:\Program Files (x86)\Nljod5z\user7nmtbv.exe   systray.exe
Modifies Internet Explorer settings 1 IoCs
description   ioc                                                                                                                        Process
Key created   \Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2   systray.exe
Suspicious behavior: EnumeratesProcesses 27 IoCs
pid    Process
800    pay2.exe (2 entries)
2024   systray.exe (22 entries)
872    user7nmtbv.exe
2024   systray.exe (2 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid    Process
1212   Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs
pid    Process
800    pay2.exe (3 entries)
2024   systray.exe (4 entries)
Suspicious use of AdjustPrivilegeToken 3 IoCs
description               pid    Process
Token: SeDebugPrivilege   800    pay2.exe
Token: SeDebugPrivilege   2024   systray.exe
Token: SeDebugPrivilege   872    user7nmtbv.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid    Process
1212   Explorer.EXE (2 entries)
Suspicious use of SendNotifyMessage 2 IoCs
pid    Process
1212   Explorer.EXE (2 entries)
Suspicious use of WriteProcessMemory 17 IoCs
description                       pid    Process        procid_target   entries
PID 1212 wrote to memory of 2024   1212   Explorer.EXE   28              4
PID 2024 wrote to memory of 1744   2024   systray.exe    29              4
PID 2024 wrote to memory of 460    2024   systray.exe    32              5
PID 1212 wrote to memory of 872    1212   Explorer.EXE   33              4
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1212
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\pay2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\pay2.exe"
    PID: 800
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\systray.exe
    Command line: "C:\Windows\SysWOW64\systray.exe"
    PID: 2024
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\pay2.exe"
      PID: 1744
      - Deletes itself

    C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
      PID: 460

  C:\Program Files (x86)\Nljod5z\user7nmtbv.exe
    Command line: "C:\Program Files (x86)\Nljod5z\user7nmtbv.exe"
    PID: 872
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 174KB
MD5: 4b052ae067d179b1e9626c250771002e
SHA1: a37c079cc492f9ebcb5fefc440db929007e3f409
SHA256: c4692b54a5619346cd90557fc71a3bcb9a5712d40b5e30411a87f4bec4697005
SHA512: ea186cfbaac1e7fbaff049c258eb3b10c6d11fb01415dc2c4e4292637cba825697e360170803338d451aa333d6c7a4e78223d8c37f73a7ab6a70b65a7e656ce2

Filesize: 174KB
MD5: 4b052ae067d179b1e9626c250771002e
SHA1: a37c079cc492f9ebcb5fefc440db929007e3f409
SHA256: c4692b54a5619346cd90557fc71a3bcb9a5712d40b5e30411a87f4bec4697005
SHA512: ea186cfbaac1e7fbaff049c258eb3b10c6d11fb01415dc2c4e4292637cba825697e360170803338d451aa333d6c7a4e78223d8c37f73a7ab6a70b65a7e656ce2