Resubmissions
21/06/2022, 09:20
220621-lazeyscffm 10
Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21/06/2022, 09:20
Behavioral task: behavioral1
Sample: pay2.exe
Resource: win7-20220414-en
General
Target: pay2.exe
Size: 174KB
MD5: 4b052ae067d179b1e9626c250771002e
SHA1: a37c079cc492f9ebcb5fefc440db929007e3f409
SHA256: c4692b54a5619346cd90557fc71a3bcb9a5712d40b5e30411a87f4bec4697005
SHA512: ea186cfbaac1e7fbaff049c258eb3b10c6d11fb01415dc2c4e4292637cba825697e360170803338d451aa333d6c7a4e78223d8c37f73a7ab6a70b65a7e656ce2
Malware Config
Extracted
xloader
2.8
utg6
propagandefilms.com
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Xloader Payload 4 IoCs
resource | yara_rule
behavioral2/memory/664-135-0x0000000000F30000-0x0000000000F5C000-memory.dmp | xloader
behavioral2/memory/664-139-0x0000000000F30000-0x0000000000F5C000-memory.dmp | xloader
behavioral2/files/0x0006000000023330-148.dat | xloader
behavioral2/files/0x0006000000023330-149.dat | xloader
Adds policy Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | msdt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\K6ADFTBP = "C:\\Program Files (x86)\\D9r0tsbm\\8pxdufwvxg4rtb.exe" | msdt.exe
Executes dropped EXE 1 IoCs
pid | Process
952 | 8pxdufwvxg4rtb.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | pay2.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 1868 set thread context of 3168 | 1868 | pay2.exe | 31
PID 664 set thread context of 3168 | 664 | msdt.exe | 31
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\D9r0tsbm\8pxdufwvxg4rtb.exe | msdt.exe
File opened for modification | C:\Program Files (x86)\D9r0tsbm | Explorer.EXE
File created | C:\Program Files (x86)\D9r0tsbm\8pxdufwvxg4rtb.exe | Explorer.EXE
File opened for modification | C:\Program Files (x86)\D9r0tsbm\8pxdufwvxg4rtb.exe | Explorer.EXE
Modifies Internet Explorer settings
description | ioc | Process
Key created | \Registry\User\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | msdt.exe
Suspicious behavior: EnumeratesProcesses 58 IoCs
pid | Process
1868 | pay2.exe (4 entries)
664 | msdt.exe (38 entries)
952 | 8pxdufwvxg4rtb.exe (2 entries)
664 | msdt.exe (14 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3168 | Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs
pid | Process
1868 | pay2.exe
1868 | pay2.exe
1868 | pay2.exe
664 | msdt.exe
664 | msdt.exe
664 | msdt.exe
664 | msdt.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1868 | pay2.exe
Token: SeDebugPrivilege | 664 | msdt.exe
Token: SeDebugPrivilege | 952 | 8pxdufwvxg4rtb.exe
Suspicious use of WriteProcessMemory 18 IoCs
description | pid | Process | procid_target
PID 3168 wrote to memory of 664 | 3168 | Explorer.EXE | 81
PID 3168 wrote to memory of 664 | 3168 | Explorer.EXE | 81
PID 3168 wrote to memory of 664 | 3168 | Explorer.EXE | 81
PID 664 wrote to memory of 4548 | 664 | msdt.exe | 84
PID 664 wrote to memory of 4548 | 664 | msdt.exe | 84
PID 664 wrote to memory of 4548 | 664 | msdt.exe | 84
PID 664 wrote to memory of 2444 | 664 | msdt.exe | 93
PID 664 wrote to memory of 2444 | 664 | msdt.exe | 93
PID 664 wrote to memory of 2444 | 664 | msdt.exe | 93
PID 664 wrote to memory of 3712 | 664 | msdt.exe | 95
PID 664 wrote to memory of 3712 | 664 | msdt.exe | 95
PID 664 wrote to memory of 3712 | 664 | msdt.exe | 95
PID 664 wrote to memory of 4944 | 664 | msdt.exe | 97
PID 664 wrote to memory of 4944 | 664 | msdt.exe | 97
PID 664 wrote to memory of 4944 | 664 | msdt.exe | 97
PID 3168 wrote to memory of 952 | 3168 | Explorer.EXE | 98
PID 3168 wrote to memory of 952 | 3168 | Explorer.EXE | 98
PID 3168 wrote to memory of 952 | 3168 | Explorer.EXE | 98
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3168
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\pay2.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\pay2.exe"
    PID: 1868
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\msdt.exe
    command line: "C:\Windows\SysWOW64\msdt.exe"
    PID: 664
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\pay2.exe"
      PID: 4548
    C:\Windows\SysWOW64\cmd.exe
      command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
      PID: 2444
    C:\Windows\SysWOW64\cmd.exe
      command line: /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
      PID: 3712
    C:\Program Files\Mozilla Firefox\Firefox.exe
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
      PID: 4944
  C:\Program Files (x86)\D9r0tsbm\8pxdufwvxg4rtb.exe
    command line: "C:\Program Files (x86)\D9r0tsbm\8pxdufwvxg4rtb.exe"
    PID: 952
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 174KB
MD5: 4b052ae067d179b1e9626c250771002e
SHA1: a37c079cc492f9ebcb5fefc440db929007e3f409
SHA256: c4692b54a5619346cd90557fc71a3bcb9a5712d40b5e30411a87f4bec4697005
SHA512: ea186cfbaac1e7fbaff049c258eb3b10c6d11fb01415dc2c4e4292637cba825697e360170803338d451aa333d6c7a4e78223d8c37f73a7ab6a70b65a7e656ce2
Filesize: 40KB
MD5: b608d407fc15adea97c26936bc6f03f6
SHA1: 953e7420801c76393902c0d6bb56148947e41571
SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Filesize: 48KB
MD5: 349e6eb110e34a08924d92f6b334801d
SHA1: bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256: c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512: 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574