Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21/06/2022, 09:23
Behavioral task: behavioral1
Sample: 1.exe
Resource: win7-20220414-en
General
Target: 1.exe
Size: 176KB
MD5: 509edfdb29a62b6e704548051f8288d7
SHA1: 092709e1a4bdb9e154201f243faf7be0a6754806
SHA256: 61f7409c356d9376b580f156b4b775fb91aa34a4687642bc9c7f4673cffca0ca
SHA512: 10f97e788c0753de73f47ce30eb0617d84db1731e3279aa96343ce7fbf77b6ae6b073a6fad3dfafd26bbf10928a0ce1daf35aa382d8d2b717d182aab235ee954
Malware Config
Extracted
Family: xloader
Version: 2.8
Campaign: uniz
senior-living-homes1.life
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload (4 IoCs)
resource / yara_rule:
- behavioral1/memory/876-61-0x0000000000080000-0x00000000000AC000-memory.dmp / xloader
- behavioral1/memory/876-64-0x0000000000080000-0x00000000000AC000-memory.dmp / xloader
- behavioral1/files/0x0006000000015027-68.dat / xloader
- behavioral1/files/0x0006000000015027-70.dat / xloader
Adds policy Run key to start application (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: cmmon32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JRMXEFPPWFM = "C:\\Program Files (x86)\\Ger1tiv_h\\mfcer-p6tep.exe" (process: cmmon32.exe)

Executes dropped EXE (1 IoCs)
- PID 1564: mfcer-p6tep.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\International\Geo\Nation (process: 1.exe)

Deletes itself (1 IoCs)
- PID 964: cmd.exe

Suspicious use of SetThreadContext (2 IoCs)
- PID 1520 set thread context of 1296 (process: 1.exe, procid_target: 14)
- PID 876 set thread context of 1296 (process: cmmon32.exe, procid_target: 14)

Drops file in Program Files directory (2 IoCs)
- File opened for modification: C:\Program Files (x86)\Ger1tiv_h\mfcer-p6tep.exe (process: cmmon32.exe)
- File created: C:\Program Files (x86)\Ger1tiv_h\mfcer-p6tep.exe (process: Explorer.EXE)

Modifies Internet Explorer settings (1 IoCs)
- Key created: \Registry\User\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (process: cmmon32.exe)
Suspicious behavior: EnumeratesProcesses (27 IoCs)
- PID 1520: 1.exe (2 entries)
- PID 876: cmmon32.exe (multiple entries)
- PID 1564: mfcer-p6tep.exe (1 entry)

Suspicious behavior: MapViewOfSection (7 IoCs)
- PID 1520: 1.exe (3 entries)
- PID 876: cmmon32.exe (4 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, PID 1520 (1.exe)
- Token: SeDebugPrivilege, PID 876 (cmmon32.exe)
- Token: SeDebugPrivilege, PID 1564 (mfcer-p6tep.exe)

Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 1296: Explorer.EXE (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
- PID 1296: Explorer.EXE (2 entries)

Suspicious use of WriteProcessMemory (17 IoCs)
- PID 1296 wrote to memory of 876 (process: Explorer.EXE, procid_target: 28), 4 entries
- PID 876 wrote to memory of 964 (process: cmmon32.exe, procid_target: 29), 4 entries
- PID 876 wrote to memory of 1812 (process: cmmon32.exe, procid_target: 32), 5 entries
- PID 1296 wrote to memory of 1564 (process: Explorer.EXE, procid_target: 33), 4 entries
Processes
C:\Windows\Explorer.EXE (PID 1296)
  command line: C:\Windows\Explorer.EXE
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\1.exe (PID 1520)
    command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmmon32.exe (PID 876)
    command line: "C:\Windows\SysWOW64\cmmon32.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 964)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\1.exe"
      - Deletes itself

    C:\Program Files\Mozilla Firefox\Firefox.exe (PID 1812)
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

  C:\Program Files (x86)\Ger1tiv_h\mfcer-p6tep.exe (PID 1564)
    command line: "C:\Program Files (x86)\Ger1tiv_h\mfcer-p6tep.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads (2 entries with identical hashes, matching the submitted sample)
Filesize: 176KB
MD5: 509edfdb29a62b6e704548051f8288d7
SHA1: 092709e1a4bdb9e154201f243faf7be0a6754806
SHA256: 61f7409c356d9376b580f156b4b775fb91aa34a4687642bc9c7f4673cffca0ca
SHA512: 10f97e788c0753de73f47ce30eb0617d84db1731e3279aa96343ce7fbf77b6ae6b073a6fad3dfafd26bbf10928a0ce1daf35aa382d8d2b717d182aab235ee954