Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21/06/2022, 09:23
Behavioral task: behavioral1
- Sample: 1.exe
- Resource: win7-20220414-en
General
- Target: 1.exe
- Size: 176KB
- MD5: 509edfdb29a62b6e704548051f8288d7
- SHA1: 092709e1a4bdb9e154201f243faf7be0a6754806
- SHA256: 61f7409c356d9376b580f156b4b775fb91aa34a4687642bc9c7f4673cffca0ca
- SHA512: 10f97e788c0753de73f47ce30eb0617d84db1731e3279aa96343ce7fbf77b6ae6b073a6fad3dfafd26bbf10928a0ce1daf35aa382d8d2b717d182aab235ee954
Malware Config
Extracted
- Family: xloader
- Version: 2.8
- Campaign: uniz
- Domain: senior-living-homes1.life
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Xloader Payload (4 IoCs)
  resource / yara_rule:
  - behavioral2/memory/4644-137-0x0000000000340000-0x000000000036C000-memory.dmp: xloader
  - behavioral2/memory/4644-140-0x0000000000340000-0x000000000036C000-memory.dmp: xloader
  - behavioral2/files/0x0003000000000721-147.dat: xloader
  - behavioral2/files/0x0003000000000721-148.dat: xloader
- Executes dropped EXE (1 IoCs)
  - pid 4928, process chkdskp6ql.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  - Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (process: 1.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Key created: \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (process: NETSTAT.EXE)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XBML08-X = "C:\\Program Files (x86)\\Dqdf8\\chkdskp6ql.exe" (process: NETSTAT.EXE)
- Suspicious use of SetThreadContext (2 IoCs)
  - PID 1088 (1.exe) set thread context of 3084 (procid_target 44)
  - PID 4644 (NETSTAT.EXE) set thread context of 3084 (procid_target 44)
- Drops file in Program Files directory (4 IoCs)
  - File opened for modification: C:\Program Files (x86)\Dqdf8\chkdskp6ql.exe (process: NETSTAT.EXE)
  - File opened for modification: C:\Program Files (x86)\Dqdf8 (process: Explorer.EXE)
  - File created: C:\Program Files (x86)\Dqdf8\chkdskp6ql.exe (process: Explorer.EXE)
  - File opened for modification: C:\Program Files (x86)\Dqdf8\chkdskp6ql.exe (process: Explorer.EXE)
- Gathers network information (2 TTPs, 1 IoCs)
  Uses a command-line utility to view network configuration.
  - pid 4644, process NETSTAT.EXE
- Modifies Internet Explorer settings (1 IoCs)
  - Key created: \Registry\User\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (process: NETSTAT.EXE)
- Suspicious behavior: EnumeratesProcesses (60 IoCs)
  - 60 entries in total: pid 1088 1.exe (4 entries), pid 4928 chkdskp6ql.exe (2 entries), all remaining entries pid 4644 NETSTAT.EXE
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  - pid 3084, process Explorer.EXE
- Suspicious behavior: MapViewOfSection (7 IoCs)
  - pid 1088 1.exe (3 entries), pid 4644 NETSTAT.EXE (4 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  - Token: SeDebugPrivilege, pid 1088 (1.exe)
  - Token: SeDebugPrivilege, pid 4644 (NETSTAT.EXE)
  - Token: SeDebugPrivilege, pid 4928 (chkdskp6ql.exe)
- Suspicious use of WriteProcessMemory (18 IoCs)
  Each write appears three times in the raw log; listed once here with the repeat count.
  - PID 3084 (Explorer.EXE) wrote to memory of 4644 (procid_target 79), x3
  - PID 4644 (NETSTAT.EXE) wrote to memory of 1988 (procid_target 80), x3
  - PID 4644 (NETSTAT.EXE) wrote to memory of 3992 (procid_target 89), x3
  - PID 4644 (NETSTAT.EXE) wrote to memory of 2960 (procid_target 91), x3
  - PID 4644 (NETSTAT.EXE) wrote to memory of 4448 (procid_target 93), x3
  - PID 3084 (Explorer.EXE) wrote to memory of 4928 (procid_target 94), x3
Processes
- C:\Windows\Explorer.EXE, command line "C:\Windows\Explorer.EXE" (PID 3084)
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\1.exe, command line "C:\Users\Admin\AppData\Local\Temp\1.exe" (PID 1088)
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\NETSTAT.EXE, command line "C:\Windows\SysWOW64\NETSTAT.EXE" (PID 4644)
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Gathers network information
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe, command line /c del "C:\Users\Admin\AppData\Local\Temp\1.exe" (PID 1988)
    - C:\Windows\SysWOW64\cmd.exe, command line /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V (PID 3992)
    - C:\Windows\SysWOW64\cmd.exe, command line /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V (PID 2960)
    - C:\Program Files\Mozilla Firefox\Firefox.exe, command line "C:\Program Files\Mozilla Firefox\Firefox.exe" (PID 4448)
  - C:\Program Files (x86)\Dqdf8\chkdskp6ql.exe, command line "C:\Program Files (x86)\Dqdf8\chkdskp6ql.exe" (PID 4928)
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 176KB
  MD5: 509edfdb29a62b6e704548051f8288d7
  SHA1: 092709e1a4bdb9e154201f243faf7be0a6754806
  SHA256: 61f7409c356d9376b580f156b4b775fb91aa34a4687642bc9c7f4673cffca0ca
  SHA512: 10f97e788c0753de73f47ce30eb0617d84db1731e3279aa96343ce7fbf77b6ae6b073a6fad3dfafd26bbf10928a0ce1daf35aa382d8d2b717d182aab235ee954
- Filesize: 40KB
  MD5: b608d407fc15adea97c26936bc6f03f6
  SHA1: 953e7420801c76393902c0d6bb56148947e41571
  SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
- Filesize: 48KB
  MD5: 349e6eb110e34a08924d92f6b334801d
  SHA1: bdfb289daff51890cc71697b6322aa4b35ec9169
  SHA256: c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
  SHA512: 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574