Analysis Overview
SHA256
7e05b0a9ffe1cfbc4cb926477d044ad7b6046352f8734b95037e4f5ef21bca99
Threat Level: Known bad
The file AWB_811470484778.exe was found to be: Known bad.
Malicious Activity Summary
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
Deletes itself
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-06-21 11:02
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-21 11:02
Reported
2022-06-21 11:05
Platform
win7-20220414-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1092 set thread context of 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe |
| PID 1120 set thread context of 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | C:\Windows\Explorer.EXE |
| PID 968 set thread context of 1276 | N/A | C:\Windows\SysWOW64\help.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\help.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe" |
| C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe" |
| C:\Windows\SysWOW64\help.exe | "C:\Windows\SysWOW64\help.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.tbrme.com | udp |
| GB | 94.136.40.51:80 | www.tbrme.com | tcp |
| US | 8.8.8.8:53 | www.fzl-fs.com | udp |
| US | 173.232.23.215:80 | www.fzl-fs.com | tcp |
| US | 8.8.8.8:53 | www.sinergiberkaryabersama.com | udp |
| ID | 103.145.226.75:80 | www.sinergiberkaryabersama.com | tcp |
| US | 8.8.8.8:53 | www.globalfrances.com | udp |
| US | 185.230.63.161:80 | www.globalfrances.com | tcp |
| US | 8.8.8.8:53 | www.takeyourshot3500.pro | udp |
| US | 8.8.8.8:53 | www.newleafremodel.com | udp |
| US | 34.102.136.180:80 | www.newleafremodel.com | tcp |
| US | 8.8.8.8:53 | www.eventsp.xyz | udp |
| US | 8.8.8.8:53 | www.newleafremodel.com | udp |
| US | 34.102.136.180:80 | www.newleafremodel.com | tcp |
| US | 8.8.8.8:53 | www.christinesyquia.com | udp |
| US | 8.8.8.8:53 | www.jenaeeaginshair.com | udp |
| US | 198.54.117.210:80 | www.jenaeeaginshair.com | tcp |
| US | 8.8.8.8:53 | www.stanegroupe.com | udp |
| FR | 213.186.33.5:80 | www.stanegroupe.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-21 11:02
Reported
2022-06-21 11:05
Platform
win10v2004-20220414-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2268 set thread context of 4148 | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe |
| PID 4148 set thread context of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | C:\Windows\Explorer.EXE |
| PID 1300 set thread context of 2668 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe" |
| C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe" |
| C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe | "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe" |
| C:\Windows\SysWOW64\netsh.exe | "C:\Windows\SysWOW64\netsh.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe" |
Network
| Country | Destination | Domain | Proto |
| NL | 20.190.160.67:443 | | tcp |
| NL | 20.190.160.136:443 | | tcp |
| US | 52.182.143.208:443 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
| NL | 20.190.160.71:443 | | tcp |
| US | 8.8.8.8:53 | www.skateboardlovers.com | udp |
| US | 209.99.64.43:80 | www.skateboardlovers.com | tcp |
| US | 8.8.8.8:53 | www.69988.club | udp |
| HK | 103.250.6.230:80 | www.69988.club | tcp |
| US | 8.8.8.8:53 | www.freshiestuning.com | udp |
| US | 199.34.228.189:80 | www.freshiestuning.com | tcp |
| US | 8.8.8.8:53 | www.korenshop.com | udp |
| SG | 52.221.125.89:80 | www.korenshop.com | tcp |
| US | 8.8.8.8:53 | www.forge21.xyz | udp |
| SG | 47.241.169.27:80 | www.forge21.xyz | tcp |
| US | 8.8.8.8:53 | www.pokerdominogame.com | udp |
| US | 172.67.217.21:80 | www.pokerdominogame.com | tcp |
| US | 8.8.8.8:53 | www.cactus-aio.com | udp |
| US | 8.8.8.8:53 | www.cabanatvs.com | udp |
| US | 8.8.8.8:53 | www.puzzlelux.com | udp |
| US | 15.197.142.173:80 | www.puzzlelux.com | tcp |
| US | 8.8.8.8:53 | www.lens-experts.com | udp |
| US | 8.8.8.8:53 | www.hdwiz.online | udp |
| US | 8.8.8.8:53 | www.sjsteinhardt.com | udp |
| US | 15.197.142.173:80 | www.sjsteinhardt.com | tcp |
| US | 8.8.8.8:53 | www.jenaeeaginshair.com | udp |
| US | 198.54.117.212:80 | www.jenaeeaginshair.com | tcp |
| US | 8.8.8.8:53 | www.doitlive.online | udp |
| US | 66.96.162.136:80 | www.doitlive.online | tcp |
Files