Analysis

max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21/06/2022, 10:21

Static task: static1
Behavioral task: behavioral1
Sample: networksec.exe
Resource: win7-20220414-en
General

Target: networksec.exe
Size: 467KB
MD5: 0a7ee72e2b57214272b36a91835ece31
SHA1: 4f8ba6b8eee9c2f612cd046b34905cd110ec1b12
SHA256: 25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21
SHA512: 22d253e97694d8c62bd188c3ce9008445b3e41389672049ff8d768746fff3fba20a5025ca535b804a9bf976435cb7836e8d728009327c55ada359d2ee35c9f5b
Malware Config

Extracted
Family: xloader
Version: 2.6
Campaign ID: a2es
C2 domains (an XLoader/FormBook config carries one real C2 among a long list of decoy domains, and the sample contacts several of them per run, so block and hunt on the whole list rather than trying to pick out the live one):
glutenfreebahrain.com
sportrid.com
js-films.com
cie-revolver.com
outsourcinginstitutebd.com
roboticsdatascience.com
tebrunk.com
needgreatwork.com
df1b8j2iwbl33n.life
voluum-training.com
cherna-roza.com
xiyouap.com
bluefiftyfoundation.com
angolettomc.com
yhcp225.com
keondredejawn.com
ifeelsilky.com
coraorganizing.com
smartmindstutorials.com
tanphucuong.info
cxy.cool
criatorioimperial.online
timelyzer.com
chounvwd.com
taxidrivertrading.com
vooyage.xyz
mbtq.financial
tmshop.ma
newexmag.com
wildblumebmd.com
faucetvddw.club
sexism.info
precisionspinecolorado.com
jmigy.com
theplayhouse88.com
theskinrevive.com
envisionexpereience.com
matuschekandcompany.com
zouyuting.com
loansbill-pay.website
albertoalaniz.space
elfstore.net
klapia.online
panxiaozhi.net
soprodutosgeniais.com
amstorex.com
tiktokrycy41.xyz
datisbrick.com
hotelnoucanguillem.com
prekkr.com
jensenko.com
spiritualteashop.com
cyberdyne.world
0xauetw0ye50f.xyz
berendsit.com
kalycollcwn.info
tonenusdt.xyz
ckhla.com
igralki.com
princesskinnymixers.com
tvmountinstallguy.com
choicegoodsshop.com
diamont-services.com
mideazhiyou.com
katescakesandcreations.com
Signatures

- suricata: ET MALWARE FormBook CnC Checkin (GET) (x2; the Emerging Threats rule keeps the FormBook name, and XLoader, FormBook's successor, still matches its check-in signature)

Xloader Payload (6 IoCs)
resource -> yara_rule
- behavioral1/memory/1632-62-0x0000000000400000-0x000000000042B000-memory.dmp -> xloader
- behavioral1/memory/1632-63-0x000000000041F2B0-mapping.dmp -> xloader
- behavioral1/memory/1632-65-0x0000000000400000-0x000000000042B000-memory.dmp -> xloader
- behavioral1/memory/1632-73-0x0000000000400000-0x000000000042B000-memory.dmp -> xloader
- behavioral1/memory/804-77-0x0000000000080000-0x00000000000AB000-memory.dmp -> xloader
- behavioral1/memory/804-80-0x0000000000080000-0x00000000000AB000-memory.dmp -> xloader
All YARA hits are on memory of the hollowed networksec.exe child (PID 1632) and the hollowed svchost.exe (PID 804), not on the 467KB file on disk: the unpacked payload has to be recovered from those dumps.

Adds policy Run key to start application (2 TTPs, 2 IoCs)
description / ioc / Process
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BX44A = "C:\\Program Files (x86)\\Y0x6h\\gdie2aprv_h.exe" (svchost.exe)
Policies\Explorer\Run is processed by Explorer at logon like the ordinary Run key but is checked far less often by autostart audits, so include it in persistence sweeps.

Deletes itself (1 IoC)
pid / Process
- 1688 cmd.exe

Suspicious use of SetThreadContext (4 IoCs)
description / pid / Process / procid_target
- PID 2040 set thread context of 1632 (2040 networksec.exe, procid_target 26)
- PID 1632 set thread context of 1248 (1632 networksec.exe, procid_target 12)
- PID 1632 set thread context of 1248 (1632 networksec.exe, procid_target 12)
- PID 804 set thread context of 1248 (804 svchost.exe, procid_target 12)

Drops file in Program Files directory (1 IoC)
description / ioc / Process
- File opened for modification: C:\Program Files (x86)\Y0x6h\gdie2aprv_h.exe (svchost.exe)

Modifies Internet Explorer settings (1 IoC)
description / ioc / Process
- Key created: \Registry\User\S-1-5-21-790309383-526510583-3802439154-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (svchost.exe)
IntelliForms\Storage2 is where Internet Explorer keeps saved form data and credentials, consistent with the family's credential theft.

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid / Process
- 1632 networksec.exe (x3)
- 804 svchost.exe (x11)

Suspicious behavior: MapViewOfSection (8 IoCs)
pid / Process
- 1632 networksec.exe (x4)
- 804 svchost.exe (x4)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / Process
- Token: SeDebugPrivilege, 1632 networksec.exe
- Token: SeDebugPrivilege, 804 svchost.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid / Process
- 1248 Explorer.EXE (x2)

Suspicious use of SendNotifyMessage (2 IoCs)
pid / Process
- 1248 Explorer.EXE (x2)

Suspicious use of WriteProcessMemory (20 IoCs)
description / pid / Process / procid_target
- PID 2040 wrote to memory of 1632 (2040 networksec.exe, procid_target 26) x7
- PID 1248 wrote to memory of 804 (1248 Explorer.EXE, procid_target 27) x4
- PID 804 wrote to memory of 1688 (804 svchost.exe, procid_target 28) x4
- PID 804 wrote to memory of 888 (804 svchost.exe, procid_target 31) x5
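The SetThreadContext, WriteProcessMemory, registry and cmd.exe entries above only make sense read together: one process writes into another and then hijacks its thread, the injected shell starts a system binary, and that binary sets persistence and deletes the dropper. The following Python is an added triage helper, not part of this report or of the sandbox, that rebuilds that chain from events in the report's flattened form. The process table, event lines and registry line are constructed here from the PIDs, image paths and command lines listed above; the function names and the classification labels are my own.

```python
"""Added triage helper (not the sandbox's own code): rebuild the injection,
persistence and self-deletion chain from behavioural events in the shape the
report above uses.  PROCS, EVENTS and REG_EVENTS are constructed here from
the PIDs, image paths, registry value and command lines the report lists."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\networksec.exe"


@dataclass
class Proc:
    pid: int
    image: str
    parent: Optional[int]
    cmdline: str


# Process tree as reported: pid, image, parent pid, command line.
PROCS: Dict[int, Proc] = {p.pid: p for p in (
    Proc(1248, r"C:\Windows\Explorer.EXE", None, r"C:\Windows\Explorer.EXE"),
    Proc(2040, SAMPLE_PATH, 1248, f'"{SAMPLE_PATH}"'),
    Proc(1632, SAMPLE_PATH, 2040, f'"{SAMPLE_PATH}"'),
    Proc(804, r"C:\Windows\SysWOW64\svchost.exe", 1248, r'"C:\Windows\SysWOW64\svchost.exe"'),
    Proc(1688, r"C:\Windows\SysWOW64\cmd.exe", 804, f'/c del "{SAMPLE_PATH}"'),
    Proc(888, r"C:\Program Files\Mozilla Firefox\Firefox.exe", 804,
         r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
)}

# Flattened "PID <src> <verb> <dst>" lines (constructed from the report).
EVENTS: List[str] = [
    "PID 2040 wrote to memory of 1632",
    "PID 2040 set thread context of 1632",
    "PID 1632 set thread context of 1248",
    "PID 1632 set thread context of 1248",   # same edge logged twice
    "PID 1248 wrote to memory of 804",
    "PID 804 set thread context of 1248",
    "PID 804 wrote to memory of 1688",
    "PID 804 wrote to memory of 888",
]

# Registry event in the report's escaped form (constructed from the report).
REG_EVENTS: List[str] = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion'
    r'\Policies\Explorer\Run\BX44A = "C:\\Program Files (x86)\\Y0x6h\\gdie2aprv_h.exe"',
]

EVENT_RE = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+)")
POLICY_RUN_RE = re.compile(r'\\Policies\\Explorer\\Run\\(\S+) = "(.+)"$')


def _name(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def parse_events(lines):
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), int(m.group(3))


def classify_injections(procs, lines) -> List[Tuple[int, int, str]]:
    """One finding per distinct SetThreadContext edge, labelled by what it means."""
    wrote = {(s, d) for s, v, d in parse_events(lines) if v == "wrote to memory of"}
    seen, out = set(), []
    for src, verb, dst in parse_events(lines):
        if verb != "set thread context of" or (src, dst) in seen:
            continue
        seen.add((src, dst))
        s, d = procs[src], procs[dst]
        if s.image.lower() == d.image.lower() and d.parent == src and (src, dst) in wrote:
            kind = "hollowing of own child"      # write + thread hijack into a copy of itself
        elif _name(d.image) == "explorer.exe":
            kind = "thread hijack into explorer.exe"
        else:
            kind = "cross-process thread hijack"
        out.append((src, dst, kind))
    return out


def shell_spawned_system_binaries(procs, lines) -> List[int]:
    """System binaries started by explorer.exe that explorer also wrote into.
    svchost.exe normally runs under services.exe, so this is the hollowed host."""
    wrote = {(s, d) for s, v, d in parse_events(lines) if v == "wrote to memory of"}
    return [p.pid for p in procs.values()
            if p.parent is not None and _name(procs[p.parent].image) == "explorer.exe"
            and "\\windows\\sys" in p.image.lower() and (p.parent, p.pid) in wrote]


def find_self_delete(procs, sample_path) -> List[Tuple[int, int]]:
    """(cmd.exe pid, parent pid) where the command line deletes the original sample."""
    pat = re.compile(r'/c\s+del\s+"?' + re.escape(sample_path), re.IGNORECASE)
    return [(p.pid, p.parent) for p in procs.values()
            if _name(p.image) == "cmd.exe" and pat.search(p.cmdline)]


def find_policy_run(reg_lines) -> List[Tuple[str, str]]:
    """(value name, unescaped target path) for Policies\\Explorer\\Run entries."""
    out = []
    for line in reg_lines:
        m = POLICY_RUN_RE.search(line)
        if m:
            out.append((m.group(1), m.group(2).replace("\\\\", "\\")))
    return out


if __name__ == "__main__":
    for f in classify_injections(PROCS, EVENTS):
        print("inject", *f)
    print("hollowed host pids", shell_spawned_system_binaries(PROCS, EVENTS))
    print("self-delete", find_self_delete(PROCS, SAMPLE_PATH))
    print("persistence", find_policy_run(REG_EVENTS))
```

The same functions run unchanged over another report of this family as long as the PIDs and command lines are filled in, and the "hollowing of own child" test (same image, parent-child relation, a write before the thread hijack) is the one to keep when tuning a real detection, since a legitimate parent rarely writes into and re-points the entry thread of its own child.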
Processes

C:\Windows\Explorer.EXE (PID 1248) C:\Windows\Explorer.EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\networksec.exe (PID 2040) "C:\Users\Admin\AppData\Local\Temp\networksec.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\networksec.exe (PID 1632) "C:\Users\Admin\AppData\Local\Temp\networksec.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\svchost.exe (PID 804) "C:\Windows\SysWOW64\svchost.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 1688) /c del "C:\Users\Admin\AppData\Local\Temp\networksec.exe"
        - Deletes itself
        C:\Program Files\Mozilla Firefox\Firefox.exe (PID 888) "C:\Program Files\Mozilla Firefox\Firefox.exe"

Reading the tree together with the signatures: networksec.exe (2040) writes into and hollows a copy of itself (1632); the payload in 1632 hijacks a thread in Explorer (1248); Explorer then starts a 32-bit svchost.exe (804) from SysWOW64 and writes into it; that hollowed svchost sets the Policies\Explorer\Run value, drops the copy under Program Files (x86), deletes the original sample through cmd.exe (1688) and launches Firefox (888). A svchost.exe whose parent is Explorer rather than services.exe, and which itself spawns cmd.exe and a browser, is the hunting pivot here.