Analysis
- Max time kernel: 148s
- Max time network: 150s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 22-06-2022 05:56
Static task: static1
Behavioral task: behavioral1
- Sample: ef43e97cb61e5d54d4953a4d3278f220.exe
- Resource: win7-20220414-en
General
- Target: ef43e97cb61e5d54d4953a4d3278f220.exe
- Size: 828KB
- MD5: ef43e97cb61e5d54d4953a4d3278f220
- SHA1: 16e593f0ddae9e67c5dd725d383552a0414ab292
- SHA256: 45d1b699698ba99b1a8c51ef57d3ed895b762f418cc05f8c54425e3cebcea4c0
- SHA512: 3e978d30d2bf94a2fe506c44f7bafb94cc3fe8a50a8db1232c2de6b34fd22fd9ec951c63290e3983c42bdf278e00d940c49858b1faa61bdf90bf299532631b71
Malware Config
Extracted
- Family: xloader
- Version: 2.6
- Campaign: pdrq
- Domains:
welchsunstar.com
mppservicesllc.com
wiresofteflon.com
brabov.xyz
compnonoch.site
yourbuilderworks.com
iamsamirahman.com
eriqoes.com
eastudio.design
skyearth-est.com
teethfitness.com
razaancreates.com
shfbfs.com
joyfulbrokekids.com
kjbolden.com
howirep.com
deedeesmainecoons.website
e-powair.com
aheatea.com
shalfey0009.xyz
designcolor.style
netflixpaymentpending.ca
bothoitrang3.site
motondiarts.com
staynmocean.com
miamivideoshows.com
berendsit.com
yndzjs.com
yiwenhome.xyz
royaldeals.net
clearvison-ts.com
peluqueriasusanagalan.com
thelittlewellnessstudio.com
gurulotaska.com
smgsj.com
followpanelbd.com
prinirwedding.com
3559.fyi
amcvips.com
bigroof.top
chipbio-zt.com
candelasluxuryretreat.com
jboycephotography.com
affiliateindex.xyz
grannysseasonings.com
lcl-inc-test.com
beadallcreations.jewelry
yzzhome.top
tobe-science.com
cincinnaticustomrenovation.com
survaicommercial.xyz
businessdirectorymania.com
phqworld.com
miamigocars.com
labfour.systems
gregoryzeitler.com
dj-mary.com
one1-day.com
vegfiber.com
sfbayraw.net
xn--bndarsloto-s4a.com
felipesb.com
108580.com
1swj06mjrowgi.xyz
koalaglen.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
Processes:
- ef43e97cb61e5d54d4953a4d3278f220.exe: Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions
-
Xloader Payload (5 IoCs)
Resources matching yara rule "xloader":
- behavioral1/memory/1940-67-0x0000000000400000-0x000000000042B000-memory.dmp
- behavioral1/memory/1940-68-0x000000000041F270-mapping.dmp
- behavioral1/memory/1940-71-0x0000000000400000-0x000000000042B000-memory.dmp
- behavioral1/memory/1192-78-0x0000000000080000-0x00000000000AB000-memory.dmp
- behavioral1/memory/1192-82-0x0000000000080000-0x00000000000AB000-memory.dmp
-
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes:
- svchost.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\9RDHPR4P_FC = "C:\\Program Files (x86)\\Ltr4tq2eh\\servicesnng4l.exe"
-
Executes dropped EXE (1 IoC)
Processes:
- PID 1624: servicesnng4l.exe
-
Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
Processes:
- ef43e97cb61e5d54d4953a4d3278f220.exe: Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools
-
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- ef43e97cb61e5d54d4953a4d3278f220.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- ef43e97cb61e5d54d4953a4d3278f220.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
-
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
- ef43e97cb61e5d54d4953a4d3278f220.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
- ef43e97cb61e5d54d4953a4d3278f220.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
-
Suspicious use of SetThreadContext (3 IoCs)
Processes:
- PID 2020 (ef43e97cb61e5d54d4953a4d3278f220.exe) set thread context of PID 1940 (RegSvcs.exe)
- PID 1940 (RegSvcs.exe) set thread context of PID 1300 (Explorer.EXE)
- PID 1192 (svchost.exe) set thread context of PID 1300 (Explorer.EXE)
-
Drops file in Program Files directory (2 IoCs)
Processes:
- svchost.exe: File opened for modification C:\Program Files (x86)\Ltr4tq2eh\servicesnng4l.exe
- Explorer.EXE: File created C:\Program Files (x86)\Ltr4tq2eh\servicesnng4l.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings
Processes:
- svchost.exe: Key created \Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
-
Suspicious behavior: EnumeratesProcesses (30 IoCs)
Processes:
- PID 2020 ef43e97cb61e5d54d4953a4d3278f220.exe (4 entries)
- PID 1696 powershell.exe (1 entry)
- PID 1940 RegSvcs.exe (2 entries)
- PID 1192 svchost.exe (23 entries)
-
Suspicious behavior: MapViewOfSection (7 IoCs)
Processes:
- PID 1940 RegSvcs.exe (3 entries)
- PID 1192 svchost.exe (4 entries)
-
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 2020 ef43e97cb61e5d54d4953a4d3278f220.exe
- Token: SeDebugPrivilege, PID 1696 powershell.exe
- Token: SeDebugPrivilege, PID 1940 RegSvcs.exe
- Token: SeDebugPrivilege, PID 1192 svchost.exe
- Token: SeShutdownPrivilege, PID 1300 Explorer.EXE
- Token: SeShutdownPrivilege, PID 1300 Explorer.EXE
-
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- PID 1300 Explorer.EXE (2 entries)
-
Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
- PID 1300 Explorer.EXE (2 entries)
-
Suspicious use of WriteProcessMemory (45 IoCs)
Processes (source PID wrote to memory of target PID; repeated entries collapsed with counts):
- PID 2020 (ef43e97cb61e5d54d4953a4d3278f220.exe) wrote to memory of PID 1696 (powershell.exe) (4 entries)
- PID 2020 (ef43e97cb61e5d54d4953a4d3278f220.exe) wrote to memory of PID 624 (schtasks.exe) (4 entries)
- PID 2020 (ef43e97cb61e5d54d4953a4d3278f220.exe) wrote to memory of PID 1948 (RegSvcs.exe) (7 entries)
- PID 2020 (ef43e97cb61e5d54d4953a4d3278f220.exe) wrote to memory of PID 1940 (RegSvcs.exe) (10 entries)
- PID 1300 (Explorer.EXE) wrote to memory of PID 1192 (svchost.exe) (4 entries)
- PID 1192 (svchost.exe) wrote to memory of PID 892 (cmd.exe) (4 entries)
- PID 1192 (svchost.exe) wrote to memory of PID 1728 (Firefox.exe) (5 entries)
- PID 1300 (Explorer.EXE) wrote to memory of PID 1624 (servicesnng4l.exe) (7 entries)
Processes (tree; indentation shows parent/child depth)
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\ef43e97cb61e5d54d4953a4d3278f220.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ef43e97cb61e5d54d4953a4d3278f220.exe"
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\lIaHFEbpq.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lIaHFEbpq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFFD3.tmp"
      - Creates scheduled task(s)
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\svchost.exe
    Command line: "C:\Windows\SysWOW64\svchost.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
  C:\Program Files (x86)\Ltr4tq2eh\servicesnng4l.exe
    Command line: "C:\Program Files (x86)\Ltr4tq2eh\servicesnng4l.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\Ltr4tq2eh\servicesnng4l.exe
  Filesize: 44KB
  MD5: 0e06054beb13192588e745ee63a84173
  SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
- C:\Users\Admin\AppData\Local\Temp\tmpFFD3.tmp
  Filesize: 1KB
  MD5: f0c219e7c32ef968c4e091c7b2749470
  SHA1: dd0f8bd01b2682e2ab54c9981e69670c6103a50b
  SHA256: 53611234b36a01f82d62ad960d14626fd6532b2bf92cef5f4e68cab166ba8837
  SHA512: 3539b587776ec02046f54907f7966b548c1ffa3e67a90b4aeaf2f78d9ba3ab0c980505a853256500b1e055298d9e85b3fb0b3c713ba823d3a4a78ac6101d49ad
- memory/624-60-0x0000000000000000-mapping.dmp
- memory/892-76-0x0000000000000000-mapping.dmp
- memory/1192-80-0x0000000000460000-0x00000000004F0000-memory.dmp (Filesize: 576KB)
- memory/1192-78-0x0000000000080000-0x00000000000AB000-memory.dmp (Filesize: 172KB)
- memory/1192-75-0x0000000000000000-mapping.dmp
- memory/1192-77-0x0000000000700000-0x0000000000708000-memory.dmp (Filesize: 32KB)
- memory/1192-79-0x0000000000A40000-0x0000000000D43000-memory.dmp (Filesize: 3.0MB)
- memory/1192-82-0x0000000000080000-0x00000000000AB000-memory.dmp (Filesize: 172KB)
- memory/1300-83-0x0000000004130000-0x00000000041EE000-memory.dmp (Filesize: 760KB)
- memory/1300-81-0x0000000004130000-0x00000000041EE000-memory.dmp (Filesize: 760KB)
- memory/1300-74-0x0000000004400000-0x00000000044D0000-memory.dmp (Filesize: 832KB)
- memory/1624-89-0x0000000000350000-0x0000000000370000-memory.dmp (Filesize: 128KB)
- memory/1624-85-0x0000000000000000-mapping.dmp
- memory/1624-88-0x00000000003D0000-0x00000000003DE000-memory.dmp (Filesize: 56KB)
- memory/1696-70-0x000000006E790000-0x000000006ED3B000-memory.dmp (Filesize: 5.7MB)
- memory/1696-59-0x0000000000000000-mapping.dmp
- memory/1940-73-0x00000000001A0000-0x00000000001B1000-memory.dmp (Filesize: 68KB)
- memory/1940-72-0x00000000008F0000-0x0000000000BF3000-memory.dmp (Filesize: 3.0MB)
- memory/1940-71-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
- memory/1940-68-0x000000000041F270-mapping.dmp
- memory/1940-67-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
- memory/1940-65-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
- memory/1940-64-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
- memory/2020-54-0x00000000010A0000-0x0000000001176000-memory.dmp (Filesize: 856KB)
- memory/2020-63-0x0000000000ED0000-0x0000000000F02000-memory.dmp (Filesize: 200KB)
- memory/2020-58-0x0000000005CB0000-0x0000000005D1A000-memory.dmp (Filesize: 424KB)
- memory/2020-57-0x0000000000610000-0x000000000061A000-memory.dmp (Filesize: 40KB)
- memory/2020-56-0x0000000000420000-0x000000000042E000-memory.dmp (Filesize: 56KB)
- memory/2020-55-0x00000000755C1000-0x00000000755C3000-memory.dmp (Filesize: 8KB)