Analysis

max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20220414-en
submitted: 27-06-2022 14:13

Static task: static1
Behavioral task: behavioral1
Sample: shipping document.exe
Resource: win7-20220414-en
General

Target: shipping document.exe
Size: 521KB
MD5: 557350a46a849eb9ae8bc28a629bf3d5
SHA1: 8a773187553730b62bc9ba58457b8a97523f953e
SHA256: 576d080b4cab07bd5c3ef3e5d6a222b91744368ed837a3e56eb89772c1b5a1de
SHA512: aee4d4881f1d20b7837f690291702c7ead7c6900f0a68fa29f6c5fbd06fc91d7d13f893b70543c172d3a3732d47262aeca3209af81cc396eddc3dd3412ccad64
Malware Config

Extracted
Family: xloader
Version: 2.6
Campaign: pdrq
C2 domains (65 entries as extracted; XLoader, like FormBook before it, embeds one live C2 among a long list of decoy domains, and the extractor does not mark which entry is live, so treat this as a hunting/blocking list that contains decoys rather than 65 active servers):
welchsunstar.com
mppservicesllc.com
wiresofteflon.com
brabov.xyz
compnonoch.site
yourbuilderworks.com
iamsamirahman.com
eriqoes.com
eastudio.design
skyearth-est.com
teethfitness.com
razaancreates.com
shfbfs.com
joyfulbrokekids.com
kjbolden.com
howirep.com
deedeesmainecoons.website
e-powair.com
aheatea.com
shalfey0009.xyz
designcolor.style
netflixpaymentpending.ca
bothoitrang3.site
motondiarts.com
staynmocean.com
miamivideoshows.com
berendsit.com
yndzjs.com
yiwenhome.xyz
royaldeals.net
clearvison-ts.com
peluqueriasusanagalan.com
thelittlewellnessstudio.com
gurulotaska.com
smgsj.com
followpanelbd.com
prinirwedding.com
3559.fyi
amcvips.com
bigroof.top
chipbio-zt.com
candelasluxuryretreat.com
jboycephotography.com
affiliateindex.xyz
grannysseasonings.com
lcl-inc-test.com
beadallcreations.jewelry
yzzhome.top
tobe-science.com
cincinnaticustomrenovation.com
survaicommercial.xyz
businessdirectorymania.com
phqworld.com
miamigocars.com
labfour.systems
gregoryzeitler.com
dj-mary.com
one1-day.com
vegfiber.com
sfbayraw.net
xn--bndarsloto-s4a.com
felipesb.com
108580.com
1swj06mjrowgi.xyz
koalaglen.com
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET) (alert raised twice)
The FormBook rule firing on an xloader-tagged sample is expected, not a misattribution: XLoader is the renamed successor of FormBook and keeps the same HTTP check-in pattern.
-
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
Process: shipping document.exe
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions (shipping document.exe)
Xloader Payload (6 IoCs)
YARA rule "xloader" matched the following memory regions:
- behavioral1/memory/336-67-0x0000000000400000-0x000000000042B000-memory.dmp
- behavioral1/memory/336-68-0x000000000041F270-mapping.dmp
- behavioral1/memory/336-75-0x0000000000400000-0x000000000042B000-memory.dmp
- behavioral1/memory/336-79-0x0000000000400000-0x000000000042B000-memory.dmp
- behavioral1/memory/1368-82-0x0000000000080000-0x00000000000AB000-memory.dmp
- behavioral1/memory/1368-86-0x0000000000080000-0x00000000000AB000-memory.dmp
Both matched regions are 0x2B000 bytes (172KB, see Downloads): the same unpacked payload sits at 0x400000 in the hollowed RegSvcs.exe (PID 336) and at 0x80000 in chkdsk.exe (PID 1368). Either dump is the one to carve for configuration extraction; the 3.0MB regions in the same processes are unrelated.
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Process: chkdsk.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (chkdsk.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BX48F = "C:\\Program Files (x86)\\Cgralan\\msqdfl.exe" (chkdsk.exe)
Policies\Explorer\Run is honoured at logon just like the ordinary CurrentVersion\Run key but is skipped by checks that only enumerate HKLM/HKCU\...\CurrentVersion\Run; the value name (BX48F) and the directory name (Cgralan) are random per infection, so hunt on the key path and on a Program Files subdirectory created by a non-installer process, not on these strings.
Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
Process: shipping document.exe
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools (shipping document.exe)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Process: shipping document.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (shipping document.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (shipping document.exe)

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Process: shipping document.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (shipping document.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (shipping document.exe)
Suspicious use of SetThreadContext (4 IoCs)
- PID 1056 (shipping document.exe) set thread context of PID 336 (RegSvcs.exe)
- PID 336 (RegSvcs.exe) set thread context of PID 1220 (Explorer.EXE)
- PID 336 (RegSvcs.exe) set thread context of PID 1220 (Explorer.EXE)
- PID 1368 (chkdsk.exe) set thread context of PID 1220 (Explorer.EXE)
Read together with the WriteProcessMemory events below, this is the injection chain: the loader starts RegSvcs.exe with no arguments and overwrites it (process hollowing), the payload in RegSvcs.exe injects into Explorer.EXE and starts chkdsk.exe as its child, and chkdsk.exe in turn injects into Explorer.EXE. A SetThreadContext call from one process into another is rare in legitimate software outside debuggers and is a high-signal event on its own.
Drops file in Program Files directory (1 IoC)
Process: chkdsk.exe
- File opened for modification: C:\Program Files (x86)\Cgralan\msqdfl.exe (chkdsk.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour"; that does not apply here. The sample is an information stealer, and the drive enumeration belongs with the Disk\Enum lookups above, which are a standard way to spot virtual-disk vendor strings during sandbox evasion.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task "Updates\ylJHrC" is registered from an XML definition written to the sample's Temp directory (see the schtasks.exe command line under Processes and tmp6E1F.tmp under Downloads).
Enumerates system info in registry (2 TTPs, 1 IoC)
Process: chkdsk.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (chkdsk.exe)

Modifies Internet Explorer settings (1 IoC)
Process: chkdsk.exe
- Key created: \Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (chkdsk.exe)
The "settings" label understates this: IntelliForms\Storage2 is where Internet Explorer keeps saved form and autocomplete credentials, a routine target for credential-stealing payloads.
Suspicious behavior: EnumeratesProcesses (24 IoCs)
- PID 1056 shipping document.exe (2 events)
- PID 336 RegSvcs.exe (3 events)
- PID 1512 powershell.exe (1 event)
- PID 1368 chkdsk.exe (18 events)

Suspicious behavior: MapViewOfSection (7 IoCs)
- PID 336 RegSvcs.exe (4 events)
- PID 1368 chkdsk.exe (3 events)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
- Token: SeDebugPrivilege, PID 1056 shipping document.exe
- Token: SeDebugPrivilege, PID 336 RegSvcs.exe
- Token: SeDebugPrivilege, PID 1512 powershell.exe
- Token: SeDebugPrivilege, PID 1368 chkdsk.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 1220 Explorer.EXE (2 events)

Suspicious use of SendNotifyMessage (2 IoCs)
- PID 1220 Explorer.EXE (2 events)

Suspicious use of WriteProcessMemory (30 IoCs)
- PID 1056 shipping document.exe wrote to memory of PID 1512 powershell.exe (4 events)
- PID 1056 shipping document.exe wrote to memory of PID 320 schtasks.exe (4 events)
- PID 1056 shipping document.exe wrote to memory of PID 336 RegSvcs.exe (10 events)
- PID 336 RegSvcs.exe wrote to memory of PID 1368 chkdsk.exe (4 events)
- PID 1368 chkdsk.exe wrote to memory of PID 688 cmd.exe (4 events)
- PID 1368 chkdsk.exe wrote to memory of PID 1040 Firefox.exe (4 events)
Every child process in this run receives four writes from its parent, so four writes is the baseline the sandbox records for ordinary process creation; the ten writes into RegSvcs.exe are the extra ones that place the payload into the hollowed host.
Processes

C:\Windows\Explorer.EXE (PID 1220)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Users\Admin\AppData\Local\Temp\shipping document.exe (PID 1056, parent 1220)
    Command line: "C:\Users\Admin\AppData\Local\Temp\shipping document.exe"
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1512, parent 1056)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ylJHrC.exe"
      (Adds a Microsoft Defender exclusion for a path under the user's Roaming profile before anything is written there. The System32 path in the command line lands in SysWOW64 because the 32-bit sample is subject to WOW64 file-system redirection.)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\schtasks.exe (PID 320, parent 1056)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ylJHrC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6E1F.tmp"
      - Creates scheduled task(s)

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 336, parent 1056)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      (A .NET framework utility started with no arguments, then written to and given a new thread context by PID 1056: the hollowed host for the unpacked payload.)
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\chkdsk.exe (PID 1368, parent 336)
        Command line: "C:\Windows\SysWOW64\chkdsk.exe"
        - Adds policy Run key to start application
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Enumerates system info in registry
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 688, parent 1368)
          Command line: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          (Deletes the RegSvcs.exe host. Note the target is the genuine .NET framework binary, not a dropped copy; the report does not record whether the deletion succeeded.)

        C:\Program Files\Mozilla Firefox\Firefox.exe (PID 1040, parent 1368)
          Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
          (Started by the injected chkdsk.exe, which also wrote to its memory per the WriteProcessMemory events above.)
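As an added example, not part of the sandbox report or of the sample: detection logic in Python, run over constructed Sysmon-style records that mirror the process tree above and the Signatures section (the Defender exclusion, the scheduled task registered from Temp, the argument-less RegSvcs.exe under a user-writable parent, the Policies\Explorer\Run write and the cmd /c del of a system binary), plus two benign control records. The event field names, the HOLLOW_HOSTS list and the benign records are my assumptions; the rules key on shapes rather than on the per-infection strings (BX48F, Cgralan, ylJHrC), which change from sample to sample.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]

# Constructed Sysmon-style records (ID 1 = process create, ID 13 = registry value set)
# mirroring the chain in the report; illustrative input, not the sandbox's own log.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
SAMPLE_EVENTS: List[Event] = [
    {"id": 1, "pid": 1056, "ppid": 1220, "image": TEMP + r"\shipping document.exe",
     "parent_image": r"C:\Windows\Explorer.EXE", "cmdline": f'"{TEMP}\\shipping document.exe"'},
    {"id": 1, "pid": 1512, "ppid": 1056, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": TEMP + r"\shipping document.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
                r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\ylJHrC.exe"'},
    {"id": 1, "pid": 320, "ppid": 1056, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent_image": TEMP + r"\shipping document.exe",
     "cmdline": f'"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\ylJHrC" /XML "{TEMP}\\tmp6E1F.tmp"'},
    {"id": 1, "pid": 336, "ppid": 1056, "image": NET + r"\RegSvcs.exe",
     "parent_image": TEMP + r"\shipping document.exe", "cmdline": f'"{NET}\\RegSvcs.exe"'},
    {"id": 1, "pid": 1368, "ppid": 336, "image": r"C:\Windows\SysWOW64\chkdsk.exe",
     "parent_image": NET + r"\RegSvcs.exe", "cmdline": r'"C:\Windows\SysWOW64\chkdsk.exe"'},
    {"id": 13, "pid": 1368, "image": r"C:\Windows\SysWOW64\chkdsk.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BX48F",
     "details": r"C:\Program Files (x86)\Cgralan\msqdfl.exe"},
    {"id": 1, "pid": 688, "ppid": 1368, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\Windows\SysWOW64\chkdsk.exe",
     "cmdline": f'C:\\Windows\\SysWOW64\\cmd.exe /c del "{NET}\\RegSvcs.exe"'},
    # Benign controls (constructed): an ordinary user program, and an installer using RegSvcs.exe properly.
    {"id": 1, "pid": 2000, "ppid": 1220, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\Explorer.EXE", "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\notes.txt'},
    {"id": 1, "pid": 2001, "ppid": 1999, "image": NET + r"\RegSvcs.exe",
     "parent_image": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": f'"{NET}\\RegSvcs.exe" "C:\\Program Files\\Vendor\\Service.dll"'},
]

USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+|ProgramData|Windows\\Temp)\\", re.I)
# .NET framework utilities that are started with no arguments only to be hollowed (assumed list).
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _no_arguments(cmdline: str) -> bool:
    """True when the command line is nothing but the (optionally quoted) executable path."""
    return re.fullmatch(r'\s*"?[^"]*?\.exe"?\s*', cmdline, re.I) is not None


def detect(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule, pid) hits for the behaviours the report attributes to this sample."""
    hits: List[Tuple[str, int]] = []
    for ev in events:
        pid, image = int(ev["pid"]), _basename(str(ev["image"]))
        if ev["id"] == 13:  # registry value set: persistence via the Explorer policy Run key
            if re.search(r"\\Policies\\Explorer\\Run\\", str(ev["target"]), re.I):
                hits.append(("policy_run_key_persistence", pid))
            continue
        cmd, parent = str(ev["cmdline"]), str(ev.get("parent_image", ""))
        # Defender exclusion added by PowerShell spawned from, or covering, a user-writable path.
        if image == "powershell.exe" and re.search(
                r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", cmd, re.I) \
                and (USER_WRITABLE.search(parent) or USER_WRITABLE.search(cmd)):
            hits.append(("defender_exclusion_added", pid))
        # Scheduled task registered from an XML file living in a user-writable directory.
        if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
            m = re.search(r'/xml\s+"?([^"]+)', cmd, re.I)
            if m and USER_WRITABLE.search(m.group(1)):
                hits.append(("schtasks_xml_from_user_writable_path", pid))
        # A .NET utility run with no arguments by a parent in a user-writable path: hollowing host.
        if image in HOLLOW_HOSTS and _no_arguments(cmd) and USER_WRITABLE.search(parent):
            hits.append(("dotnet_utility_hollow_host", pid))
        # The hollowed host then starts another argument-less binary (chkdsk.exe here) to inject into.
        if _basename(parent) in HOLLOW_HOSTS and _no_arguments(cmd):
            hits.append(("argless_child_of_hollow_host", pid))
        # Cleanup: cmd /c del pointed at a binary under the Windows directory.
        if image == "cmd.exe":
            m = re.search(r'/c\s+del\s+"?([^"]+)', cmd, re.I)
            if m and re.match(r"[a-z]:\\Windows\\", m.group(1), re.I):
                hits.append(("self_delete_of_system_binary", pid))
    return hits


def process_chain(events: List[Event], pid: int) -> List[str]:
    """Image names from the oldest ancestor visible in the events down to pid."""
    by_pid = {int(e["pid"]): e for e in events if e["id"] == 1}
    chain: List[str] = []
    while pid in by_pid:
        chain.append(_basename(str(by_pid[pid]["image"])))
        pid = int(by_pid[pid]["ppid"])
    return chain[::-1]


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:40s} pid={pid:<5d} chain={' > '.join(process_chain(SAMPLE_EVENTS, pid))}")
```

The two control records show the point of each condition: RegSvcs.exe launched by an installer with a DLL argument is not flagged, and only the argument-less launch from the Temp directory is. In real telemetry the parent path check matters more than the utility name, since the hollowed host varies between samples.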
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6E1F.tmp (1KB; the task definition passed to schtasks /XML above)
MD5: 8d90d1cf57addf10ccd50715c1376e78
SHA1: cffc59ee9f80627c3a84afabb3e37a789804a2d3
SHA256: 4109231c719120236b9acc8d5e71e701eda99c1a810f6e8cecd80ab3c9e5fdb7
SHA512: 7344eb7702628c3d004b60143a7ce23a34f2006018a1d7a86b6189c8c0ae6e61de17dcef149139707e2c75ee062f3e6a132a09990c0683dcee785faf17032719

Memory dumps (named PID-sequence-range; the two 172KB regions, 0x400000 in PID 336 and 0x80000 in PID 1368, are the ones the xloader YARA rule matched):
memory/320-60-0x0000000000000000-mapping.dmp
memory/336-72-0x0000000000A60000-0x0000000000D63000-memory.dmp (3.0MB)
memory/336-79-0x0000000000400000-0x000000000042B000-memory.dmp (172KB)
memory/336-76-0x0000000000230000-0x0000000000241000-memory.dmp (68KB)
memory/336-75-0x0000000000400000-0x000000000042B000-memory.dmp (172KB)
memory/336-73-0x00000000001F0000-0x0000000000201000-memory.dmp (68KB)
memory/336-68-0x000000000041F270-mapping.dmp
memory/336-67-0x0000000000400000-0x000000000042B000-memory.dmp (172KB)
memory/336-64-0x0000000000400000-0x000000000042B000-memory.dmp (172KB)
memory/336-65-0x0000000000400000-0x000000000042B000-memory.dmp (172KB)
memory/688-80-0x0000000000000000-mapping.dmp
memory/1056-63-0x00000000047C0000-0x00000000047F2000-memory.dmp (200KB)
memory/1056-55-0x00000000764C1000-0x00000000764C3000-memory.dmp (8KB)
memory/1056-57-0x00000000002E0000-0x00000000002EA000-memory.dmp (40KB)
memory/1056-56-0x00000000002B0000-0x00000000002CC000-memory.dmp (112KB)
memory/1056-58-0x00000000046E0000-0x000000000474A000-memory.dmp (424KB)
memory/1056-54-0x0000000000F80000-0x0000000001008000-memory.dmp (544KB)
memory/1220-85-0x0000000004DB0000-0x0000000004F2B000-memory.dmp (1.5MB)
memory/1220-74-0x0000000004B20000-0x0000000004CA6000-memory.dmp (1.5MB)
memory/1220-87-0x0000000004DB0000-0x0000000004F2B000-memory.dmp (1.5MB)
memory/1220-77-0x0000000004CB0000-0x0000000004DA3000-memory.dmp (972KB)
memory/1368-78-0x0000000000000000-mapping.dmp
memory/1368-81-0x0000000000D70000-0x0000000000D77000-memory.dmp (28KB)
memory/1368-82-0x0000000000080000-0x00000000000AB000-memory.dmp (172KB)
memory/1368-83-0x0000000002180000-0x0000000002483000-memory.dmp (3.0MB)
memory/1368-84-0x0000000000550000-0x00000000005E0000-memory.dmp (576KB)
memory/1368-86-0x0000000000080000-0x00000000000AB000-memory.dmp (172KB)
memory/1512-71-0x000000006E2C0000-0x000000006E86B000-memory.dmp (5.7MB)
memory/1512-69-0x000000006E2C0000-0x000000006E86B000-memory.dmp (5.7MB)
memory/1512-59-0x0000000000000000-mapping.dmp
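As an added example, not part of the report or of the sample: the report shows only that a 1KB file, tmp6E1F.tmp, was handed to schtasks /XML and that a Defender exclusion was added for C:\Users\Admin\AppData\Roaming\ylJHrC.exe, so an analyst pulling the task from a host has to read its XML. The Python below audits a task definition in the Task Scheduler XML schema for the traits that matter here (an Exec command under a user-writable path, a logon trigger, a hidden task, no execution time limit) and cross-checks the command against a list of Defender exclusions. Both XML documents are constructed by me; in particular the Exec command of the malicious one is assumed to be the excluded ylJHrC.exe path, which the report does not state.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Sequence

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+|ProgramData|Windows\\Temp)\\", re.I)

# Constructed task definition modelled on the "Updates\ylJHrC" task. Real task files exported by
# schtasks or found under C:\Windows\System32\Tasks are UTF-16 with a BOM: read those as bytes and
# pass the bytes to ET.fromstring so the declared encoding is honoured.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Updates\\ylJHrC</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden><ExecutionTimeLimit>PT0S</ExecutionTimeLimit></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\Admin\\AppData\\Roaming\\ylJHrC.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign control: a vendor updater under Program Files on a calendar trigger.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Vendor\\Updater</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden><ExecutionTimeLimit>PT1H</ExecutionTimeLimit></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command></Exec>
  </Actions>
</Task>"""


def audit_task(xml_text, defender_exclusions: Sequence[str] = ()) -> Dict[str, object]:
    """Return the task name, its Exec commands and a list of persistence-related findings."""
    root = ET.fromstring(xml_text)
    commands = [(c.text or "").strip() for c in root.findall("t:Actions/t:Exec/t:Command", NS)]
    findings: List[str] = []
    for cmd in commands:
        if USER_WRITABLE.search(cmd):
            findings.append(f"exec from user-writable path: {cmd}")
        for exc in defender_exclusions:
            # An exclusion covers the command if it names the file itself or a parent directory.
            e = exc.lower().rstrip("\\")
            if cmd.lower() == e or cmd.lower().startswith(e + "\\"):
                findings.append(f"exec target covered by Defender exclusion: {exc}")
    if root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).strip().lower() == "true":
        findings.append("task hidden from the Task Scheduler UI")
    if root.find("t:Triggers/t:LogonTrigger", NS) is not None:
        findings.append("runs at every logon")
    if root.findtext("t:Settings/t:ExecutionTimeLimit", default="", namespaces=NS).strip() == "PT0S":
        findings.append("no execution time limit (PT0S)")
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS).strip()
    return {"name": uri, "commands": commands, "findings": findings}


if __name__ == "__main__":
    exclusions = [r"C:\Users\Admin\AppData\Roaming\ylJHrC.exe"]  # as added by the sample's PowerShell
    for xml_doc in (SAMPLE_TASK_XML, BENIGN_TASK_XML):
        result = audit_task(xml_doc, exclusions)
        print(result["name"], result["commands"], *result["findings"], sep="\n  ")
```

On a live host the exclusion list comes from Get-MpPreference (ExclusionPath, ExclusionProcess) and the task XML from schtasks /Query /XML /TN "<name>" or the files under C:\Windows\System32\Tasks; a task whose command is both under AppData and inside a Defender exclusion is the combination this sample sets up.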