Analysis
max time kernel: 152s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 27-06-2022 14:13
Static task: static1
Behavioral task: behavioral1
Sample: shipping document.exe
Resource: win7-20220414-en
General
Target: shipping document.exe
Size: 521KB
MD5: 557350a46a849eb9ae8bc28a629bf3d5
SHA1: 8a773187553730b62bc9ba58457b8a97523f953e
SHA256: 576d080b4cab07bd5c3ef3e5d6a222b91744368ed837a3e56eb89772c1b5a1de
SHA512: aee4d4881f1d20b7837f690291702c7ead7c6900f0a68fa29f6c5fbd06fc91d7d13f893b70543c172d3a3732d47262aeca3209af81cc396eddc3dd3412ccad64
Malware Config
Extracted: xloader 2.6 (pdrq)
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
Processes:
shipping document.exe: Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions
Xloader Payload 4 IoCs
Resources matching YARA rule xloader:
behavioral2/memory/3148-145-0x0000000000400000-0x000000000042B000-memory.dmp
behavioral2/memory/3148-154-0x0000000000400000-0x000000000042B000-memory.dmp
behavioral2/memory/2020-160-0x0000000000DA0000-0x0000000000DCB000-memory.dmp
behavioral2/memory/2020-171-0x0000000000DA0000-0x0000000000DCB000-memory.dmp
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
Processes:
shipping document.exe: Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
shipping document.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
shipping document.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
shipping document.exe: Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
NETSTAT.EXE: Key created \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
NETSTAT.EXE: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VBFDTXEPWR = "C:\\Program Files (x86)\\D2d9\\zb-hdxsrmp.exe"
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
shipping document.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
shipping document.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0
Suspicious use of SetThreadContext 3 IoCs
Processes:
PID 4660 shipping document.exe set thread context of 3148 RegSvcs.exe
PID 3148 RegSvcs.exe set thread context of 2832 Explorer.EXE
PID 2020 NETSTAT.EXE set thread context of 2832 Explorer.EXE
Drops file in Program Files directory 1 IoCs
Processes:
NETSTAT.EXE: File opened for modification C:\Program Files (x86)\D2d9\zb-hdxsrmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
PID 2020 NETSTAT.EXE
-
Modifies Internet Explorer settings 1 IoCs
Processes:
NETSTAT.EXE: Key created \Registry\User\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
Suspicious behavior: EnumeratesProcesses 53 IoCs
Processes (53 entries):
PID 4660 shipping document.exe (9 entries)
PID 1600 powershell.exe (2 entries)
PID 3148 RegSvcs.exe (4 entries)
PID 2020 NETSTAT.EXE (38 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
PID 2832 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
PID 3148 RegSvcs.exe (3 entries)
PID 2020 NETSTAT.EXE (3 entries)
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
PID 4660 shipping document.exe: Token SeDebugPrivilege
PID 1600 powershell.exe: Token SeDebugPrivilege
PID 3148 RegSvcs.exe: Token SeDebugPrivilege
PID 2020 NETSTAT.EXE: Token SeDebugPrivilege
PID 2832 Explorer.EXE: Token SeShutdownPrivilege
PID 2832 Explorer.EXE: Token SeCreatePagefilePrivilege
Suspicious use of WriteProcessMemory 35 IoCs
Processes (35 entries):
PID 4660 shipping document.exe wrote to memory of 1600 powershell.exe (3 entries)
PID 4660 shipping document.exe wrote to memory of 4404 schtasks.exe (3 entries)
PID 4660 shipping document.exe wrote to memory of 3204 RegSvcs.exe (3 entries)
PID 4660 shipping document.exe wrote to memory of 4696 RegSvcs.exe (3 entries)
PID 4660 shipping document.exe wrote to memory of 1876 RegSvcs.exe (3 entries)
PID 4660 shipping document.exe wrote to memory of 3148 RegSvcs.exe (6 entries)
PID 2832 Explorer.EXE wrote to memory of 2020 NETSTAT.EXE (3 entries)
PID 2020 NETSTAT.EXE wrote to memory of 4428 cmd.exe (3 entries)
PID 2020 NETSTAT.EXE wrote to memory of 3056 cmd.exe (3 entries)
PID 2020 NETSTAT.EXE wrote to memory of 4420 cmd.exe (3 entries)
PID 2020 NETSTAT.EXE wrote to memory of 1060 Firefox.exe (2 entries)
Processes
C:\Windows\Explorer.EXE (PID 2832), command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\shipping document.exe (PID 4660), command line: "C:\Users\Admin\AppData\Local\Temp\shipping document.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1600), command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ylJHrC.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\schtasks.exe (PID 4404), command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ylJHrC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2625.tmp"
    - Creates scheduled task(s)
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 3204), command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 4696), command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 1876), command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 3148), command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\NETSTAT.EXE (PID 2020), command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Gathers network information
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 4428), command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    C:\Windows\SysWOW64\cmd.exe (PID 3056), command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    C:\Windows\SysWOW64\cmd.exe (PID 4420), command line: /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    C:\Program Files\Mozilla Firefox\Firefox.exe (PID 1060), command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize: 40KB
MD5: b608d407fc15adea97c26936bc6f03f6
SHA1: 953e7420801c76393902c0d6bb56148947e41571
SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize: 48KB
MD5: 349e6eb110e34a08924d92f6b334801d
SHA1: bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256: c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512: 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
C:\Users\Admin\AppData\Local\Temp\tmp2625.tmp
Filesize: 1KB
MD5: 0883eb6b8c9055717ea6b65ed8e30253
SHA1: 983b49da6b704eeb8f089800b3eb49cf5ec1117e
SHA256: ce26020ab20abf5038ba3c2d772e856d00b4a139445fd11e5d7775470ebcc88f
SHA512: 0b13851d4b4d93f36f2b048aa69f5495d0fbadd05eea337645b7247cf66b0c71f402967b8e84fdae0c3b37252a8d2f80f7f32e9a01e71e8c897968f883206572
-
memory/1600-140-0x0000000005680000-0x0000000005CA8000-memory.dmp (6.2MB)
memory/1600-163-0x00000000075C0000-0x00000000075DA000-memory.dmp (104KB)
memory/1600-166-0x0000000007800000-0x000000000780E000-memory.dmp (56KB)
memory/1600-136-0x0000000000000000-mapping.dmp
memory/1600-165-0x0000000007850000-0x00000000078E6000-memory.dmp (600KB)
memory/1600-138-0x00000000029C0000-0x00000000029F6000-memory.dmp (216KB)
memory/1600-168-0x00000000078F0000-0x00000000078F8000-memory.dmp (32KB)
memory/1600-155-0x0000000006880000-0x00000000068B2000-memory.dmp (200KB)
memory/1600-164-0x0000000007640000-0x000000000764A000-memory.dmp (40KB)
memory/1600-167-0x0000000007910000-0x000000000792A000-memory.dmp (104KB)
memory/1600-150-0x00000000062C0000-0x00000000062DE000-memory.dmp (120KB)
memory/1600-161-0x0000000007C10000-0x000000000828A000-memory.dmp (6.5MB)
memory/1600-157-0x0000000006860000-0x000000000687E000-memory.dmp (120KB)
memory/1600-146-0x00000000051E0000-0x0000000005202000-memory.dmp (136KB)
memory/1600-147-0x0000000005500000-0x0000000005566000-memory.dmp (408KB)
memory/1600-156-0x0000000071620000-0x000000007166C000-memory.dmp (304KB)
memory/1876-143-0x0000000000000000-mapping.dmp
memory/2020-153-0x0000000000000000-mapping.dmp
memory/2020-169-0x00000000015B0000-0x0000000001640000-memory.dmp (576KB)
memory/2020-171-0x0000000000DA0000-0x0000000000DCB000-memory.dmp (172KB)
memory/2020-162-0x0000000001770000-0x0000000001ABA000-memory.dmp (3.3MB)
memory/2020-160-0x0000000000DA0000-0x0000000000DCB000-memory.dmp (172KB)
memory/2020-159-0x0000000000890000-0x000000000089B000-memory.dmp (44KB)
memory/2832-172-0x0000000008170000-0x0000000008208000-memory.dmp (608KB)
memory/2832-152-0x00000000084B0000-0x00000000085B7000-memory.dmp (1.0MB)
memory/2832-170-0x0000000008170000-0x0000000008208000-memory.dmp (608KB)
memory/3056-173-0x0000000000000000-mapping.dmp
memory/3148-144-0x0000000000000000-mapping.dmp
memory/3148-148-0x00000000018F0000-0x0000000001C3A000-memory.dmp (3.3MB)
memory/3148-151-0x00000000015F0000-0x0000000001601000-memory.dmp (68KB)
memory/3148-154-0x0000000000400000-0x000000000042B000-memory.dmp (172KB)
memory/3148-145-0x0000000000400000-0x000000000042B000-memory.dmp (172KB)
memory/3204-141-0x0000000000000000-mapping.dmp
memory/4404-137-0x0000000000000000-mapping.dmp
memory/4420-175-0x0000000000000000-mapping.dmp
memory/4428-158-0x0000000000000000-mapping.dmp
memory/4660-134-0x00000000086B0000-0x000000000874C000-memory.dmp (624KB)
memory/4660-133-0x0000000004A80000-0x0000000004A8A000-memory.dmp (40KB)
memory/4660-135-0x00000000089E0000-0x0000000008A46000-memory.dmp (408KB)
memory/4660-130-0x0000000000050000-0x00000000000D8000-memory.dmp (544KB)
memory/4660-132-0x0000000004AB0000-0x0000000004B42000-memory.dmp (584KB)
memory/4660-131-0x0000000004FC0000-0x0000000005564000-memory.dmp (5.6MB)
memory/4696-142-0x0000000000000000-mapping.dmp