Analysis

max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 05-07-2022 12:31

Static task: static1
Behavioral task: behavioral1
  Sample: fzejdpOSxr_bin.js
  Resource: win7-20220414-en

The yara hits and memory dumps further down are tagged behavioral2 and belong to the Windows 10 run described by the platform and resource fields above; behavioral1 is the Windows 7 run of the same sample.
General

Target: fzejdpOSxr_bin.js
Size: 359KB
MD5: 84fa540039df7abc11a136c8a43fde22
SHA1: 175daef8a581ff8ae86cded1cb6f68373d665dda
SHA256: d5e68b8de115bfa8d06d5f407c3e6f9c95f545ff4a9ee16f9ba2706993cdd7c0
SHA512: 7715e6ae047fdfee1ba18aa1adccb28f1608b591a5e710c687f8c599486163b85a432edbbebdeef2301cf779c969cfee1578ad75a57aceb6f8589b2c054595b5
Malware Config

Extracted
Family: xloader
Version: 2.6
Campaign ID: mdzq
C2 domains (65 entries): Xloader (FormBook) configs list one live C2 among decoy domains, and several of the entries below are ordinary registered sites, so confirm which host actually received the check-in traffic before blocking the whole list.
leop.red
actoconcept.fr
doesmee.com
goplygolf.com
cqshki.net
leflegme.com
wgamersport.xyz
4513367.com
shpoweronline.com
ingeniousconsultingservices.com
dentaldenalia.com
saaraba.net
artnow.media
sbwyt.com
nortonrosefulbrigiht.com
autorad.xyz
clergyfundingandinsurance.com
boarko.com
xn--zoom-kh4j.com
739lakemuirdr.com
nhcabling.com
la-bites.com
bostoncleaners.net
q5p0ih89ufw9q5a.site
davincimarblle.com
albite.xyz
earaproperties.com
xn--vsqs7b5yfhum230a.xn--55qx5d
marketreservation.com
n5ply9.com
bestquest.club
hs8068.com
uniqloot.com
arcadestatus.com
seidsaleh.com
a4africa.com
renchies.com
sunilrpatel.com
pdbet168.com
yzshm.com
zhongheyouzhi.com
citraudaysinfinity.com
dk2arnw64qr9vd.life
bornean.website
italianchef.menu
slotdanatanpapotongan.com
aplomber.com
strictlyusedgolfokc.com
westfargo.xyz
46magic.com
desenvolvimento-curso.online
bynicholls.com
wintegrative.com
help-dunya-international.com
swindonconcretepumps.com
ghantasaala.com
fishgaudy.space
hml.email
colwoodrealtyauction.com
markjfinlay.com
madelineagnes.site
thecoastalgranddaughter.com
kreditrechner.pro
thebolingerfamily.com
marijevanrijn.site
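Matching telemetry against this list, as an added example that is not part of the sandbox report: the code below carries a subset of the extracted domains, normalizes DNS queries (case, trailing dot, subdomains anchored on a dot so notleop.red does not match leop.red), decodes the two punycode entries so an analyst sees their Unicode form, and runs over a few constructed DNS log lines in a made-up "timestamp client query type" layout. Only the domain strings come from the config above; the log lines, their format and the function names are illustrative. Note that the misspelled nortonrosefulbrigiht.com is matched exactly, so a query for the correctly spelled firm is not a hit.

```python
"""Match DNS telemetry against the Xloader C2 list extracted above.

Added example, not part of the sandbox report. The domain subset comes from
the Malware Config section; the log lines and their "ts client query qtype"
layout are constructed for illustration, not a vendor schema.
"""
import re
from typing import Dict, Iterable, List, Optional

# Subset of the 65 extracted C2 domains. The config does not mark which one is
# the live C2, so every entry is treated as an indicator.
XLOADER_C2 = {
    "leop.red",
    "doesmee.com",
    "nortonrosefulbrigiht.com",
    "xn--zoom-kh4j.com",
    "xn--vsqs7b5yfhum230a.xn--55qx5d",
    "q5p0ih89ufw9q5a.site",
    "dk2arnw64qr9vd.life",
    "hml.email",
}


def normalize(domain: str) -> str:
    """Lowercase and drop whitespace and the trailing dot that resolver logs often keep."""
    return domain.strip().rstrip(".").lower()


def decode_idn(domain: str) -> str:
    """Decode xn-- (punycode) labels to Unicode, label by label.

    A label that fails to decode or round-trip is kept as-is, so untrusted
    input never raises; the caller still sees the ASCII form.
    """
    out = []
    for label in domain.split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass
        out.append(label)
    return ".".join(out)


def is_punycode(domain: str) -> bool:
    return any(label.startswith("xn--") for label in domain.split("."))


def matched_c2(query: str, c2: Iterable[str] = XLOADER_C2) -> Optional[str]:
    """Return the C2 domain that `query` equals or is a subdomain of, else None.

    The suffix test is anchored on a dot, so notleop.red does not match leop.red.
    """
    q = normalize(query)
    for domain in c2:
        if q == domain or q.endswith("." + domain):
            return domain
    return None


# Constructed DNS log lines (not from the report).
SAMPLE_DNS_LOG = """\
2022-07-05T12:31:40Z 10.0.0.21 www.leop.red A
2022-07-05T12:31:41Z 10.0.0.21 time.windows.com A
2022-07-05T12:31:42Z 10.0.0.22 DOESMEE.COM. A
2022-07-05T12:31:43Z 10.0.0.23 nortonrosefulbright.com A
2022-07-05T12:31:44Z 10.0.0.23 xn--zoom-kh4j.com AAAA
2022-07-05T12:31:45Z 10.0.0.24 notleop.red A
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<query>\S+)\s+(?P<qtype>\S+)$")


def scan_dns_log(text: str) -> List[Dict[str, str]]:
    """One hit record per log line whose query lands on an extracted C2 domain."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        domain = matched_c2(m["query"])
        if domain is None:
            continue
        hits.append({
            "ts": m["ts"],
            "client": m["client"],
            "query": normalize(m["query"]),
            "c2": domain,
            "c2_unicode": decode_idn(domain),  # the form a user would see in a URL bar
            "punycode": is_punycode(domain),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(hit)
```

Feeding the full 65-entry list instead of the subset is a matter of replacing XLOADER_C2; the decode step matters because the xn--55qx5d TLD and the xn--zoom-kh4j.com label only reveal what they imitate once rendered as Unicode.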
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2

The Emerging Threats rules still use the FormBook name; Xloader is the same family under its current name, so the suricata hits and the xloader config extraction above describe one piece of malware.
Xloader Payload 6 IoCs
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\bin.exe | xloader
C:\Users\Admin\AppData\Local\Temp\bin.exe | xloader
behavioral2/memory/1628-141-0x0000000000980000-0x00000000009AB000-memory.dmp | xloader
behavioral2/memory/1628-144-0x0000000000980000-0x00000000009AB000-memory.dmp | xloader
C:\Program Files (x86)\Sp0ylupl0\vdbono8wb.exe | xloader
C:\Program Files (x86)\Sp0ylupl0\vdbono8wb.exe | xloader
The rule matches the dropped executable on disk (both the Temp copy and the Program Files copy) and the 172KB region at 0x980000 inside wscript.exe PID 1628, i.e. the unpacked payload running in the injected script host.
Adds policy Run key to start application 2 TTPs 2 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DZNHHVQ8W = "C:\\Program Files (x86)\\Sp0ylupl0\\vdbono8wb.exe" | wscript.exe
Persistence goes to the HKLM Policies\Explorer\Run key rather than the usual CurrentVersion\Run key; Explorer processes it at logon, but it is monitored less often. The writer is the SysWOW64 wscript.exe (PID 1628) that carries the payload, so the registry event is attributed to a signed Microsoft binary.
Executes dropped EXE 2 IoCs
pid | process
4080 | bin.exe
2288 | vdbono8wb.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check; it is the initial wscript.exe that queries it.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | wscript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers target stored browser data, which can include saved credentials. Here the evidence is concrete: the injected wscript.exe spawns cmd.exe to copy the Chrome and Edge Login Data databases (the SQLite files that hold saved logins) to %TEMP%\DB1, and it creates the Internet Explorer IntelliForms\Storage2 key, where IE keeps autocomplete credentials.
Suspicious use of SetThreadContext 2 IoCs
description | pid | process | target process
PID 4080 set thread context of 2812 | 4080 | bin.exe | Explorer.EXE
PID 1628 set thread context of 2812 | 1628 | wscript.exe | Explorer.EXE
Setting the context of a thread in another process is the last step of thread-hijack style injection. Both the dropper and the SysWOW64 wscript.exe target Explorer.EXE (PID 2812), and the WriteProcessMemory entries show Explorer subsequently launching the SysWOW64 wscript.exe and vdbono8wb.exe, so the injected Explorer is the parent of the payload processes.
Drops file in Program Files directory 4 IoCs
description | ioc | process
File opened for modification | C:\Program Files (x86)\Sp0ylupl0\vdbono8wb.exe | wscript.exe
File opened for modification | C:\Program Files (x86)\Sp0ylupl0 | Explorer.EXE
File created | C:\Program Files (x86)\Sp0ylupl0\vdbono8wb.exe | Explorer.EXE
File opened for modification | C:\Program Files (x86)\Sp0ylupl0\vdbono8wb.exe | Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; everything else in this report shows an infostealer, so that label does not apply to this sample.

Modifies Internet Explorer settings
description | ioc | process
Key created | \Registry\User\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | wscript.exe
IntelliForms\Storage2 is where Internet Explorer stores autocomplete form data and saved passwords, which is why a credential stealer touches it.
Suspicious behavior: EnumeratesProcesses 60 IoCs
pid | process | hits
4080 | bin.exe | 4
1628 | wscript.exe | 54
2288 | vdbono8wb.exe | 2
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | process
2812 | Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs
pid | process | hits
4080 | bin.exe | 3
1628 | wscript.exe | 4
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | process
Token: SeDebugPrivilege | 4080 | bin.exe
Token: SeDebugPrivilege | 1628 | wscript.exe
Token: SeDebugPrivilege | 2288 | vdbono8wb.exe
Suspicious use of WriteProcessMemory 23 IoCs
source pid | source process | target pid | target process | writes
3216 | wscript.exe | 1256 | wscript.exe | 2
3216 | wscript.exe | 4080 | bin.exe | 3
2812 | Explorer.EXE | 1628 | wscript.exe | 3
1628 | wscript.exe | 1600 | cmd.exe | 3
1628 | wscript.exe | 4616 | cmd.exe | 3
1628 | wscript.exe | 3900 | cmd.exe | 3
1628 | wscript.exe | 4692 | Firefox.exe | 3
2812 | Explorer.EXE | 2288 | vdbono8wb.exe | 3
A parent writing into a child it has just created is normal (CreateProcess does this), so these entries are not injection by themselves; their value is the PID-to-image map they give and the parentage they reveal: the injected Explorer.EXE (2812) is the parent of the SysWOW64 wscript.exe (1628) and of the persisted vdbono8wb.exe (2288).
System policy modification 1 TTPs 1 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | wscript.exe
Processes

C:\Windows\Explorer.EXE  (PID 2812)
  command line: C:\Windows\Explorer.EXE
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\wscript.exe  (PID 3216)
    command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\fzejdpOSxr_bin.js
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\wscript.exe  (PID 1256)
      command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\qNMQUcivjU.js"

    C:\Users\Admin\AppData\Local\Temp\bin.exe  (PID 4080)
      command line: "C:\Users\Admin\AppData\Local\Temp\bin.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\wscript.exe  (PID 1628)
    command line: "C:\Windows\SysWOW64\wscript.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\bin.exe"

    C:\Windows\SysWOW64\cmd.exe
      command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

    C:\Windows\SysWOW64\cmd.exe
      command line: /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

    C:\Program Files\Mozilla Firefox\Firefox.exe  (PID 4692)
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

  C:\Program Files (x86)\Sp0ylupl0\vdbono8wb.exe  (PID 2288)
    command line: "C:\Program Files (x86)\Sp0ylupl0\vdbono8wb.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

PIDs are taken from the WriteProcessMemory entries. The three cmd.exe children are PIDs 1600, 4616 and 3900; the page does not fix which command ran under which PID. Read as a chain: the submitted script (wscript.exe 3216) runs a second-stage script from %APPDATA%\Roaming with //B (batch mode, which suppresses script errors and prompts) and drops and starts bin.exe (4080). bin.exe injects into Explorer.EXE (2812) via SetThreadContext; Explorer then starts a 32-bit wscript.exe with no script argument (1628) whose memory carries the Xloader payload (yara hits above). That process deletes the dropper, copies the Chrome and Edge Login Data stores to %TEMP%\DB1, starts Firefox, writes the Policies\Explorer\Run value, and a copy of the payload is written to Program Files as vdbono8wb.exe, which Explorer also launches (2288).
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Program Files (x86)\Sp0ylupl0\vdbono8wb.exe
  Filesize: 171KB
  MD5: f1a3c7fee5a476470f039c5a89ccfe51
  SHA1: c76f1eb2a872c295e656d49b3ddb27a98c03a3b2
  SHA256: 09060292de9b8bf9081d8375c348294c9ac72e087320ec2d8e0a5b48acc5e1cc
  SHA512: d97550f40ead367d53306b6a7e741242824c5bcba93ed0dfa6b8411a21f4fcbc0dd87a2f0d97cef6052cc097265afd79bfd72ebf4311416d5e1a637e314e8ba0

C:\Users\Admin\AppData\Local\Temp\DB1
  Filesize: 40KB
  MD5: b608d407fc15adea97c26936bc6f03f6
  SHA1: 953e7420801c76393902c0d6bb56148947e41571
  SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

C:\Users\Admin\AppData\Local\Temp\DB1
  Filesize: 48KB
  MD5: 349e6eb110e34a08924d92f6b334801d
  SHA1: bdfb289daff51890cc71697b6322aa4b35ec9169
  SHA256: c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
  SHA512: 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\bin.exe
  Filesize: 171KB
  MD5: f1a3c7fee5a476470f039c5a89ccfe51
  SHA1: c76f1eb2a872c295e656d49b3ddb27a98c03a3b2
  SHA256: 09060292de9b8bf9081d8375c348294c9ac72e087320ec2d8e0a5b48acc5e1cc
  SHA512: d97550f40ead367d53306b6a7e741242824c5bcba93ed0dfa6b8411a21f4fcbc0dd87a2f0d97cef6052cc097265afd79bfd72ebf4311416d5e1a637e314e8ba0

C:\Users\Admin\AppData\Roaming\qNMQUcivjU.js
  Filesize: 18KB
  MD5: 7ed08a6a01849656952a26779ddebdb8
  SHA1: 80c1ac073671679fa8696e2f2b35aec5ac13adf2
  SHA256: 842f1ec25f5540d2aa87f279b362e06636b929d4c7a7dc812ebfdcd655df7d7e
  SHA512: 9052be1db12d30f26ea5dfb35c2fa25c0db6f231f5546f04bccfdc19a621a186f47d964325bd9dd941ac3d36e91c505a0692ee10a42b6752778e34f36e8c3e2a

bin.exe and vdbono8wb.exe carry identical hashes, so the copy persisted under Program Files is byte-for-byte the Temp dropper and one hash set covers both paths. The two DB1 entries are different contents captured under the same path: the Chrome and Edge Login Data copies both write to %TEMP%\DB1.

Memory dumps
  memory/1256-130-0x0000000000000000-mapping.dmp
  memory/1600-139-0x0000000000000000-mapping.dmp
  memory/1628-142-0x0000000002EA0000-0x00000000031EA000-memory.dmp  (3.3MB)
  memory/1628-141-0x0000000000980000-0x00000000009AB000-memory.dmp  (172KB)
  memory/1628-138-0x0000000000000000-mapping.dmp
  memory/1628-143-0x0000000002CD0000-0x0000000002D60000-memory.dmp  (576KB)
  memory/1628-144-0x0000000000980000-0x00000000009AB000-memory.dmp  (172KB)
  memory/1628-140-0x0000000000E70000-0x0000000000E97000-memory.dmp  (156KB)
  memory/2288-151-0x0000000000000000-mapping.dmp
  memory/2288-154-0x00000000019A0000-0x0000000001CEA000-memory.dmp  (3.3MB)
  memory/2812-146-0x0000000008470000-0x0000000008561000-memory.dmp  (964KB)
  memory/2812-137-0x0000000008320000-0x000000000846D000-memory.dmp  (1.3MB)
  memory/2812-145-0x0000000008470000-0x0000000008561000-memory.dmp  (964KB)
  memory/3900-149-0x0000000000000000-mapping.dmp
  memory/4080-136-0x0000000001470000-0x0000000001481000-memory.dmp  (68KB)
  memory/4080-135-0x0000000001100000-0x000000000144A000-memory.dmp  (3.3MB)
  memory/4080-132-0x0000000000000000-mapping.dmp
  memory/4616-147-0x0000000000000000-mapping.dmp
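Indicator handling for the file table above, as an added example that is not part of the report: parse the records, validate that each hash is hex of the right length (copy-and-paste damage is common when IOCs move between reports and blocklists), collapse the duplicated rows, and group by SHA256 so the Temp dropper and the Program Files copy come out as one indicator with two paths, while %TEMP%\DB1 is reported as a path seen with two different contents. SAMPLE is a constructed copy of the report's values in a "path / Key: value" layout; the function names are illustrative.

```python
"""Turn the Downloads table above into deduplicated file indicators.

Added example, not part of the report. SAMPLE is a constructed copy of the
report's file records in "path / Key: value" form; hash values are the ones
the report prints (SHA512 left out to keep the sample short; the parser
accepts it when present).
"""
import re
from collections import defaultdict
from typing import Dict, List

HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

SAMPLE = r"""
C:\Program Files (x86)\Sp0ylupl0\vdbono8wb.exe
  Filesize: 171KB
  MD5: f1a3c7fee5a476470f039c5a89ccfe51
  SHA1: c76f1eb2a872c295e656d49b3ddb27a98c03a3b2
  SHA256: 09060292de9b8bf9081d8375c348294c9ac72e087320ec2d8e0a5b48acc5e1cc

C:\Program Files (x86)\Sp0ylupl0\vdbono8wb.exe
  Filesize: 171KB
  MD5: f1a3c7fee5a476470f039c5a89ccfe51
  SHA1: c76f1eb2a872c295e656d49b3ddb27a98c03a3b2
  SHA256: 09060292de9b8bf9081d8375c348294c9ac72e087320ec2d8e0a5b48acc5e1cc

C:\Users\Admin\AppData\Local\Temp\DB1
  Filesize: 40KB
  MD5: b608d407fc15adea97c26936bc6f03f6
  SHA1: 953e7420801c76393902c0d6bb56148947e41571
  SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

C:\Users\Admin\AppData\Local\Temp\DB1
  Filesize: 48KB
  MD5: 349e6eb110e34a08924d92f6b334801d
  SHA1: bdfb289daff51890cc71697b6322aa4b35ec9169
  SHA256: c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

C:\Users\Admin\AppData\Local\Temp\bin.exe
  Filesize: 171KB
  MD5: f1a3c7fee5a476470f039c5a89ccfe51
  SHA1: c76f1eb2a872c295e656d49b3ddb27a98c03a3b2
  SHA256: 09060292de9b8bf9081d8375c348294c9ac72e087320ec2d8e0a5b48acc5e1cc

C:\Users\Admin\AppData\Roaming\qNMQUcivjU.js
  Filesize: 18KB
  MD5: 7ed08a6a01849656952a26779ddebdb8
  SHA1: 80c1ac073671679fa8696e2f2b35aec5ac13adf2
  SHA256: 842f1ec25f5540d2aa87f279b362e06636b929d4c7a7dc812ebfdcd655df7d7e
"""


def parse_records(text: str) -> List[Dict[str, str]]:
    """Parse records: an unindented path line followed by indented 'Key: value' lines."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):            # unindented line starts a new record
            current = {"path": raw.strip()}
            records.append(current)
            continue
        key, _, value = raw.strip().partition(":")
        key, value = key.strip().lower(), value.strip()
        if current and value:
            current[key] = value.lower() if key in HEX_LEN else value
    return records


def invalid_hashes(rec: Dict[str, str]) -> List[str]:
    """Hash fields whose value is not lowercase hex of the expected length."""
    return [algo for algo, n in HEX_LEN.items()
            if algo in rec and re.fullmatch(r"[0-9a-f]{%d}" % n, rec[algo]) is None]


def build_indicators(text: str) -> Dict[str, Dict]:
    """Group records by SHA256: one indicator per distinct content, with every path it was seen under.

    Verbatim duplicate rows collapse automatically; a record with a malformed or
    missing hash is rejected rather than silently producing a bogus indicator.
    """
    indicators: Dict[str, Dict] = {}
    for rec in parse_records(text):
        bad = invalid_hashes(rec)
        if bad or "sha256" not in rec:
            raise ValueError(f"bad record for {rec.get('path')}: {bad or 'no sha256'}")
        ind = indicators.setdefault(rec["sha256"], {
            "md5": rec.get("md5"), "sha1": rec.get("sha1"),
            "filesize": rec.get("filesize"), "paths": [],
        })
        if rec["path"] not in ind["paths"]:
            ind["paths"].append(rec["path"])
    return indicators


def paths_with_multiple_contents(indicators: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Paths captured with more than one SHA256 (same name, different content)."""
    by_path = defaultdict(set)
    for sha256, ind in indicators.items():
        for path in ind["paths"]:
            by_path[path].add(sha256)
    return {p: sorted(s) for p, s in by_path.items() if len(s) > 1}


if __name__ == "__main__":
    inds = build_indicators(SAMPLE)
    for sha256, ind in inds.items():
        print(sha256, ind["filesize"], ind["paths"])
    print("paths with multiple contents:", paths_with_multiple_contents(inds))
```

Grouping by content rather than by path is what keeps a blocklist honest: the dropper and its persisted copy are one indicator with two observed locations, and a path like %TEMP%\DB1 that holds whatever was copied last is flagged instead of being published as a file hash.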