Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
06-07-2022 20:07
Static task
static1
Behavioral task
behavioral1
Sample
Drawing Image PDF.exe
Resource
win7-20220414-en
General
-
Target
Drawing Image PDF.exe
-
Size
713KB
-
MD5
d7ce2f78a17847431c921087487a8b91
-
SHA1
3a2b899ebfdac8a82b66bd95c4838162e066672e
-
SHA256
db4c0badc999b10f0dae3d1d80b59c3748de2f6f913fb7bff2d9303e4396a1b4
-
SHA512
519fd6855a7a22e42e363955593c108d498b2528dd8d3bc2bff2eaf7236be4af83d14c2c3cb90a347ce851286ac3859322cba7e8fed84e4873be29547223f47c
Malware Config
Extracted
xloader
2.9
k25e
Xvh6mA98aHhdW5PD
XpSglwzNIOqe9g==
RWuFLgQ7oCzN4U/2/A==
nf6FGPYyk+veLC0=
FnN4A9ALIOqe9g==
kcXTjYT8eRm8DQOuLW8mYOG8eN8=
yryblm3yv9iO+HZOTbxhSw/FtNcRng==
ZRazQ2DW84uiZaiw6w==
Is1fie9gWoUuX+Czzuk=
lV9ffbe7SO6B
Pj79m1gaBi8Fajo=
tTdnWml24M1Y4Q==
Zq3U8oC/5/SW
l2f5LrEsED3jSoYw/zoy2Q==
oM3TbW/saRS2N3Yqzi31mZoiw9go9Ck=
AyPthJYMGC4dRr3a
uJNV6qnUOsB4lGP6oRHjc00=
09OYj9e/5/SW
9UFZgN4YDzDkQTvg4KFqn2facZ19aGuv
F5PHzC1g0IBdW5PD
0efCe0KLXGwTa2ccNdBZkXnLpsPk
1SdigRqSiLpZoqA2/zoy2Q==
x2LgZ5D7IOqe9g==
XPqSsPx3ZIQqYJC8xjP1l/v/sTF9aGuv
9t2qVFfGJrynw7Vv9A==
Y7YCaBZJqSfd4U/2/A==
xuS8Z23aDPegBXMx/zoy2Q==
zNuyVARFPVQCa5U94WovD1dZ6GLs
Kk5kFBiJBqFcoJk1/zoy2Q==
9XPJHl3e1QnrHFVx9A==
soUiwJ3iUNZ/19OEGkY32yWfQMI=
S1EkvGqjDI49cajCZLdeduG8eN8=
Kg3EZCFQxVTwVOCzzuk=
pgM7UpTOvtaG0sMrhiKk
KYOMNj694M1Y4Q==
Ue9rlCmWfXosfOYUqZGAsVo=
k/EOFpIE8/6gC322ujsuc+G8eN8=
q+0DDZoTEiboMWTAZb+CMFI=
Vjcis7ZBk+veLC0=
pF985gsGJ+veLC0=
45cVNoav4M1Y4Q==
SBWvUhFVO1YVgPBY1P4=
y0il4iNWwWANZ5U3/zoy2Q==
8xUgLJUEORbPA9Ve9FoIUnYUwtgo9Ck=
tJ9iAB2gC5Z9ucfN
tXMOoKMj9Qm0EVQrhiKk
A3W102TRrsZ0r+gSHZp8u2HLy/n9
/q84vqkoCBvOQ73nAMS3o3b8
Ea3/NoLEt9yO20krhiKk
iKuyuPEeIDDdF08rhiKk
88ONNEa1KLRw2E8rhiKk
vPKHHvUIVeveLC0=
E991Csr8avWgAnMx/zoy2Q==
bY+rVzBkbIsmcNsSRey3o3b8
LofU7HziZQGrJV8YopGAsVo=
jTvI9EF5VVoZaGIarJGAsVo=
W7UiTtZoRF7+aaA6/zoy2Q==
aJ2mufsgBiLWOzX2JcEuXE6+YZ59aGuv
n1/rj7c+njjkJxHH/zoy2Q==
e46QH2R84M1Y4Q==
4Qsdwq0slfzmS4WfpNiCmXnLpsPk
x54mNp8UCC4dRr3a
76U2u3m4KdyE4AHCba9WdOG8eN8=
e/xBr6oge+veLC0=
rt-cards.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 5 IoCs
Processes:
resource yara_rule behavioral1/memory/1996-62-0x0000000000400000-0x000000000042C000-memory.dmp xloader behavioral1/memory/1996-63-0x000000000041F680-mapping.dmp xloader behavioral1/memory/1996-69-0x0000000000400000-0x000000000042C000-memory.dmp xloader behavioral1/memory/1280-73-0x00000000000C0000-0x00000000000EC000-memory.dmp xloader behavioral1/memory/1280-76-0x00000000000C0000-0x00000000000EC000-memory.dmp xloader -
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
cmmon32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run cmmon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HHVH04IX_6Y = "C:\\Program Files (x86)\\Lshl\\igfxz6axv4a8.exe" cmmon32.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
Drawing Image PDF.exeRegSvcs.execmmon32.exedescription pid process target process PID 1936 set thread context of 1996 1936 Drawing Image PDF.exe RegSvcs.exe PID 1996 set thread context of 1320 1996 RegSvcs.exe Explorer.EXE PID 1280 set thread context of 1320 1280 cmmon32.exe Explorer.EXE -
Drops file in Program Files directory 1 IoCs
Processes:
cmmon32.exedescription ioc process File opened for modification C:\Program Files (x86)\Lshl\igfxz6axv4a8.exe cmmon32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
cmmon32.exedescription ioc process Key created \Registry\User\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 cmmon32.exe -
Suspicious behavior: EnumeratesProcesses 21 IoCs
Processes:
RegSvcs.execmmon32.exepid process 1996 RegSvcs.exe 1996 RegSvcs.exe 1280 cmmon32.exe 1280 cmmon32.exe 1280 cmmon32.exe 1280 cmmon32.exe 1280 cmmon32.exe 1280 cmmon32.exe 1280 cmmon32.exe 1280 cmmon32.exe 1280 cmmon32.exe 1280 cmmon32.exe 1280 cmmon32.exe 1280 cmmon32.exe 1280 cmmon32.exe 1280 cmmon32.exe 1280 cmmon32.exe 1280 cmmon32.exe 1280 cmmon32.exe 1280 cmmon32.exe 1280 cmmon32.exe -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
RegSvcs.execmmon32.exepid process 1996 RegSvcs.exe 1996 RegSvcs.exe 1996 RegSvcs.exe 1280 cmmon32.exe 1280 cmmon32.exe 1280 cmmon32.exe 1280 cmmon32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
RegSvcs.execmmon32.exedescription pid process Token: SeDebugPrivilege 1996 RegSvcs.exe Token: SeDebugPrivilege 1280 cmmon32.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1320 Explorer.EXE 1320 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1320 Explorer.EXE 1320 Explorer.EXE -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
Drawing Image PDF.exeExplorer.EXEcmmon32.exedescription pid process target process PID 1936 wrote to memory of 1996 1936 Drawing Image PDF.exe RegSvcs.exe PID 1936 wrote to memory of 1996 1936 Drawing Image PDF.exe RegSvcs.exe PID 1936 wrote to memory of 1996 1936 Drawing Image PDF.exe RegSvcs.exe PID 1936 wrote to memory of 1996 1936 Drawing Image PDF.exe RegSvcs.exe PID 1936 wrote to memory of 1996 1936 Drawing Image PDF.exe RegSvcs.exe PID 1936 wrote to memory of 1996 1936 Drawing Image PDF.exe RegSvcs.exe PID 1936 wrote to memory of 1996 1936 Drawing Image PDF.exe RegSvcs.exe PID 1936 wrote to memory of 1996 1936 Drawing Image PDF.exe RegSvcs.exe PID 1936 wrote to memory of 1996 1936 Drawing Image PDF.exe RegSvcs.exe PID 1936 wrote to memory of 1996 1936 Drawing Image PDF.exe RegSvcs.exe PID 1320 wrote to memory of 1280 1320 Explorer.EXE cmmon32.exe PID 1320 wrote to memory of 1280 1320 Explorer.EXE cmmon32.exe PID 1320 wrote to memory of 1280 1320 Explorer.EXE cmmon32.exe PID 1320 wrote to memory of 1280 1320 Explorer.EXE cmmon32.exe PID 1280 wrote to memory of 364 1280 cmmon32.exe cmd.exe PID 1280 wrote to memory of 364 1280 cmmon32.exe cmd.exe PID 1280 wrote to memory of 364 1280 cmmon32.exe cmd.exe PID 1280 wrote to memory of 364 1280 cmmon32.exe cmd.exe PID 1280 wrote to memory of 1500 1280 cmmon32.exe Firefox.exe PID 1280 wrote to memory of 1500 1280 cmmon32.exe Firefox.exe PID 1280 wrote to memory of 1500 1280 cmmon32.exe Firefox.exe PID 1280 wrote to memory of 1500 1280 cmmon32.exe Firefox.exe PID 1280 wrote to memory of 1500 1280 cmmon32.exe Firefox.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Drawing Image PDF.exe"C:\Users\Admin\AppData\Local\Temp\Drawing Image PDF.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmmon32.exe"C:\Windows\SysWOW64\cmmon32.exe"2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/364-70-0x0000000000000000-mapping.dmp
-
memory/1280-76-0x00000000000C0000-0x00000000000EC000-memory.dmpFilesize
176KB
-
memory/1280-72-0x0000000000B30000-0x0000000000E33000-memory.dmpFilesize
3.0MB
-
memory/1280-68-0x0000000000000000-mapping.dmp
-
memory/1280-73-0x00000000000C0000-0x00000000000EC000-memory.dmpFilesize
176KB
-
memory/1280-74-0x0000000000860000-0x00000000008F0000-memory.dmpFilesize
576KB
-
memory/1280-71-0x0000000000EE0000-0x0000000000EED000-memory.dmpFilesize
52KB
-
memory/1320-77-0x0000000006490000-0x00000000065FC000-memory.dmpFilesize
1.4MB
-
memory/1320-75-0x0000000006490000-0x00000000065FC000-memory.dmpFilesize
1.4MB
-
memory/1320-67-0x0000000003D10000-0x0000000003E12000-memory.dmpFilesize
1.0MB
-
memory/1936-54-0x0000000001180000-0x0000000001238000-memory.dmpFilesize
736KB
-
memory/1936-58-0x0000000000B60000-0x0000000000B92000-memory.dmpFilesize
200KB
-
memory/1936-57-0x00000000060F0000-0x0000000006174000-memory.dmpFilesize
528KB
-
memory/1936-56-0x0000000000520000-0x000000000052A000-memory.dmpFilesize
40KB
-
memory/1936-55-0x00000000757C1000-0x00000000757C3000-memory.dmpFilesize
8KB
-
memory/1996-59-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1996-69-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1996-66-0x00000000001A0000-0x00000000001B1000-memory.dmpFilesize
68KB
-
memory/1996-64-0x0000000000B50000-0x0000000000E53000-memory.dmpFilesize
3.0MB
-
memory/1996-63-0x000000000041F680-mapping.dmp
-
memory/1996-62-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1996-60-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB