Analysis
-
max time kernel
149s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
06-07-2022 20:09
Static task
static1
Behavioral task
behavioral1
Sample
Drawing Image PDF.exe
Resource
win7-20220414-en
General
-
Target
Drawing Image PDF.exe
-
Size
713KB
-
MD5
d7ce2f78a17847431c921087487a8b91
-
SHA1
3a2b899ebfdac8a82b66bd95c4838162e066672e
-
SHA256
db4c0badc999b10f0dae3d1d80b59c3748de2f6f913fb7bff2d9303e4396a1b4
-
SHA512
519fd6855a7a22e42e363955593c108d498b2528dd8d3bc2bff2eaf7236be4af83d14c2c3cb90a347ce851286ac3859322cba7e8fed84e4873be29547223f47c
Malware Config
Extracted
xloader
2.9
k25e
Xvh6mA98aHhdW5PD
XpSglwzNIOqe9g==
RWuFLgQ7oCzN4U/2/A==
nf6FGPYyk+veLC0=
FnN4A9ALIOqe9g==
kcXTjYT8eRm8DQOuLW8mYOG8eN8=
yryblm3yv9iO+HZOTbxhSw/FtNcRng==
ZRazQ2DW84uiZaiw6w==
Is1fie9gWoUuX+Czzuk=
lV9ffbe7SO6B
Pj79m1gaBi8Fajo=
tTdnWml24M1Y4Q==
Zq3U8oC/5/SW
l2f5LrEsED3jSoYw/zoy2Q==
oM3TbW/saRS2N3Yqzi31mZoiw9go9Ck=
AyPthJYMGC4dRr3a
uJNV6qnUOsB4lGP6oRHjc00=
09OYj9e/5/SW
9UFZgN4YDzDkQTvg4KFqn2facZ19aGuv
F5PHzC1g0IBdW5PD
0efCe0KLXGwTa2ccNdBZkXnLpsPk
1SdigRqSiLpZoqA2/zoy2Q==
x2LgZ5D7IOqe9g==
XPqSsPx3ZIQqYJC8xjP1l/v/sTF9aGuv
9t2qVFfGJrynw7Vv9A==
Y7YCaBZJqSfd4U/2/A==
xuS8Z23aDPegBXMx/zoy2Q==
zNuyVARFPVQCa5U94WovD1dZ6GLs
Kk5kFBiJBqFcoJk1/zoy2Q==
9XPJHl3e1QnrHFVx9A==
soUiwJ3iUNZ/19OEGkY32yWfQMI=
S1EkvGqjDI49cajCZLdeduG8eN8=
Kg3EZCFQxVTwVOCzzuk=
pgM7UpTOvtaG0sMrhiKk
KYOMNj694M1Y4Q==
Ue9rlCmWfXosfOYUqZGAsVo=
k/EOFpIE8/6gC322ujsuc+G8eN8=
q+0DDZoTEiboMWTAZb+CMFI=
Vjcis7ZBk+veLC0=
pF985gsGJ+veLC0=
45cVNoav4M1Y4Q==
SBWvUhFVO1YVgPBY1P4=
y0il4iNWwWANZ5U3/zoy2Q==
8xUgLJUEORbPA9Ve9FoIUnYUwtgo9Ck=
tJ9iAB2gC5Z9ucfN
tXMOoKMj9Qm0EVQrhiKk
A3W102TRrsZ0r+gSHZp8u2HLy/n9
/q84vqkoCBvOQ73nAMS3o3b8
Ea3/NoLEt9yO20krhiKk
iKuyuPEeIDDdF08rhiKk
88ONNEa1KLRw2E8rhiKk
vPKHHvUIVeveLC0=
E991Csr8avWgAnMx/zoy2Q==
bY+rVzBkbIsmcNsSRey3o3b8
LofU7HziZQGrJV8YopGAsVo=
jTvI9EF5VVoZaGIarJGAsVo=
W7UiTtZoRF7+aaA6/zoy2Q==
aJ2mufsgBiLWOzX2JcEuXE6+YZ59aGuv
n1/rj7c+njjkJxHH/zoy2Q==
e46QH2R84M1Y4Q==
4Qsdwq0slfzmS4WfpNiCmXnLpsPk
x54mNp8UCC4dRr3a
76U2u3m4KdyE4AHCba9WdOG8eN8=
e/xBr6oge+veLC0=
rt-cards.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 5 IoCs
Processes:
resource yara_rule behavioral1/memory/1228-62-0x0000000000400000-0x000000000042C000-memory.dmp xloader behavioral1/memory/1228-63-0x000000000041F680-mapping.dmp xloader behavioral1/memory/1228-65-0x0000000000400000-0x000000000042C000-memory.dmp xloader behavioral1/memory/1744-71-0x00000000001D0000-0x00000000001FC000-memory.dmp xloader behavioral1/memory/1744-76-0x00000000001D0000-0x00000000001FC000-memory.dmp xloader -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
cscript.exedescription ioc process Key created \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run cscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LRJ8IL4XCN = "C:\\Program Files (x86)\\Nhbwt\\userpbc.exe" cscript.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
Drawing Image PDF.exeRegSvcs.execscript.exedescription pid process target process PID 948 set thread context of 1228 948 Drawing Image PDF.exe RegSvcs.exe PID 1228 set thread context of 1256 1228 RegSvcs.exe Explorer.EXE PID 1744 set thread context of 1256 1744 cscript.exe Explorer.EXE -
Drops file in Program Files directory 1 IoCs
Processes:
cscript.exedescription ioc process File opened for modification C:\Program Files (x86)\Nhbwt\userpbc.exe cscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
cscript.exedescription ioc process Key created \Registry\User\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 cscript.exe -
Suspicious behavior: EnumeratesProcesses 21 IoCs
Processes:
RegSvcs.execscript.exepid process 1228 RegSvcs.exe 1228 RegSvcs.exe 1744 cscript.exe 1744 cscript.exe 1744 cscript.exe 1744 cscript.exe 1744 cscript.exe 1744 cscript.exe 1744 cscript.exe 1744 cscript.exe 1744 cscript.exe 1744 cscript.exe 1744 cscript.exe 1744 cscript.exe 1744 cscript.exe 1744 cscript.exe 1744 cscript.exe 1744 cscript.exe 1744 cscript.exe 1744 cscript.exe 1744 cscript.exe -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
RegSvcs.execscript.exepid process 1228 RegSvcs.exe 1228 RegSvcs.exe 1228 RegSvcs.exe 1744 cscript.exe 1744 cscript.exe 1744 cscript.exe 1744 cscript.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
RegSvcs.execscript.exedescription pid process Token: SeDebugPrivilege 1228 RegSvcs.exe Token: SeDebugPrivilege 1744 cscript.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1256 Explorer.EXE 1256 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1256 Explorer.EXE 1256 Explorer.EXE -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
Drawing Image PDF.exeExplorer.EXEcscript.exedescription pid process target process PID 948 wrote to memory of 1228 948 Drawing Image PDF.exe RegSvcs.exe PID 948 wrote to memory of 1228 948 Drawing Image PDF.exe RegSvcs.exe PID 948 wrote to memory of 1228 948 Drawing Image PDF.exe RegSvcs.exe PID 948 wrote to memory of 1228 948 Drawing Image PDF.exe RegSvcs.exe PID 948 wrote to memory of 1228 948 Drawing Image PDF.exe RegSvcs.exe PID 948 wrote to memory of 1228 948 Drawing Image PDF.exe RegSvcs.exe PID 948 wrote to memory of 1228 948 Drawing Image PDF.exe RegSvcs.exe PID 948 wrote to memory of 1228 948 Drawing Image PDF.exe RegSvcs.exe PID 948 wrote to memory of 1228 948 Drawing Image PDF.exe RegSvcs.exe PID 948 wrote to memory of 1228 948 Drawing Image PDF.exe RegSvcs.exe PID 1256 wrote to memory of 1744 1256 Explorer.EXE cscript.exe PID 1256 wrote to memory of 1744 1256 Explorer.EXE cscript.exe PID 1256 wrote to memory of 1744 1256 Explorer.EXE cscript.exe PID 1256 wrote to memory of 1744 1256 Explorer.EXE cscript.exe PID 1744 wrote to memory of 708 1744 cscript.exe cmd.exe PID 1744 wrote to memory of 708 1744 cscript.exe cmd.exe PID 1744 wrote to memory of 708 1744 cscript.exe cmd.exe PID 1744 wrote to memory of 708 1744 cscript.exe cmd.exe PID 1744 wrote to memory of 1740 1744 cscript.exe Firefox.exe PID 1744 wrote to memory of 1740 1744 cscript.exe Firefox.exe PID 1744 wrote to memory of 1740 1744 cscript.exe Firefox.exe PID 1744 wrote to memory of 1740 1744 cscript.exe Firefox.exe PID 1744 wrote to memory of 1740 1744 cscript.exe Firefox.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Drawing Image PDF.exe"C:\Users\Admin\AppData\Local\Temp\Drawing Image PDF.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cscript.exe"C:\Windows\SysWOW64\cscript.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/708-72-0x0000000000000000-mapping.dmp
-
memory/948-54-0x0000000000F90000-0x0000000001048000-memory.dmpFilesize
736KB
-
memory/948-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmpFilesize
8KB
-
memory/948-56-0x0000000000540000-0x000000000054A000-memory.dmpFilesize
40KB
-
memory/948-57-0x0000000005410000-0x0000000005494000-memory.dmpFilesize
528KB
-
memory/948-58-0x00000000005B0000-0x00000000005E2000-memory.dmpFilesize
200KB
-
memory/1228-66-0x00000000008A0000-0x0000000000BA3000-memory.dmpFilesize
3.0MB
-
memory/1228-59-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1228-63-0x000000000041F680-mapping.dmp
-
memory/1228-65-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1228-60-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1228-67-0x0000000000220000-0x0000000000231000-memory.dmpFilesize
68KB
-
memory/1228-62-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/1256-68-0x0000000006600000-0x00000000066E7000-memory.dmpFilesize
924KB
-
memory/1256-75-0x00000000068D0000-0x00000000069CA000-memory.dmpFilesize
1000KB
-
memory/1256-77-0x00000000068D0000-0x00000000069CA000-memory.dmpFilesize
1000KB
-
memory/1744-69-0x0000000000000000-mapping.dmp
-
memory/1744-70-0x00000000002B0000-0x00000000002D2000-memory.dmpFilesize
136KB
-
memory/1744-71-0x00000000001D0000-0x00000000001FC000-memory.dmpFilesize
176KB
-
memory/1744-73-0x0000000001F90000-0x0000000002293000-memory.dmpFilesize
3.0MB
-
memory/1744-74-0x00000000004A0000-0x0000000000530000-memory.dmpFilesize
576KB
-
memory/1744-76-0x00000000001D0000-0x00000000001FC000-memory.dmpFilesize
176KB