Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-07-2022 06:15
- Static task: static1
- Behavioral task: behavioral1
- Sample: 55f9aca129149b9bfd4e9685cf1e52b394dda7b2a47a3f989e46f12e5c306907.exe
- Resource: win7-20220718-en
General
- Target: 55f9aca129149b9bfd4e9685cf1e52b394dda7b2a47a3f989e46f12e5c306907.exe
- Size: 655KB
- MD5: 52c7af6bc13670eb0b4b830d4f60fd7b
- SHA1: b6d3c5f7f912ef524dc7e2679a6e205a0fb88b13
- SHA256: 55f9aca129149b9bfd4e9685cf1e52b394dda7b2a47a3f989e46f12e5c306907
- SHA512: 6f6a0482962d39e3bd5fedf8c3db14607fc0cce81b544df5578aa8f408a18c106b58c5d8b7c8fdd5e8cafac30477a892cd3203cb452fd321d8e2397baa850bae
Malware Config
Extracted
- Family: xloader
- Version: 2.3
- Campaign: o8g5
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader payload 4 IoCs
Processes:
resource                                                                  yara_rule
behavioral2/memory/4692-137-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral2/memory/4692-142-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral2/memory/4848-146-0x0000000000770000-0x0000000000799000-memory.dmp  xloader
behavioral2/memory/4848-150-0x0000000000770000-0x0000000000799000-memory.dmp  xloader
Executes dropped EXE 2 IoCs
Processes:
pid   process
3576  ffgnb.exe
4692  d11bbh6a.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
description                           pid   process       target process
PID 3576 set thread context of 4692   3576  ffgnb.exe     d11bbh6a.exe
PID 4692 set thread context of 2164   4692  d11bbh6a.exe  Explorer.EXE
PID 4848 set thread context of 2164   4848  NETSTAT.EXE   Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
pid   process
4848  NETSTAT.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (64 hits in total, grouped by process):
pid   process       hits
3576  ffgnb.exe     8
4692  d11bbh6a.exe  4
4848  NETSTAT.EXE   52
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
2164  Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid   process
3576  ffgnb.exe
4692  d11bbh6a.exe
4692  d11bbh6a.exe
4692  d11bbh6a.exe
4848  NETSTAT.EXE
4848  NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  4692  d11bbh6a.exe
Token: SeDebugPrivilege  4848  NETSTAT.EXE
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
description                        pid   process                                                                   target process
PID 4392 wrote to memory of 3576   4392  55f9aca129149b9bfd4e9685cf1e52b394dda7b2a47a3f989e46f12e5c306907.exe  ffgnb.exe
PID 4392 wrote to memory of 3576   4392  55f9aca129149b9bfd4e9685cf1e52b394dda7b2a47a3f989e46f12e5c306907.exe  ffgnb.exe
PID 4392 wrote to memory of 3576   4392  55f9aca129149b9bfd4e9685cf1e52b394dda7b2a47a3f989e46f12e5c306907.exe  ffgnb.exe
PID 3576 wrote to memory of 4692   3576  ffgnb.exe                                                                 d11bbh6a.exe
PID 3576 wrote to memory of 4692   3576  ffgnb.exe                                                                 d11bbh6a.exe
PID 3576 wrote to memory of 4692   3576  ffgnb.exe                                                                 d11bbh6a.exe
PID 3576 wrote to memory of 4692   3576  ffgnb.exe                                                                 d11bbh6a.exe
PID 2164 wrote to memory of 4848   2164  Explorer.EXE                                                              NETSTAT.EXE
PID 2164 wrote to memory of 4848   2164  Explorer.EXE                                                              NETSTAT.EXE
PID 2164 wrote to memory of 4848   2164  Explorer.EXE                                                              NETSTAT.EXE
PID 4848 wrote to memory of 4900   4848  NETSTAT.EXE                                                               cmd.exe
PID 4848 wrote to memory of 4900   4848  NETSTAT.EXE                                                               cmd.exe
PID 4848 wrote to memory of 4900   4848  NETSTAT.EXE                                                               cmd.exe
Processes
-
Process tree (the leading number is the depth in the tree):

1 C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  2 C:\Users\Admin\AppData\Local\Temp\55f9aca129149b9bfd4e9685cf1e52b394dda7b2a47a3f989e46f12e5c306907.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\55f9aca129149b9bfd4e9685cf1e52b394dda7b2a47a3f989e46f12e5c306907.exe"
    - Suspicious use of WriteProcessMemory

    3 C:\Users\Admin\AppData\Local\Temp\ffgnb.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\ffgnb.exe C:\Users\Admin\AppData\Local\Temp\yttpclsuz.un
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      4 C:\Users\Admin\AppData\Local\Temp\d11bbh6a.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\ffgnb.exe C:\Users\Admin\AppData\Local\Temp\yttpclsuz.un
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  2 C:\Windows\SysWOW64\NETSTAT.EXE
    Command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    3 C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\d11bbh6a.exe"
Downloads
-
C:\Users\Admin\AppData\Local\Temp\d11bbh6a.exe
  Filesize: 872KB
  MD5: 535dd1329aef11bf4654b3270f026d5b
  SHA1: 9c84de0bde8333f852120ab40710545b3f799300
  SHA256: b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955
  SHA512: a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc
-
C:\Users\Admin\AppData\Local\Temp\ffgnb.exe
  Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
C:\Users\Admin\AppData\Local\Temp\lijkyiskt.wb
  Filesize: 161KB
  MD5: 435a073304527536e8a4bd1ae42f0758
  SHA1: dd0d1940a2296bd300d4616950cdeccde490fc55
  SHA256: cf42f72db083c9cb43c7a079fb78285204c5049dfee5d5500ee7af21d2750560
  SHA512: 35404d899ecd17156bf4abd40272efd56cd973408df79c5c6e3f37da0aefeae9b80188eff28ed8dbdeb2e408922da0007461c808db892e118f15a2d27e4283a4
-
C:\Users\Admin\AppData\Local\Temp\yttpclsuz.un
  Filesize: 320KB
  MD5: ca41cb20cdf27dc176635396d890b37a
  SHA1: c0f0be5e238f5ae58fcfe48ce3293527bd446c5f
  SHA256: 414fa3842e5ef26c75893358286177912e5c288f7d3988fe524ff813ee90ad8f
  SHA512: 536e5841c351301f6774a61578bd0f57d9e91fdf5b345a1d56e1aed8f76c3dba7a63e07917de8bff9b0bdd3ca9cf9a259c1ca9902373873940143deeb29511c1
-
Memory dumps:
- memory/2164-140-0x0000000002B00000-0x0000000002BB5000-memory.dmp (Filesize: 724KB)
- memory/2164-151-0x0000000002D40000-0x0000000002DF5000-memory.dmp (Filesize: 724KB)
- memory/2164-149-0x0000000002D40000-0x0000000002DF5000-memory.dmp (Filesize: 724KB)
- memory/3576-130-0x0000000000000000-mapping.dmp
- memory/4692-135-0x0000000000000000-mapping.dmp
- memory/4692-142-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/4692-139-0x0000000000180000-0x0000000000190000-memory.dmp (Filesize: 64KB)
- memory/4692-138-0x0000000000E60000-0x00000000011AA000-memory.dmp (Filesize: 3.3MB)
- memory/4692-137-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/4848-141-0x0000000000000000-mapping.dmp
- memory/4848-145-0x0000000000910000-0x000000000091B000-memory.dmp (Filesize: 44KB)
- memory/4848-147-0x0000000001100000-0x000000000144A000-memory.dmp (Filesize: 3.3MB)
- memory/4848-146-0x0000000000770000-0x0000000000799000-memory.dmp (Filesize: 164KB)
- memory/4848-148-0x0000000001010000-0x000000000109F000-memory.dmp (Filesize: 572KB)
- memory/4848-150-0x0000000000770000-0x0000000000799000-memory.dmp (Filesize: 164KB)
- memory/4900-144-0x0000000000000000-mapping.dmp