Overview

Static

- 1033.exe: windows10-2004-x64
- 1034.exe: windows10-2004-x64
- 1035.exe: windows10-2004-x64
- 1036.exe: windows10-2004-x64
- 1037.exe: windows10-2004-x64
- 1038.exe: windows10-2004-x64
- 1039.exe: windows10-2004-x64
- 1040.exe: windows10-2004-x64
- 1041.exe: windows10-2004-x64
- 1042.exe: windows10-2004-x64
- 1043.exe: windows10-2004-x64
- 1044.exe: windows10-2004-x64
- 1045.exe: windows10-2004-x64
- 1046.exe: windows10-2004-x64
Analysis

- max time kernel: 160s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-09-2022 03:27
Behavioral tasks

- behavioral1: sample 33.exe, resource win10v2004-20220812-en
- behavioral2: sample 34.exe, resource win10v2004-20220901-en
- behavioral3: sample 35.exe, resource win10v2004-20220812-en
- behavioral4: sample 36.exe, resource win10v2004-20220812-en
- behavioral5: sample 37.exe, resource win10v2004-20220901-en
- behavioral6: sample 38.exe, resource win10v2004-20220812-en
- behavioral7: sample 39.exe, resource win10v2004-20220812-en
- behavioral8: sample 40.exe, resource win10v2004-20220901-en
- behavioral9: sample 41.exe, resource win10v2004-20220812-en
- behavioral10: sample 42.exe, resource win10v2004-20220812-en
- behavioral11: sample 43.exe, resource win10v2004-20220901-en
- behavioral12: sample 44.exe, resource win10v2004-20220812-en
- behavioral13: sample 45.exe, resource win10v2004-20220812-en
General

- Target: 41.exe
- Size: 176KB
- MD5: 228b0bc29a751779e97f60e14a1b9f57
- SHA1: 0c735257db6d9afc8ee6a656a8634310411a049f
- SHA256: 5480ecfb5e60326a88fe45eb2adf3d9bc67e26fc2fc7800609a467e6a5f77444
- SHA512: 9a22551428299be14f05dfe3f0f1d710a1a15b794da3e0671abadd934fc576ba022458579d73cfe777c3599fd3c8859c118fa1b632cc7ce2c67108ad42af95f1
- SSDEEP: 3072:yTjyF3P55Z+0IhW59LQUlOsdZNjIZfR5/VUmhFaIItneeVw65z:33h5JI8LQKj3NjIZfR5/uCFaIItlVw6
Malware Config

Signatures

Xloader payload (2 IoCs)
Processes (resource / yara_rule):
- behavioral9/memory/4928-138-0x0000000000C00000-0x0000000000C2C000-memory.dmp / xloader
- behavioral9/memory/4928-140-0x0000000000C00000-0x0000000000C2C000-memory.dmp / xloader
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
- Key created / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run / cmstp.exe
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\C0ST8PIXTHQ = "C:\\Program Files (x86)\\Fqra\\phn0in_6zpl8lh.exe" / cmstp.exe
Blocklisted process makes network request (3 IoCs)
Processes (flow / pid / process):
- 48 / 4928 / cmstp.exe
- 52 / 4928 / cmstp.exe
- 79 / 4928 / cmstp.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
- Key value queried / \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation / 41.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of SetThreadContext (2 IoCs)
Processes (description / pid / process / target process):
- PID 380 set thread context of 3092 / 380 / 41.exe / Explorer.EXE
- PID 4928 set thread context of 3092 / 4928 / cmstp.exe / Explorer.EXE
Drops file in Program Files directory (1 IoCs)
Processes (description / ioc / process):
- File opened for modification / C:\Program Files (x86)\Fqra\phn0in_6zpl8lh.exe / cmstp.exe

Modifies Internet Explorer settings
Processes (description / ioc / process):
- Key created / \Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 / cmstp.exe
Suspicious behavior: EnumeratesProcesses (58 IoCs)
Processes (pid / process):
- 380 / 41.exe (4 entries)
- 4928 / cmstp.exe (the remaining 54 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid / process):
- 3092 / Explorer.EXE
Suspicious behavior: MapViewOfSection (6 IoCs)
Processes (pid / process):
- 380 / 41.exe
- 380 / 41.exe
- 380 / 41.exe
- 4928 / cmstp.exe
- 4928 / cmstp.exe
- 4928 / cmstp.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege / 380 / 41.exe
- Token: SeDebugPrivilege / 4928 / cmstp.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description / pid / process / target process):
- PID 3092 wrote to memory of 4928 / 3092 / Explorer.EXE / cmstp.exe
- PID 3092 wrote to memory of 4928 / 3092 / Explorer.EXE / cmstp.exe
- PID 3092 wrote to memory of 4928 / 3092 / Explorer.EXE / cmstp.exe
- PID 4928 wrote to memory of 1288 / 4928 / cmstp.exe / cmd.exe
- PID 4928 wrote to memory of 1288 / 4928 / cmstp.exe / cmd.exe
- PID 4928 wrote to memory of 1288 / 4928 / cmstp.exe / cmd.exe
- PID 4928 wrote to memory of 2312 / 4928 / cmstp.exe / Firefox.exe
- PID 4928 wrote to memory of 2312 / 4928 / cmstp.exe / Firefox.exe
System policy modification (1 TTPs, 1 IoCs)
Processes (description / ioc / process):
- Key created / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer / cmstp.exe
Processes

(level 1) C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  (level 2) C:\Users\Admin\AppData\Local\Temp\41.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\41.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken

  (level 2) C:\Windows\SysWOW64\cmstp.exe
    Command line: "C:\Windows\SysWOW64\cmstp.exe"
    - Adds policy Run key to start application
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    (level 3) C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\41.exe"

    (level 3) C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- memory/380-132-0x0000000000AC0000-0x0000000000E0A000-memory.dmp (Filesize 3.3MB)
- memory/380-133-0x00000000005F0000-0x0000000000601000-memory.dmp (Filesize 68KB)
- memory/1288-136-0x0000000000000000-mapping.dmp
- memory/3092-134-0x0000000007CD0000-0x0000000007D99000-memory.dmp (Filesize 804KB)
- memory/3092-142-0x0000000008620000-0x0000000008792000-memory.dmp (Filesize 1.4MB)
- memory/3092-143-0x0000000008620000-0x0000000008792000-memory.dmp (Filesize 1.4MB)
- memory/4928-135-0x0000000000000000-mapping.dmp
- memory/4928-137-0x00000000008C0000-0x00000000008D6000-memory.dmp (Filesize 88KB)
- memory/4928-139-0x0000000002B40000-0x0000000002E8A000-memory.dmp (Filesize 3.3MB)
- memory/4928-138-0x0000000000C00000-0x0000000000C2C000-memory.dmp (Filesize 176KB)
- memory/4928-140-0x0000000000C00000-0x0000000000C2C000-memory.dmp (Filesize 176KB)
- memory/4928-141-0x00000000028E0000-0x0000000002970000-memory.dmp (Filesize 576KB)