Analysis
- max time kernel: 142s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 05-10-2022 00:28
Static task: static1
Behavioral task: behavioral1
- Sample: RLOI JS01-2.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: RLOI JS01-2.exe
- Resource: win10v2004-20220812-en
General
- Target: RLOI JS01-2.exe
- Size: 370KB
- MD5: 82773c3d9fe4c2aecf34451f482e29c4
- SHA1: 6051b7f6a267911b4536c8c467b7237ccfd0cece
- SHA256: c48c54a2b2b453e86b248a1ea9dbfe0d5b533db99e431dc8635c2763420c1afd
- SHA512: e7c9eb748f5f1531273475afd563dd6e7da3a1731f7835d0b3b613675aa9065539f00fb320fe121f1999d012b4e7c9a9c220868e09533331b8d4dd0e0953a016
- SSDEEP: 6144:lTouKrWBEu3/Z2lpGDHU3ykJ1tC/cr+GM3qnWEbhGi:lToPWBv/cpGrU3y8tGclMreX
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: xbadflzhw.exe (PID 976)
- Loads dropped DLL (7 IoCs)
  Processes: RLOI JS01-2.exe (PID 1204, 5 loads); xbadflzhw.exe (PID 976); xbadflzhw.exe (PID 1504)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Registry keys opened by xbadflzhw.exe:
  - \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
  - \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  - \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
- Suspicious use of SetThreadContext (1 IoC)
  xbadflzhw.exe (PID 976) set thread context of xbadflzhw.exe (PID 1504)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, xbadflzhw.exe (PID 1504)
- Suspicious use of WriteProcessMemory (9 IoCs)
  - RLOI JS01-2.exe (PID 1204) wrote to memory of xbadflzhw.exe (PID 976), 4 times
  - xbadflzhw.exe (PID 976) wrote to memory of xbadflzhw.exe (PID 1504), 5 times
- outlook_office_path (1 IoC)
  Key opened by xbadflzhw.exe: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- outlook_win_path (1 IoC)
  Key opened by xbadflzhw.exe: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
- "C:\Users\Admin\AppData\Local\Temp\RLOI JS01-2.exe" (PID 1204)
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - "C:\Users\Admin\AppData\Local\Temp\xbadflzhw.exe" (PID 976, child of 1204)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - "C:\Users\Admin\AppData\Local\Temp\xbadflzhw.exe" (PID 1504, child of 976)
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\cbxzgdpwgp.f
  Filesize: 4KB
  MD5: abd574f1939214a11f1da45515793443
  SHA1: ab409b781452345c431deb3f2d57864fa96b284d
  SHA256: b7a19a9d2efd461d66706c5e86397c6e1625e6fad4ac2302258f3f9e7d4ae90b
  SHA512: 129ca74cd491040c8b3f4d2a4cfa41ec02c6ae093331a970dcdbc2c0fa06038f471739701f7101236af8d994253c66604c4a33e0bdf68730ad3ee037ff9ba3a5
- C:\Users\Admin\AppData\Local\Temp\xbadflzhw.exe
  Filesize: 5KB
  MD5: 72799033862c59dd05e3f9f4d8d207b1
  SHA1: 35213e76519590866a0438e2aad3f8f9676bcde6
  SHA256: 3d7d31595a832c1639140e4dbb4087302cb6a165208ecf897530394ae61c0a14
  SHA512: b71029cbcecc1ecb70d36e5917f1011ac655448f8a28c8af02a8a8bfebb57acb57b52a0b6fa7195fca990e4375cb9354d1f1b93e3a0bae601a965c472d457b01
- C:\Users\Admin\AppData\Local\Temp\yzoshoiydx.q
  Filesize: 104KB
  MD5: 9be9047854d35fe77b8bb9f3f4b5ba3d
  SHA1: 9f3cf7f31e3c97481af049c5556f0b1d86300fb1
  SHA256: bbe16f8662580d956ebb86f4d9342bbdb4ae7dd23d60b0db4dff2f91a36ce738
  SHA512: 04cba44edc77957ca3fe6452d6c5af2ed0abbeb686505418761bd11c9832bd8b8b4c30c0c3e4679e8a061e6bfa8404a0a809676e6eb97bd46f86c523370af5f9
- \Users\Admin\AppData\Local\Temp\xbadflzhw.exe
  Filesize: 5KB
  MD5: 72799033862c59dd05e3f9f4d8d207b1
  SHA1: 35213e76519590866a0438e2aad3f8f9676bcde6
  SHA256: 3d7d31595a832c1639140e4dbb4087302cb6a165208ecf897530394ae61c0a14
  SHA512: b71029cbcecc1ecb70d36e5917f1011ac655448f8a28c8af02a8a8bfebb57acb57b52a0b6fa7195fca990e4375cb9354d1f1b93e3a0bae601a965c472d457b01
- memory/976-60-0x0000000000000000-mapping.dmp
- memory/1204-54-0x0000000074E41000-0x0000000074E43000-memory.dmp
  Filesize: 8KB
- memory/1504-66-0x00000000004139DE-mapping.dmp