Analysis
- max time kernel: 218s
- max time network: 271s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 14:55

Static task: static1
Behavioral task: behavioral1
- Sample: doc001876543456781987651000_pdf .exe
- Resource: win7-20221111-en
General
- Target: doc001876543456781987651000_pdf .exe
- Size: 857KB
- MD5: 862a815ffdf58d6c2ae62a2948658e74
- SHA1: df09b761005eba5e45cc3c1503cf2761077d4c49
- SHA256: c40018a8c58d463f829a97d5c5280c2b5292573cbd321f042e7225db4bff6d95
- SHA512: 95a79ac52b0b36b4232fdd7a49dca9dfd1be0ae5bc9ae98020e4150e8c8d5859103cf8a7d07773f86ee1841939817022071f46e7893c09826ff204ceab690099
- SSDEEP: 12288:L2/pKmJAagHvRnAmqgc/SdORHmV1ujAcV0szEZbnRQuNbNhPDDSXG:L2/pL+RvCT/SoRHmKgszEZNZH4G

The file name mimics a PDF document; the space before ".exe" is part of the real name (the self-delete command below quotes it) and must be kept when matching on it.
Malware Config
Extracted
- Family: xloader
- Version: 2.6
- Campaign: b6qc
- Domains (65 listed below). XLoader, like Formbook before it, carries a list of decoy domains with the live C2 hidden among them, so treat this list as mixed: confirm which host actually receives beacon traffic before blocking or attributing on it wholesale.
etofood.com
bigtimberroofingnc.com
jacque.doctor
9588uy.site
nosceremonies-lefilm.com
xposetattoosjaipur.com
universalwebbinq.com
klthealthfrancesarl.com
tinyhome.deals
neroivr.com
floridaappeals.net
vladartsmith.com
chatbothealthcare.com
akutansi.online
appointmentcart.com
vertue.xyz
healthplanslakeland.com
es-verification.biz
thatsod.com
521ini.xyz
tarjeteala.store
qamst.com
solutionard.com
ru-xvideos.mobi
resco-pe.com
betmonde581.com
mortgagethru.com
agrimin.store
cateringwarszawa.online
ip-art-gallery.com
rajfillters.com
biwbuyingnow.website
farmdogcanada.com
sdsgmsqnlxs.com
fa1028.xyz
flyvr.xyz
e-lovac.com
creambuyonline.com
payment-travel.com
qfort.xyz
blueskycr.com
plasterprostucco.com
frontflipmarketing.com
jsq2.com
billsweb.site
huafeishiye217.com
pegtarazimod.info
emergencytowingoakforest.com
ptzcnq.com
cd-packaging-solutions.com
faqelectronics.website
xynf03.com
quititamorn.com
nownon.com
dachik.com
hendrecords.com
ready4charging.com
warnor.world
www6658yy.com
scentedejuice.com
goonerfodder.com
outcastclass.com
esmicasasv.com
peopleshous.com
cloudinfra-demo1.net
Signatures

Xloader payload 5 IoCs
Memory dumps matching the xloader YARA rule (resource: rule):
- behavioral1/memory/1952-62-0x0000000000400000-0x000000000042B000-memory.dmp: xloader
- behavioral1/memory/1952-63-0x000000000041F310-mapping.dmp: xloader
- behavioral1/memory/1952-65-0x0000000000400000-0x000000000042B000-memory.dmp: xloader
- behavioral1/memory/928-71-0x0000000000070000-0x000000000009B000-memory.dmp: xloader
- behavioral1/memory/928-76-0x0000000000070000-0x000000000009B000-memory.dmp: xloader
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes: wscript.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (wscript.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\XTXXEX50_D9 = "C:\\Program Files (x86)\\Bd0h4kzi\\winrfih0.exe" (wscript.exe)
The autostart lives under Policies\Explorer\Run rather than the usual CurrentVersion\Run, so a persistence sweep that only reads Run and RunOnce misses it. The doubled backslashes are the report's string escaping, not part of the path.
Deletes itself 1 IoCs
Processes:
- 684 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 3 IoCs
Processes: doc001876543456781987651000_pdf .exe, wscript.exe
- PID 856 (doc001876543456781987651000_pdf .exe) set thread context of 1952 (doc001876543456781987651000_pdf .exe)
- PID 1952 (doc001876543456781987651000_pdf .exe) set thread context of 1236 (Explorer.EXE)
- PID 928 (wscript.exe) set thread context of 1236 (Explorer.EXE)
Drops file in Program Files directory 1 IoCs
Processes: wscript.exe
- File opened for modification: C:\Program Files (x86)\Bd0h4kzi\winrfih0.exe (wscript.exe)

Modifies Internet Explorer settings 1 IoCs
Processes: wscript.exe
- Key created: \Registry\User\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (wscript.exe)
IntelliForms\Storage2 is where Internet Explorer keeps saved form and credential autocomplete entries, which is consistent with the browser-data signature above.
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
- 1952 doc001876543456781987651000_pdf .exe (2 events)
- 928 wscript.exe (7 events)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- 1236 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
- 1952 doc001876543456781987651000_pdf .exe (3 events)
- 928 wscript.exe (4 events)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: doc001876543456781987651000_pdf .exe, wscript.exe
- Token SeDebugPrivilege: 1952 doc001876543456781987651000_pdf .exe
- Token SeDebugPrivilege: 928 wscript.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
- 1236 Explorer.EXE (2 events)
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
- 1236 Explorer.EXE (2 events)
Suspicious use of WriteProcessMemory 20 IoCs
Processes: doc001876543456781987651000_pdf .exe, Explorer.EXE, wscript.exe
- PID 856 (doc001876543456781987651000_pdf .exe) wrote to memory of 1952 (doc001876543456781987651000_pdf .exe): 7 events
- PID 1236 (Explorer.EXE) wrote to memory of 928 (wscript.exe): 4 events
- PID 928 (wscript.exe) wrote to memory of 684 (cmd.exe): 4 events
- PID 928 (wscript.exe) wrote to memory of 1188 (Firefox.exe): 5 events
System policy modification 1 TTPs 1 IoCs
Processes: wscript.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (wscript.exe)
Processes

depth 1: C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  depth 2: C:\Users\Admin\AppData\Local\Temp\doc001876543456781987651000_pdf .exe
    command line: "C:\Users\Admin\AppData\Local\Temp\doc001876543456781987651000_pdf .exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    depth 3: C:\Users\Admin\AppData\Local\Temp\doc001876543456781987651000_pdf .exe
      command line: "C:\Users\Admin\AppData\Local\Temp\doc001876543456781987651000_pdf .exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  depth 2: C:\Windows\SysWOW64\wscript.exe
    command line: "C:\Windows\SysWOW64\wscript.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    depth 3: C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\doc001876543456781987651000_pdf .exe"
      - Deletes itself

    depth 3: C:\Program Files\Mozilla Firefox\Firefox.exe
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
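Read together with the tree, the SetThreadContext and WriteProcessMemory IoCs give the injection path: the dropper (PID 856) writes into and redirects a second copy of itself (1952), which takes over Explorer.EXE (1236); Explorer then starts wscript.exe (928), which writes into cmd.exe (684) and Firefox.exe (1188). The Python below is an added example, not part of the sandbox report or of any tool it names. It parses the report's flattened event text (copied here as constructed input, with each repeated line multiplied out by the count the report gives), rebuilds that chain from the dropper down, and labels every source/target pair by which primitives the sandbox recorded. The "context-only" label on both pairs that target Explorer.EXE is the detail worth noticing: no WriteProcessMemory was logged for them, which is consistent with the MapViewOfSection signature on those same two source processes rather than with a plain write-then-redirect hollowing.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Constructed input: the event text of the report's "Suspicious use of
# SetThreadContext" (3 IoCs) and "Suspicious use of WriteProcessMemory"
# (20 IoCs) sections, as the sandbox flattens them: each event reads
# "PID <src> <verb> <dst> <src> <src name> <dst name>" and the events run
# together on one line. The repeat counts are the report's own.
SET_THREAD_CONTEXT_BLOB = (
    "PID 856 set thread context of 1952 856 doc001876543456781987651000_pdf .exe "
    "doc001876543456781987651000_pdf .exe "
    "PID 1952 set thread context of 1236 1952 doc001876543456781987651000_pdf .exe Explorer.EXE "
    "PID 928 set thread context of 1236 928 wscript.exe Explorer.EXE"
)
WRITE_PROCESS_MEMORY_BLOB = (
    ("PID 856 wrote to memory of 1952 856 doc001876543456781987651000_pdf .exe "
     "doc001876543456781987651000_pdf .exe ") * 7
    + "PID 1236 wrote to memory of 928 1236 Explorer.EXE wscript.exe " * 4
    + "PID 928 wrote to memory of 684 928 wscript.exe cmd.exe " * 4
    + "PID 928 wrote to memory of 1188 928 wscript.exe Firefox.exe " * 5
)

class Event(NamedTuple):
    src: int
    verb: str   # "set thread context of" | "wrote to memory of"
    dst: int
    src_name: str
    dst_name: str

# Process names may contain spaces ("..._pdf .exe"), so the two names are
# split at their first ".exe" rather than on whitespace.
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_name>.+?\.exe) (?P<dst_name>.+?\.exe)$",
    re.IGNORECASE,
)

def parse_events(blob: str) -> List[Event]:
    """Cut a flattened IoC blob at every 'PID <n> ' and parse each event."""
    events = []
    for chunk in re.split(r"(?=PID \d+ )", blob):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = EVENT_RE.match(chunk)
        if m is None:
            raise ValueError(f"unparsed event: {chunk!r}")
        events.append(Event(int(m["src"]), m["verb"].lower(), int(m["dst"]),
                            m["src_name"], m["dst_name"]))
    return events

EVENTS = parse_events(SET_THREAD_CONTEXT_BLOB + " " + WRITE_PROCESS_MEMORY_BLOB)

def pid_names(events: List[Event]) -> Dict[int, str]:
    """PID -> image name, taken from the first event that mentions the PID."""
    names: Dict[int, str] = {}
    for e in events:
        names.setdefault(e.src, e.src_name)
        names.setdefault(e.dst, e.dst_name)
    return names

def classify_pairs(events: List[Event]) -> Dict[Tuple[int, int], str]:
    """Label each (source, target) pair by the primitives the sandbox recorded."""
    seen: Dict[Tuple[int, int], set] = {}
    for e in events:
        seen.setdefault((e.src, e.dst), set()).add(e.verb)
    labels = {}
    for pair, verbs in seen.items():
        wrote = "wrote to memory of" in verbs
        ctx = "set thread context of" in verbs
        if wrote and ctx:
            labels[pair] = "write+context"   # write an image, then redirect a thread into it
        elif ctx:
            labels[pair] = "context-only"    # thread redirected with no recorded write
        else:
            labels[pair] = "write-only"
    return labels

def find_root(events: List[Event]) -> int:
    """The one PID that injects but is never injected into: the dropper."""
    roots = sorted({e.src for e in events} - {e.dst for e in events})
    if len(roots) != 1:
        raise ValueError(f"expected a single root, got {roots}")
    return roots[0]

def injection_chain(events: List[Event]) -> List[int]:
    """Depth-first walk over src->dst edges from the root, edges in first-seen order."""
    adj: Dict[int, List[int]] = {}
    for e in events:
        targets = adj.setdefault(e.src, [])
        if e.dst not in targets:
            targets.append(e.dst)
    order: List[int] = []
    def walk(pid: int) -> None:
        order.append(pid)
        for nxt in adj.get(pid, []):
            if nxt not in order:
                walk(nxt)
    walk(find_root(events))
    return order

if __name__ == "__main__":
    names = pid_names(EVENTS)
    print(" -> ".join(f"{p} {names[p]}" for p in injection_chain(EVENTS)))
    counts = Counter((e.src, e.dst) for e in EVENTS)
    for pair, label in classify_pairs(EVENTS).items():
        print(f"{pair[0]} -> {pair[1]}: {label} ({counts[pair]} events)")
```

Run as a script it prints the chain 856 -> 1952 -> 1236 -> 928 -> 684 -> 1188 and one labelled line per pair. The same parser works on other reports in this format as long as every event names both processes with an ".exe" suffix; anything else raises rather than being silently skipped.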
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/684-73-0x0000000000000000-mapping.dmp
- memory/856-55-0x0000000075831000-0x0000000075833000-memory.dmp (Filesize 8KB)
- memory/856-56-0x0000000000960000-0x0000000000976000-memory.dmp (Filesize 88KB)
- memory/856-57-0x0000000005E30000-0x0000000005EBE000-memory.dmp (Filesize 568KB)
- memory/856-58-0x00000000042E0000-0x0000000004312000-memory.dmp (Filesize 200KB)
- memory/856-54-0x0000000000E00000-0x0000000000EDC000-memory.dmp (Filesize 880KB)
- memory/928-69-0x0000000000000000-mapping.dmp
- memory/928-71-0x0000000000070000-0x000000000009B000-memory.dmp (Filesize 172KB)
- memory/928-76-0x0000000000070000-0x000000000009B000-memory.dmp (Filesize 172KB)
- memory/928-74-0x00000000022A0000-0x0000000002330000-memory.dmp (Filesize 576KB)
- memory/928-70-0x00000000003A0000-0x00000000003C6000-memory.dmp (Filesize 152KB)
- memory/928-72-0x0000000001F90000-0x0000000002293000-memory.dmp (Filesize 3.0MB)
- memory/1236-78-0x00000000043D0000-0x00000000044BF000-memory.dmp (Filesize 956KB)
- memory/1236-68-0x0000000004C10000-0x0000000004D7A000-memory.dmp (Filesize 1.4MB)
- memory/1236-75-0x00000000043D0000-0x00000000044BF000-memory.dmp (Filesize 956KB)
- memory/1952-59-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize 172KB)
- memory/1952-67-0x0000000000140000-0x0000000000151000-memory.dmp (Filesize 68KB)
- memory/1952-66-0x00000000008D0000-0x0000000000BD3000-memory.dmp (Filesize 3.0MB)
- memory/1952-65-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize 172KB)
- memory/1952-63-0x000000000041F310-mapping.dmp
- memory/1952-62-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize 172KB)
- memory/1952-60-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize 172KB)
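The dump names encode the process, a sequence number and the address range (or, for mapping dumps, a single address), so the listed sizes can be checked against the ranges and the YARA hits from the Signatures section cross-referenced against them. The Python below is an added example, not the sandbox's own code. The DOWNLOADS list and the XLOADER_HITS set are copied from this report; the size-formatting rule (whole KB below 1 MB, one decimal MB above, 1024-based) is inferred from the report's own numbers and is an assumption. It shows two things the list alone does not make obvious: every region the xloader rule matched is the same 0x2B000 (172KB) block, sitting in 1952 at the usual 32-bit image base 0x400000 and in 928 at the non-image address 0x70000, and the single address in the 1952-63 mapping dump (0x41F310) falls inside that block.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed input: the report's Downloads list (dump name, size as printed;
# mapping dumps carry no size).
DOWNLOADS: List[Tuple[str, Optional[str]]] = [
    ("memory/684-73-0x0000000000000000-mapping.dmp", None),
    ("memory/856-55-0x0000000075831000-0x0000000075833000-memory.dmp", "8KB"),
    ("memory/856-56-0x0000000000960000-0x0000000000976000-memory.dmp", "88KB"),
    ("memory/856-57-0x0000000005E30000-0x0000000005EBE000-memory.dmp", "568KB"),
    ("memory/856-58-0x00000000042E0000-0x0000000004312000-memory.dmp", "200KB"),
    ("memory/856-54-0x0000000000E00000-0x0000000000EDC000-memory.dmp", "880KB"),
    ("memory/928-69-0x0000000000000000-mapping.dmp", None),
    ("memory/928-71-0x0000000000070000-0x000000000009B000-memory.dmp", "172KB"),
    ("memory/928-76-0x0000000000070000-0x000000000009B000-memory.dmp", "172KB"),
    ("memory/928-74-0x00000000022A0000-0x0000000002330000-memory.dmp", "576KB"),
    ("memory/928-70-0x00000000003A0000-0x00000000003C6000-memory.dmp", "152KB"),
    ("memory/928-72-0x0000000001F90000-0x0000000002293000-memory.dmp", "3.0MB"),
    ("memory/1236-78-0x00000000043D0000-0x00000000044BF000-memory.dmp", "956KB"),
    ("memory/1236-68-0x0000000004C10000-0x0000000004D7A000-memory.dmp", "1.4MB"),
    ("memory/1236-75-0x00000000043D0000-0x00000000044BF000-memory.dmp", "956KB"),
    ("memory/1952-59-0x0000000000400000-0x000000000042B000-memory.dmp", "172KB"),
    ("memory/1952-67-0x0000000000140000-0x0000000000151000-memory.dmp", "68KB"),
    ("memory/1952-66-0x00000000008D0000-0x0000000000BD3000-memory.dmp", "3.0MB"),
    ("memory/1952-65-0x0000000000400000-0x000000000042B000-memory.dmp", "172KB"),
    ("memory/1952-63-0x000000000041F310-mapping.dmp", None),
    ("memory/1952-62-0x0000000000400000-0x000000000042B000-memory.dmp", "172KB"),
    ("memory/1952-60-0x0000000000400000-0x000000000042B000-memory.dmp", "172KB"),
]
# "<pid>-<seq>" of the dumps the report's "Xloader payload" signature flagged.
XLOADER_HITS = {"1952-62", "1952-63", "1952-65", "928-71", "928-76"}

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)

class Dump(NamedTuple):
    pid: int
    seq: int
    kind: str            # "memory": an address range; "mapping": one address, no size
    start: int
    end: Optional[int]

    @property
    def size(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start

    @property
    def tag(self) -> str:
        return f"{self.pid}-{self.seq}"

def parse_dump(name: str) -> Dump:
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a sandbox dump name: {name!r}")
    end = int(m["end"], 16) if m["end"] else None
    return Dump(int(m["pid"]), int(m["seq"]), m["kind"], int(m["start"], 16), end)

def format_size(nbytes: int) -> str:
    """Assumed rule behind the report's size column: whole KB below 1 MB, else one decimal MB."""
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"

def check_sizes(entries: List[Tuple[str, Optional[str]]]) -> List[str]:
    """Names whose printed size disagrees with the address range in the name."""
    bad = []
    for name, printed in entries:
        d = parse_dump(name)
        if d.kind == "memory" and format_size(d.size) != printed:
            bad.append(name)
    return bad

def region_containing(entries, pid: int, addr: int) -> Optional[Dump]:
    """First dumped region of `pid` (in report order) that contains `addr`."""
    for name, _ in entries:
        d = parse_dump(name)
        if d.pid == pid and d.kind == "memory" and d.start <= addr < d.end:
            return d
    return None

def payload_sizes(entries, hits) -> set:
    """Distinct byte sizes of the region dumps the xloader YARA rule matched."""
    dumps = [parse_dump(name) for name, _ in entries]
    return {d.size for d in dumps if d.kind == "memory" and d.tag in hits}

if __name__ == "__main__":
    print("size mismatches:", check_sizes(DOWNLOADS) or "none")
    print("xloader region sizes:", sorted(hex(s) for s in payload_sizes(DOWNLOADS, XLOADER_HITS)))
    hit = region_containing(DOWNLOADS, 1952, 0x41F310)
    print("0x41F310 lies in", hit and f"{hit.tag} {hit.start:#x}-{hit.end:#x}")
```

A matching payload size across two processes is a cheap consistency check when carving the injected image out of the dumps: pull the 0x2B000 block from 1952-62 and 928-71 and compare them before spending time on either one.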