Analysis Overview
SHA256
7d850c7483817ae91c6b6dde59c22141b754d04ec2e0985ffcd85b08f2e9ae58
Threat Level: Known bad
The file 7d850c7483817ae91c6b6dde59c22141b754d04ec2e0985ffcd85b08f2e9ae58 was found to be: Known bad.
Malicious Activity Summary
Formbook
Xloader
Xloader payload
Blocklisted process makes network request
Adds policy Run key to start application
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
Drops file in Program Files directory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
System policy modification
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-19 07:32
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-19 07:32
Reported
2023-01-19 07:35
Platform
win7-20221111-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Formbook
Xloader
Xloader payload
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\cmstp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HZ7TPFNH_LH8 = "C:\\Program Files (x86)\\Lphsd\\userk6ql94x.exe" | C:\Windows\SysWOW64\cmstp.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmstp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmstp.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1736 set thread context of 944 | N/A | C:\Users\Admin\AppData\Local\Temp\7d850c7483817ae91c6b6dde59c22141b754d04ec2e0985ffcd85b08f2e9ae58.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
| PID 944 set thread context of 1220 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | C:\Windows\Explorer.EXE |
| PID 692 set thread context of 1220 | N/A | C:\Windows\SysWOW64\cmstp.exe | C:\Windows\Explorer.EXE |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Lphsd\userk6ql94x.exe | C:\Windows\SysWOW64\cmstp.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\cmstp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmstp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmstp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmstp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmstp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cmstp.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Windows\SysWOW64\cmstp.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\7d850c7483817ae91c6b6dde59c22141b754d04ec2e0985ffcd85b08f2e9ae58.exe
"C:\Users\Admin\AppData\Local\Temp\7d850c7483817ae91c6b6dde59c22141b754d04ec2e0985ffcd85b08f2e9ae58.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-19 07:32
Reported
2023-01-19 07:35
Platform
win10v2004-20220812-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Xloader
Xloader payload
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1264 set thread context of 1600 | N/A | C:\Users\Admin\AppData\Local\Temp\7d850c7483817ae91c6b6dde59c22141b754d04ec2e0985ffcd85b08f2e9ae58.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
| PID 1600 set thread context of 3048 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | C:\Windows\Explorer.EXE |
| PID 4340 set thread context of 3048 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7d850c7483817ae91c6b6dde59c22141b754d04ec2e0985ffcd85b08f2e9ae58.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\7d850c7483817ae91c6b6dde59c22141b754d04ec2e0985ffcd85b08f2e9ae58.exe
"C:\Users\Admin\AppData\Local\Temp\7d850c7483817ae91c6b6dde59c22141b754d04ec2e0985ffcd85b08f2e9ae58.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
Network
Files