Analysis Overview
SHA256
d036c4b1a4ff6265030084d453558c56f6a2d19b5a6af25943c47bc96895891c
Threat Level: Known bad
The file d036c4b1a4ff6265030084d453558c56f6a2d19b5a6af25943c47bc96895891c was found to be: Known bad.
Malicious Activity Summary
Formbook
Xloader
Xloader payload
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Program crash
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Modifies Internet Explorer settings
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-25 20:02
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-25 20:02
Reported
2023-01-25 20:04
Platform
win10v2004-20221111-en
Max time kernel
149s
Max time network
149s
Signatures
Formbook
Xloader
Xloader payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\D8p8xnhtp\st3dufwclv.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\V0XPQ2EPL8 = "C:\\Program Files (x86)\\D8p8xnhtp\\st3dufwclv.exe" | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1436 set thread context of 3484 | N/A | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe |
| PID 3484 set thread context of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | C:\Windows\Explorer.EXE |
| PID 1732 set thread context of 2584 | N/A | C:\Windows\SysWOW64\chkdsk.exe | C:\Windows\Explorer.EXE |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\D8p8xnhtp\st3dufwclv.exe | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\D8p8xnhtp | C:\Windows\Explorer.EXE | N/A |
| File created | C:\Program Files (x86)\D8p8xnhtp\st3dufwclv.exe | C:\Windows\Explorer.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\D8p8xnhtp\st3dufwclv.exe | C:\Windows\Explorer.EXE | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files (x86)\D8p8xnhtp\st3dufwclv.exe |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\d036c4b1a4ff6265030084d453558c56f6a2d19b5a6af25943c47bc96895891c.exe
"C:\Users\Admin\AppData\Local\Temp\d036c4b1a4ff6265030084d453558c56f6a2d19b5a6af25943c47bc96895891c.exe"
C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
"C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe" C:\Users\Admin\AppData\Local\Temp\ucpha.v
C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe
"C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe"
C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\xnozsgld.exe"
C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
C:\Program Files (x86)\D8p8xnhtp\st3dufwclv.exe
"C:\Program Files (x86)\D8p8xnhtp\st3dufwclv.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1360 -ip 1360
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 468
Network
Files