Analysis Overview
SHA256
28775ce1bdb5ca7b38745997d9c843f3ff46143879a2cd9f9c5be68c0b238ceb
Threat Level: Known bad
The file 28775ce1bdb5ca7b38745997d9c843f3ff46143879a2cd9f9c5be68c0b238ceb was found to be: Known bad.
Malicious Activity Summary
Xloader family
Formbook
Formbook family
Xloader
Xloader payload
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Enumerates physical storage devices
NSIS installer
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-21 19:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-21 19:52
Reported
2024-11-21 19:55
Platform
win10v2004-20241007-en
Max time kernel
96s
Max time network
143s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5056 wrote to memory of 4788 | N/A | C:\Users\Admin\AppData\Local\Temp\b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe |
| PID 5056 wrote to memory of 4788 | N/A | C:\Users\Admin\AppData\Local\Temp\b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe |
| PID 5056 wrote to memory of 4788 | N/A | C:\Users\Admin\AppData\Local\Temp\b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe |
| PID 4788 wrote to memory of 452 | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe |
| PID 4788 wrote to memory of 452 | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe |
| PID 4788 wrote to memory of 452 | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe
"C:\Users\Admin\AppData\Local\Temp\b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe"
C:\Users\Admin\AppData\Local\Temp\rqpwm.exe
"C:\Users\Admin\AppData\Local\Temp\rqpwm.exe" C:\Users\Admin\AppData\Local\Temp\ggzllxjrbu.d
C:\Users\Admin\AppData\Local\Temp\rqpwm.exe
"C:\Users\Admin\AppData\Local\Temp\rqpwm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4788 -ip 4788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 564
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.36.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\rqpwm.exe
| MD5 | c7b994bf4057f869fbf0fdd87058a5b1 |
| SHA1 | 49cd3cb0e992b570ddfb82ee539c91e924fae42d |
| SHA256 | 9713a086074e9951c6ba4aff6f801c62ca11935aaea623047f21c6b1516174ac |
| SHA512 | b3d511e62c54aa201d00b83e520b714efb295a39030b98558d88b499e90b1d2606ca58dbb3aea4e602912ada7c9582738083ae44890b2a183a262bacb8d1b0d9 |
C:\Users\Admin\AppData\Local\Temp\ggzllxjrbu.d
| MD5 | eb6b8d229b54bed8469fb9bcebcaa22d |
| SHA1 | f4bd8ee98476e8520f2e6b8e014f47002555d7e0 |
| SHA256 | 447204de0bb3b29b0a80fe2d233448dc095825ad00df559278a2a7df01b9be4a |
| SHA512 | 39ee1775c22328314c2682bbf93252f87cdb03e8d86c612eb8252729b4ae41c06d0953d3f99c925a2747398e2d175d0b76556d37f600f9e4a3c059a24912694c |
memory/4788-7-0x0000000000680000-0x0000000000682000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ajxwfn.ya
| MD5 | e9dc02fcc8d07b8c9fb94bfdafd649dc |
| SHA1 | 4073f8fd24f056a7d1dc8057ac3b9856b3c5acf8 |
| SHA256 | ebcbf2884bbab2f4659135df86ee673072f4b4de530b703674fbb92731f893cb |
| SHA512 | a1abdb620261820d7575c8e9d85a7ef53df46d8980950a3d3db239e72fca86c951306b8066868f61f8b69d25006316d9265317d580eea5012fbfe5ef8e9a0bda |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-21 19:52
Reported
2024-11-21 19:55
Platform
win7-20240903-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2504 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2504 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2504 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2504 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\rqpwm.exe
"C:\Users\Admin\AppData\Local\Temp\rqpwm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 204
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-21 19:52
Reported
2024-11-21 19:55
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\rqpwm.exe
"C:\Users\Admin\AppData\Local\Temp\rqpwm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4664 -ip 4664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 532
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.36.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.36.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-21 19:52
Reported
2024-11-21 19:55
Platform
win7-20241010-en
Max time kernel
148s
Max time network
123s
Command Line
Signatures
Formbook
Formbook family
Xloader
Xloader family
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2356 set thread context of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe |
| PID 1976 set thread context of 1408 | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | C:\Windows\Explorer.EXE |
| PID 2772 set thread context of 1408 | N/A | C:\Windows\SysWOW64\systray.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\systray.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\systray.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\systray.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\rqpwm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\systray.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe
"C:\Users\Admin\AppData\Local\Temp\b304ea7c0c21af9a1e1787461fb6577cd05a358fad427a8c33a531449928e700.exe"
C:\Users\Admin\AppData\Local\Temp\rqpwm.exe
"C:\Users\Admin\AppData\Local\Temp\rqpwm.exe" C:\Users\Admin\AppData\Local\Temp\ggzllxjrbu.d
C:\Users\Admin\AppData\Local\Temp\rqpwm.exe
"C:\Users\Admin\AppData\Local\Temp\rqpwm.exe"
C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\rqpwm.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\rqpwm.exe
| MD5 | c7b994bf4057f869fbf0fdd87058a5b1 |
| SHA1 | 49cd3cb0e992b570ddfb82ee539c91e924fae42d |
| SHA256 | 9713a086074e9951c6ba4aff6f801c62ca11935aaea623047f21c6b1516174ac |
| SHA512 | b3d511e62c54aa201d00b83e520b714efb295a39030b98558d88b499e90b1d2606ca58dbb3aea4e602912ada7c9582738083ae44890b2a183a262bacb8d1b0d9 |
memory/2356-11-0x00000000001B0000-0x00000000001B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ggzllxjrbu.d
| MD5 | eb6b8d229b54bed8469fb9bcebcaa22d |
| SHA1 | f4bd8ee98476e8520f2e6b8e014f47002555d7e0 |
| SHA256 | 447204de0bb3b29b0a80fe2d233448dc095825ad00df559278a2a7df01b9be4a |
| SHA512 | 39ee1775c22328314c2682bbf93252f87cdb03e8d86c612eb8252729b4ae41c06d0953d3f99c925a2747398e2d175d0b76556d37f600f9e4a3c059a24912694c |
C:\Users\Admin\AppData\Local\Temp\ajxwfn.ya
| MD5 | e9dc02fcc8d07b8c9fb94bfdafd649dc |
| SHA1 | 4073f8fd24f056a7d1dc8057ac3b9856b3c5acf8 |
| SHA256 | ebcbf2884bbab2f4659135df86ee673072f4b4de530b703674fbb92731f893cb |
| SHA512 | a1abdb620261820d7575c8e9d85a7ef53df46d8980950a3d3db239e72fca86c951306b8066868f61f8b69d25006316d9265317d580eea5012fbfe5ef8e9a0bda |
memory/1976-15-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1976-19-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1408-20-0x0000000000010000-0x0000000000020000-memory.dmp
memory/1408-21-0x0000000006640000-0x000000000672C000-memory.dmp
memory/2772-26-0x0000000000BA0000-0x0000000000BA5000-memory.dmp
memory/2772-22-0x0000000000BA0000-0x0000000000BA5000-memory.dmp
memory/2772-27-0x00000000000C0000-0x00000000000EC000-memory.dmp
memory/1408-28-0x0000000006640000-0x000000000672C000-memory.dmp
memory/1408-30-0x0000000003AC0000-0x0000000003CC0000-memory.dmp