Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 15-01-2021 07:10
- Static task: static1
- Behavioral task: behavioral1
- Sample: Packing list • Invoice • Country of origin.exe
- Resource: win7v20201028
General
- Target: Packing list • Invoice • Country of origin.exe
- Size: 377KB
- MD5: 573ad7a8627f24f2e6fc4aa3c53f6328
- SHA1: 2e292b7e6f41b0fd7dd31424989e5640f6e41e38
- SHA256: b4a9843d6c2869da17c9fb36d3aae7b869f3df444280943e07f3944f6408f086
- SHA512: 750436f6da6c8daed66b61433789dc6a76a49bab86f2d5ef43434d9e77ed702ea5cc020981d9382b2ec8f1c0584d6600897efa67763e513a2569417e54222bc3
Malware Config
- Extracted family: formbook
- C2: http://www.4mzn-l1mit.com/x2ee/
Signatures
-
Xloader Payload 3 IoCs
Processes (resource, yara_rule):
- behavioral1/memory/1216-6-0x000000000041D010-mapping.dmp: xloader
- behavioral1/memory/1216-5-0x0000000000400000-0x0000000000428000-memory.dmp: xloader
- behavioral1/memory/1516-8-0x0000000000000000-mapping.dmp: xloader
Deletes itself 1 IoCs
Processes (pid, process):
- PID 300 cmd.exe
Suspicious use of SetThreadContext 3 IoCs
Processes (description, pid, process, target process):
- PID 532 (Packing list • Invoice • Country of origin.exe) set thread context of PID 1216 (Packing list • Invoice • Country of origin.exe)
- PID 1216 (Packing list • Invoice • Country of origin.exe) set thread context of PID 1260 (Explorer.EXE)
- PID 1516 (control.exe) set thread context of PID 1260 (Explorer.EXE)
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes (pid, process, number of hits):
- PID 1216 Packing list • Invoice • Country of origin.exe (2 hits)
- PID 1516 control.exe (28 hits)
Suspicious behavior: MapViewOfSection 6 IoCs
Processes (pid, process, number of hits):
- PID 532 Packing list • Invoice • Country of origin.exe (1 hit)
- PID 1216 Packing list • Invoice • Country of origin.exe (3 hits)
- PID 1516 control.exe (2 hits)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, PID 1216 Packing list • Invoice • Country of origin.exe
- Token: SeDebugPrivilege, PID 1516 control.exe
Suspicious use of FindShellTrayWindow 4 IoCs
Processes (pid, process, number of hits):
- PID 1260 Explorer.EXE (4 hits)
Suspicious use of SendNotifyMessage 4 IoCs
Processes (pid, process, number of hits):
- PID 1260 Explorer.EXE (4 hits)
Suspicious use of WriteProcessMemory 25 IoCs
Processes (pid, process, target process, number of hits):
- PID 532 Packing list • Invoice • Country of origin.exe wrote to memory of PID 1436 cmd.exe (4 hits)
- PID 532 Packing list • Invoice • Country of origin.exe wrote to memory of PID 1316 cmd.exe (4 hits)
- PID 532 Packing list • Invoice • Country of origin.exe wrote to memory of PID 1216 Packing list • Invoice • Country of origin.exe (5 hits)
- PID 1316 cmd.exe wrote to memory of PID 908 schtasks.exe (4 hits)
- PID 1260 Explorer.EXE wrote to memory of PID 1516 control.exe (4 hits)
- PID 1516 control.exe wrote to memory of PID 300 cmd.exe (4 hits)
Processes (process tree; indentation shows parent/child depth, each entry gives the image path, then the command line, then the signatures hit)
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Packing list • Invoice • Country of origin.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Packing list • Invoice • Country of origin.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c cls
    - C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\e3bc0ade3cf146ebb0444cf186a5e7a1.xml"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\e3bc0ade3cf146ebb0444cf186a5e7a1.xml"
        - Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\Temp\Packing list • Invoice • Country of origin.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Packing list • Invoice • Country of origin.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\control.exe
    command line: "C:\Windows\SysWOW64\control.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Packing list • Invoice • Country of origin.exe"
      - Deletes itself
Downloads
- C:\Users\Admin\AppData\Local\Temp\e3bc0ade3cf146ebb0444cf186a5e7a1.xml
  MD5: a035055e1c80bc652520df45650c690f
  SHA1: 37b8364ad46e17199eb5a7ee89bb506bba384adb
  SHA256: 2b9948d34674d0fc0f9cb290da8298441b56205f6e341e3cfa1954df42c2b655
  SHA512: 678279d1bfc8a71c27a5a2c3afa5fd266882a62610863a3e4ebc2489f17827ed4c680c89e6b8b52621320500294d2df9888259ccdc5d38def43e739c1f325fc1
- memory/300-10-0x0000000000000000-mapping.dmp
- memory/908-4-0x0000000000000000-mapping.dmp
- memory/1216-6-0x000000000041D010-mapping.dmp
- memory/1216-5-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize: 160KB)
- memory/1316-3-0x0000000000000000-mapping.dmp
- memory/1436-2-0x0000000000000000-mapping.dmp
- memory/1516-8-0x0000000000000000-mapping.dmp
- memory/1516-9-0x00000000008C0000-0x00000000008DF000-memory.dmp (Filesize: 124KB)
- memory/1516-11-0x00000000040D0000-0x0000000004224000-memory.dmp (Filesize: 1.3MB)