Analysis
- Max time kernel: 151s
- Max time network: 145s
- Platform: windows7_x64
- Resource: win7v20201028
- Submitted: 08-04-2021 07:05

Static task: static1
Behavioral task: behavioral1
- Sample: PaymentAdvice.exe
- Resource: win7v20201028
General
- Target: PaymentAdvice.exe
- Size: 388KB
- MD5: 6f7b859f349e73f24ddffa5bf11bbe27
- SHA1: 87e76a368434c54cc4904ea4219e14c25f9ba7e6
- SHA256: f45a023c86d834183f3073c05227d6f40686aef4a71b3893b823be493d7aae83
- SHA512: 8b2a3d9360c358358ae7750df53d5072aad39d27ca87d2ed14908c65acdca66070b7bb379c2950008f03b03ccc1dbd9a6d0836934c508283fcf55cde4e5c1f5b
Malware Config
Extracted
- Family: xloader
- Version: 2.3
- C2 URL: http://www.saturnkorp.net/c22b/
- Domains (Xloader/Formbook configurations pair one live C2 path with a long list of decoy domains that the bot also contacts to hide the real server; the sandbox output does not mark which entries are decoys, so treat the list below as a hunting list rather than a blocklist):
westendjanakpuri.com
sylvianicolades.com
xhvai.com
vitalinfusionofarizona.com
orangeecho.com
middletonyork.net
nature-powered.com
securemanchester.com
hispanicalinguablog.com
vtz6whu5254xb1.xyz
forceshutdown.com
apointlessspace.net
wildsoulsport.com
baa-bee.com
unmanglement.com
njtiy.com
misery-indexrain.com
buybox.guru
abolishlawinforcement.com
healthforherraleigh.clinic
merakart.com
thetrentproject.com
tobaccoroadinvitational.com
sgdivergence.com
skmoil.com
bornforbetterthings.com
tianyulian.com
pwjol.com
roab.store
thebellabloom.com
innerpeacehabits.com
curtex.info
worshipher.net
puebloregentseniorliving.com
profoundai.net
yupinduoge.com
draftsofsilence.com
plataformaporelmarcanario.com
grandrapidshemorrhoidclinic.com
crossfut.net
cobourgautoglass.com
whowetrust.com
anchor-little.com
antiqollection.com
wvregistration.com
droplites.com
creditiscrucial.com
simdikikitap.com
deltaeleveight.com
webinast.com
brandschutzglas.com
brightsidebeans.com
weatherdekniagara.com
dajiangzhibo12.com
transporteyflete.com
dulzdude.com
tmancar.com
tristatecandlesupply.net
thehealthierdonut.com
francacheladesigns.com
enerav.com
highsiddityminks.com
aitelco.net
prulib.com
Signatures

Xloader Payload (2 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/1528-6-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral1/memory/1660-14-0x0000000000080000-0x00000000000A9000-memory.dmp | xloader
  (Both regions are 0x29000 = 164KB, one in the hollowed PaymentAdvice.exe child and one in msdt.exe: the same unpacked payload, present twice.)

Deletes itself (1 IoC)
Processes:
  pid | process
  744 | cmd.exe

Loads dropped DLL (1 IoC)
Processes:
  pid  | process
  1904 | PaymentAdvice.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description                          | pid  | process           | target process
  PID 1904 set thread context of 1528  | 1904 | PaymentAdvice.exe | PaymentAdvice.exe
  PID 1528 set thread context of 1236  | 1528 | PaymentAdvice.exe | Explorer.EXE
  PID 1660 set thread context of 1236  | 1660 | msdt.exe          | Explorer.EXE

Enumerates physical storage devices (1 TTP)
  Sandbox description: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour."
  The ransomware remark is the sandbox's generic text for this TTP. Nothing else in this report (no file encryption, no mass file writes, no ransom note) supports it, and the extracted configuration identifies the sample as Xloader, an information stealer; read the drive enumeration in that light.

Suspicious behavior: EnumeratesProcesses (31 IoCs)
Processes:
  pid  | process           | events
  1528 | PaymentAdvice.exe | 2
  1660 | msdt.exe          | 29

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes:
  pid  | process           | events
  1904 | PaymentAdvice.exe | 1
  1528 | PaymentAdvice.exe | 3
  1660 | msdt.exe          | 2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              | pid  | process
  Token: SeDebugPrivilege  | 1528 | PaymentAdvice.exe
  Token: SeDebugPrivilege  | 1660 | msdt.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
  pid  | process      | events
  1236 | Explorer.EXE | 4

Suspicious use of SendNotifyMessage (4 IoCs)
Processes:
  pid  | process      | events
  1236 | Explorer.EXE | 4

Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
  description                        | pid  | process           | target process    | events
  PID 1904 wrote to memory of 1528   | 1904 | PaymentAdvice.exe | PaymentAdvice.exe | 5
  PID 1236 wrote to memory of 1660   | 1236 | Explorer.EXE      | msdt.exe          | 4
  PID 1660 wrote to memory of 744    | 1660 | msdt.exe          | cmd.exe           | 4
Processes
(Tree depth is given by the leading number; PIDs are taken from the signature tables above, since the tree itself does not print them.)

1  C:\Windows\Explorer.EXE  (PID 1236)
   command line: C:\Windows\Explorer.EXE
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2  C:\Users\Admin\AppData\Local\Temp\PaymentAdvice.exe  (PID 1904)
      command line: "C:\Users\Admin\AppData\Local\Temp\PaymentAdvice.exe"
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      3  C:\Users\Admin\AppData\Local\Temp\PaymentAdvice.exe  (PID 1528, hollowed child)
         command line: "C:\Users\Admin\AppData\Local\Temp\PaymentAdvice.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken

   2  C:\Windows\SysWOW64\msdt.exe  (PID 1660, spawned by the injected Explorer.EXE)
      command line: "C:\Windows\SysWOW64\msdt.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\SysWOW64\cmd.exe  (PID 744)
         command line: /c del "C:\Users\Admin\AppData\Local\Temp\PaymentAdvice.exe"
         - Deletes itself
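The signature tables and process tree above describe one chain: the dropper hollows a copy of itself, the hollowed copy hijacks a thread in Explorer.EXE, the injected Explorer.EXE launches and writes into msdt.exe, msdt.exe hijacks Explorer.EXE again and spawns cmd.exe to delete the original file. The script below is an added example by the editor, not sandbox output: it parses event rows in the format the report prints (one event per line, duplicates collapsed) and derives those findings mechanically, so the same logic can be run over other reports of this shape. The PID-to-command-line mapping is taken from the signature tables; the row format and the finding labels are the example's own assumptions.

```python
"""Reconstruct a process-injection chain from sandbox event rows.

Editor's added example; the event rows and command lines are copied from this
report, the parsing format and finding labels are assumptions of the example.
"""
import re
from dataclasses import dataclass

# Constructed input: rows of the report's "Suspicious use of SetThreadContext" and
# "Suspicious use of WriteProcessMemory" tables, one event per line, repeats removed.
# Row format: PID <src> <action> <dst> <src> <src image> <dst image>
SANDBOX_EVENTS = """
PID 1904 set thread context of 1528 1904 PaymentAdvice.exe PaymentAdvice.exe
PID 1528 set thread context of 1236 1528 PaymentAdvice.exe Explorer.EXE
PID 1660 set thread context of 1236 1660 msdt.exe Explorer.EXE
PID 1904 wrote to memory of 1528 1904 PaymentAdvice.exe PaymentAdvice.exe
PID 1236 wrote to memory of 1660 1236 Explorer.EXE msdt.exe
PID 1660 wrote to memory of 744 1660 msdt.exe cmd.exe
"""

# Command lines from the report's process tree; PIDs assigned from the signature tables.
PROCESS_CMDLINES = {
    1236: r"C:\Windows\Explorer.EXE",
    1904: r'"C:\Users\Admin\AppData\Local\Temp\PaymentAdvice.exe"',
    1528: r'"C:\Users\Admin\AppData\Local\Temp\PaymentAdvice.exe"',
    1660: r'"C:\Windows\SysWOW64\msdt.exe"',
    744: r'C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\PaymentAdvice.exe"',
}
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\PaymentAdvice.exe"

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


@dataclass(frozen=True)
class Event:
    src: int
    src_img: str
    action: str
    dst: int
    dst_img: str


def parse_events(text):
    """Parse event rows; lines that do not match the row format are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(Event(int(m["src"]), m["src_img"], m["action"],
                                int(m["dst"]), m["dst_img"]))
    return events


def injection_chain(events, cmdlines, sample_path):
    """Return (kind, src_pid, dst_pid) findings describing the injection chain."""
    ctx = {(e.src, e.dst) for e in events if e.action == "set thread context of"}
    wrote = {(e.src, e.dst) for e in events if e.action == "wrote to memory of"}
    image = {}
    for e in events:
        image[e.src], image[e.dst] = e.src_img, e.dst_img
    findings = []
    # Process hollowing: a parent writes into, then sets the thread context of,
    # a child running the same image (here 1904 -> 1528, both PaymentAdvice.exe).
    for s, d in sorted(ctx & wrote):
        if image[s].lower() == image[d].lower():
            findings.append(("process_hollowing", s, d))
    # Thread hijack into the shell: SetThreadContext on a thread of Explorer.EXE.
    for s, d in sorted(ctx):
        if image[d].lower() == "explorer.exe":
            findings.append(("explorer_thread_hijack", s, d))
    # Explorer.EXE writing into a process it spawned: the injected shell stages
    # the next stage inside a signed system binary (msdt.exe here).
    for s, d in sorted(wrote):
        if image[s].lower() == "explorer.exe":
            findings.append(("explorer_writes_child", s, d))
    # Self-delete: cmd.exe /c del on the original sample path, with the injected
    # process that wrote into cmd.exe recorded as the source.
    for pid, cmd in cmdlines.items():
        if re.search(r"cmd\.exe.*\s/c\s+del\s", cmd, re.I) and sample_path.lower() in cmd.lower():
            writers = sorted(s for s, d in wrote if d == pid)
            findings.append(("self_delete", writers[0] if writers else None, pid))
    return findings


if __name__ == "__main__":
    for kind, src, dst in injection_chain(parse_events(SANDBOX_EVENTS), PROCESS_CMDLINES, SAMPLE_PATH):
        print(f"{kind:24} {src} -> {dst}")
```

The order of findings mirrors the chain as it executed; a row that does not match the expected format is dropped rather than guessed at, which matters when feeding the script the fused multi-event lines some extractors produce.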
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- \Users\Admin\AppData\Local\Temp\nsc1343.tmp\u58vwjsm3.dll
  MD5:    3293e2ef6fb642ddbeb3b075f4a794ab
  SHA1:   ee5ec10d846c1ddf448c1df40bd01d3e3c2182be
  SHA256: ae959236ee2f7db81b1aec7e89ca0c62bce23229d857017c1a9e7072e560ea3e
  SHA512: 67777001312443126d690cf8759b02aa269bfc5feb67994e5e5aa374f411b80fd38408d5de928ac9ab9b50b55f1682b971559abac3ab7f8262380583d925750c
  This is the only dropped DLL in the report and so presumably the one behind the "Loads dropped DLL" signature on PID 1904. A randomly named DLL under %TEMP%\ns*.tmp\ is the plugin-extraction pattern of the Nullsoft (NSIS) installer framework, which makes the outer PaymentAdvice.exe consistent with an NSIS-wrapped loader; the DLL's hashes are the first-stage indicator to pivot on.

Memory dumps (name encodes PID-sequence-start-end; mapping dumps carry no size):
- memory/744-12-0x0000000000000000-mapping.dmp
- memory/1236-9-0x0000000005110000-0x00000000051F4000-memory.dmp (912KB)
- memory/1236-17-0x0000000006570000-0x000000000663B000-memory.dmp (812KB)
- memory/1528-7-0x0000000000950000-0x0000000000C53000-memory.dmp (3.0MB)
- memory/1528-8-0x00000000003C0000-0x00000000003D1000-memory.dmp (68KB)
- memory/1528-6-0x0000000000400000-0x0000000000429000-memory.dmp (164KB, xloader YARA hit)
- memory/1528-4-0x000000000041D0A0-mapping.dmp
- memory/1660-10-0x0000000000000000-mapping.dmp
- memory/1660-13-0x0000000000760000-0x0000000000854000-memory.dmp (976KB)
- memory/1660-14-0x0000000000080000-0x00000000000A9000-memory.dmp (164KB, xloader YARA hit)
- memory/1660-15-0x0000000002230000-0x0000000002533000-memory.dmp (3.0MB)
- memory/1660-16-0x0000000001F80000-0x0000000002010000-memory.dmp (576KB)
- memory/1904-2-0x0000000075781000-0x0000000075783000-memory.dmp (8KB)
- memory/1904-5-0x00000000003E0000-0x00000000003E2000-memory.dmp (8KB)
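The dump names above encode the region bounds, so the listed sizes can be recomputed and the two processes can be compared region by region. The script below is an added example by the editor, not sandbox output: it parses the dump names, checks every listed size against the bounds, and reports region sizes that recur across different PIDs. On this report the 0x29000 (164KB) region appears in both PID 1528 and PID 1660, exactly the two dumps the xloader YARA rule fired on, which is the footprint of one unpacked payload injected into two processes. The listing text is copied from the report; the size-formatting convention (whole KB below 1 MB, one decimal MB above) is inferred from the report's own values.

```python
"""Recompute and cross-reference sandbox memory-dump regions.

Editor's added example; dump names and listed sizes are copied from this report,
the size-formatting rule is inferred from them.
"""
import re
from collections import defaultdict

# Constructed input: the memory-dump entries from the report's Downloads list,
# each followed by the Filesize the report shows (mapping dumps have none).
DUMP_LISTING = """
memory/744-12-0x0000000000000000-mapping.dmp
memory/1236-9-0x0000000005110000-0x00000000051F4000-memory.dmp 912KB
memory/1236-17-0x0000000006570000-0x000000000663B000-memory.dmp 812KB
memory/1528-7-0x0000000000950000-0x0000000000C53000-memory.dmp 3.0MB
memory/1528-8-0x00000000003C0000-0x00000000003D1000-memory.dmp 68KB
memory/1528-6-0x0000000000400000-0x0000000000429000-memory.dmp 164KB
memory/1528-4-0x000000000041D0A0-mapping.dmp
memory/1660-10-0x0000000000000000-mapping.dmp
memory/1660-13-0x0000000000760000-0x0000000000854000-memory.dmp 976KB
memory/1660-14-0x0000000000080000-0x00000000000A9000-memory.dmp 164KB
memory/1660-15-0x0000000002230000-0x0000000002533000-memory.dmp 3.0MB
memory/1660-16-0x0000000001F80000-0x0000000002010000-memory.dmp 576KB
memory/1904-2-0x0000000075781000-0x0000000075783000-memory.dmp 8KB
memory/1904-5-0x00000000003E0000-0x00000000003E2000-memory.dmp 8KB
"""

# The two dumps the report's "Xloader Payload" YARA signature matched.
XLOADER_HITS = (
    "memory/1528-6-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/1660-14-0x0000000000080000-0x00000000000A9000-memory.dmp",
)

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump(name):
    """Return (pid, seq, start, end) for a region dump, or None for a mapping dump."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    return int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16)


def region_size(start, end):
    return end - start


def human_size(n):
    """Format a byte count as the report does: whole KB below 1 MB, else one-decimal MB."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


def verify_listing(listing):
    """Return (name, recomputed, listed) for every entry whose listed size disagrees."""
    mismatches = []
    for line in listing.strip().splitlines():
        parts = line.split()
        parsed = parse_dump(parts[0])
        if parsed is None or len(parts) < 2:
            continue  # mapping dump or no size given: nothing to check
        _, _, start, end = parsed
        got = human_size(region_size(start, end))
        if got != parts[1]:
            mismatches.append((parts[0], got, parts[1]))
    return mismatches


def cross_process_sizes(listing):
    """Map region size -> sorted PIDs, for sizes that occur in more than one process."""
    by_size = defaultdict(set)
    for line in listing.strip().splitlines():
        parsed = parse_dump(line.split()[0])
        if parsed:
            pid, _, start, end = parsed
            by_size[region_size(start, end)].add(pid)
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


def yara_hit_sizes(hits):
    """Region size of each dump a YARA rule matched, keyed by dump name."""
    return {name: region_size(*parse_dump(name)[2:]) for name in hits}


if __name__ == "__main__":
    print("size mismatches:", verify_listing(DUMP_LISTING))
    for size, pids in sorted(cross_process_sizes(DUMP_LISTING).items()):
        print(f"0x{size:X} ({human_size(size)}) present in PIDs {pids}")
    print("xloader hit sizes:", {k: hex(v) for k, v in yara_hit_sizes(XLOADER_HITS).items()})
```

Two sizes recur across 1528 and 1660: the 0x29000 payload region and a 0x303000 (3.0MB) region. Only the first is confirmed as Xloader by the YARA hits; the second is worth diffing between the two dumps before drawing any conclusion about it.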