Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 08-04-2021 07:05
Static task: static1
Behavioral task: behavioral1
Sample: PaymentAdvice.exe
Resource: win7v20201028
General
- Target: PaymentAdvice.exe
- Size: 388KB
- MD5: 6f7b859f349e73f24ddffa5bf11bbe27
- SHA1: 87e76a368434c54cc4904ea4219e14c25f9ba7e6
- SHA256: f45a023c86d834183f3073c05227d6f40686aef4a71b3893b823be493d7aae83
- SHA512: 8b2a3d9360c358358ae7750df53d5072aad39d27ca87d2ed14908c65acdca66070b7bb379c2950008f03b03ccc1dbd9a6d0836934c508283fcf55cde4e5c1f5b
Malware Config
Extracted
- Family: xloader
- Version: 2.3
- C2 URL: http://www.saturnkorp.net/c22b/
Signatures
- Xloader Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/3020-5-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral2/memory/3116-12-0x0000000003020000-0x0000000003049000-memory.dmp | xloader
- Loads dropped DLL (1 IoC)
  pid | process
  640 | PaymentAdvice.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | process | target process
  PID 640 set thread context of 3020 | 640 | PaymentAdvice.exe | PaymentAdvice.exe
  PID 3020 set thread context of 3040 | 3020 | PaymentAdvice.exe | Explorer.EXE
  PID 3116 set thread context of 3040 | 3116 | explorer.exe | Explorer.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (60 IoCs)
  pid | process
  3020 | PaymentAdvice.exe (4 entries)
  3116 | explorer.exe (56 entries)
- Suspicious behavior: MapViewOfSection (6 IoCs)
  pid | process
  640 | PaymentAdvice.exe (1 entry)
  3020 | PaymentAdvice.exe (3 entries)
  3116 | explorer.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 3020 | PaymentAdvice.exe
  Token: SeDebugPrivilege | 3116 | explorer.exe
- Suspicious use of UnmapMainImage (1 IoC)
  pid | process
  3040 | Explorer.EXE
- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | process | target process
  PID 640 wrote to memory of 3020 | 640 | PaymentAdvice.exe | PaymentAdvice.exe (4 entries)
  PID 3040 wrote to memory of 3116 | 3040 | Explorer.EXE | explorer.exe (3 entries)
  PID 3116 wrote to memory of 2400 | 3116 | explorer.exe | cmd.exe (3 entries)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PaymentAdvice.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PaymentAdvice.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\PaymentAdvice.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\PaymentAdvice.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\explorer.exe
    Command line: "C:\Windows\SysWOW64\explorer.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\PaymentAdvice.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsd5B94.tmp\u58vwjsm3.dll
  MD5: 3293e2ef6fb642ddbeb3b075f4a794ab
  SHA1: ee5ec10d846c1ddf448c1df40bd01d3e3c2182be
  SHA256: ae959236ee2f7db81b1aec7e89ca0c62bce23229d857017c1a9e7072e560ea3e
  SHA512: 67777001312443126d690cf8759b02aa269bfc5feb67994e5e5aa374f411b80fd38408d5de928ac9ab9b50b55f1682b971559abac3ab7f8262380583d925750c
- memory/640-3-0x0000000002760000-0x0000000002762000-memory.dmp (Filesize: 8KB)
- memory/2400-10-0x0000000000000000-mapping.dmp
- memory/3020-4-0x000000000041D0A0-mapping.dmp
- memory/3020-6-0x00000000009D0000-0x0000000000CF0000-memory.dmp (Filesize: 3.1MB)
- memory/3020-5-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/3020-7-0x0000000000D10000-0x0000000000D21000-memory.dmp (Filesize: 68KB)
- memory/3040-8-0x0000000006780000-0x00000000068E4000-memory.dmp (Filesize: 1.4MB)
- memory/3040-15-0x0000000006D90000-0x0000000006E7D000-memory.dmp (Filesize: 948KB)
- memory/3116-9-0x0000000000000000-mapping.dmp
- memory/3116-12-0x0000000003020000-0x0000000003049000-memory.dmp (Filesize: 164KB)
- memory/3116-11-0x0000000000880000-0x0000000000CBF000-memory.dmp (Filesize: 4.2MB)
- memory/3116-13-0x0000000004F20000-0x0000000005240000-memory.dmp (Filesize: 3.1MB)
- memory/3116-14-0x0000000004D80000-0x0000000004E10000-memory.dmp (Filesize: 576KB)