Analysis
max time kernel: 149s
max time network: 181s
platform: windows7_x64
resource: win7v20210410
submitted: 27-07-2021 12:42
Static task: static1
Behavioral task: behavioral1
Sample: Pagos-133, 195 & 285/Documento de Pago/Pago-133.exe
Resource: win7v20210410
Behavioral task: behavioral2
Sample: Pagos-133, 195 & 285/Documento de Pago/Pago-195.exe
Resource: win7v20210408
The General, Signatures, Processes and Downloads sections below are from the behavioral1 run (Pago-133.exe); the YARA hits are recorded under behavioral1/memory/.
General
Target: Pagos-133, 195 & 285/Documento de Pago/Pago-133.exe
Size: 423KB
MD5: 42cfb7889c4a5fb1e3ab405d6749ff5c
SHA1: a652bb67bb18c540b8b730f8ec82557fc3f9e4cd
SHA256: f68c7bdc06b19a327f1428383d0df7b73158abb5604f2368f04233ba0020953c
SHA512: 3bc5864d22bfd533c53df4b59f7e458c6334e5fdaab48ef35b8abc2f7d8d63f884a672e0b35bc9a851a080995ba084fd9dcdc40a590c86c83141dbdce958a20b
Malware Config
Extracted
Family: xloader
Version: 2.3
C2: http://www.northriverlawns.com/q3t0/
Domains from the extracted config (XLoader, like FormBook, beacons to a list of decoy domains alongside the real C2, so not every entry below is attacker-controlled infrastructure; hunt or block on the full list, but do not attribute ownership of any single domain from this report alone):
xn--n8jh0ox33v9th.club
realestateactiongroup.com
theblackcottage.com
iptvfresh.com
firstseviceresidential.com
enhancemarketingsolutions.com
matchawali.com
lockedselfstorage.com
laurencervera.com
waffleicionados.com
ryanplumbingandmechanical.com
mahalabartlemathiassen.com
enter-flowers.com
berlinclick.com
pop.direct
dangeranimalsfounded.press
sweetwhiskerscreamery.com
acaciamultimedia.com
thejoyfulmark.com
bspceducation.com
1933ejaniceway.com
xn--infus-fsa.com
monumenthomes18.com
aiaipot.com
jenole.com
lvvmall.com
woodriverdelivers.com
cunerier.com
ztxwnqe.icu
bulletraces.store
qwgkj.com
painloss.online
kutyc.com
hitbars.space
yoursimplepropertysolution.com
jiuzuofang.com
mercadovdp.com
mentorlawgroup.com
myfoodylife.com
growthmindsetactivator.com
pussy888-pussy888.com
boozateria.com
binklo.com
thecarmasseur.com
aura-tic.com
protonselangorkl.com
inapickle.world
decktwelve.com
supasaj.com
domentemenegi57.net
aquifestas.com
liusco.com
andrewsteelsells.com
sppeconsult.com
rehabrunrate.info
fisherstransmission.com
hgai168.com
mattspears.com
ouchiworks.net
acbjewellery.com
lakesview.estate
bedrocktools.store
mecanico.guru
tribkart.com
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload (2 IoCs)
  yara rule: xloader
  behavioral1/memory/1700-61-0x0000000000400000-0x0000000000429000-memory.dmp
  behavioral1/memory/1448-68-0x00000000000C0000-0x00000000000E9000-memory.dmp
  Both regions are 0x29000 bytes (164KB): the unpacked payload mapped at 0x400000 in the injected Pago-133.exe child (PID 1700) and a same-sized copy at 0xC0000 in the injected svchost.exe (PID 1448). Either dump is the one to carve for static analysis; the 423KB file on disk is only the packer.

Deletes itself (1 IoC)
  PID 1532 cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
  PID 1072 (Pago-133.exe) set thread context of 1700 (Pago-133.exe)
  PID 1700 (Pago-133.exe) set thread context of 1288 (Explorer.EXE)
  PID 1448 (svchost.exe) set thread context of 1288 (Explorer.EXE)

Suspicious behavior: EnumeratesProcesses (31 IoCs)
  PID 1700 Pago-133.exe (2 entries)
  PID 1448 svchost.exe (29 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1288 Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
  PID 1072 Pago-133.exe (1 entry)
  PID 1700 Pago-133.exe (3 entries)
  PID 1448 svchost.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  PID 1700 Pago-133.exe: Token: SeDebugPrivilege
  PID 1448 svchost.exe: Token: SeDebugPrivilege

Suspicious use of FindShellTrayWindow (4 IoCs)
  PID 1288 Explorer.EXE (4 entries)

Suspicious use of SendNotifyMessage (4 IoCs)
  PID 1288 Explorer.EXE (4 entries)

Suspicious use of WriteProcessMemory (13 IoCs)
  PID 1072 (Pago-133.exe) wrote to memory of 1700 (Pago-133.exe) (5 entries)
  PID 1288 (Explorer.EXE) wrote to memory of 1448 (svchost.exe) (4 entries)
  PID 1448 (svchost.exe) wrote to memory of 1532 (cmd.exe) (4 entries)
Processes
depth 1: C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  depth 2: C:\Users\Admin\AppData\Local\Temp\Pagos-133, 195 & 285\Documento de Pago\Pago-133.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Pagos-133, 195 & 285\Documento de Pago\Pago-133.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    depth 3: C:\Users\Admin\AppData\Local\Temp\Pagos-133, 195 & 285\Documento de Pago\Pago-133.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Pagos-133, 195 & 285\Documento de Pago\Pago-133.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  depth 2: C:\Windows\SysWOW64\svchost.exe
    command line: "C:\Windows\SysWOW64\svchost.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Hunting note: this svchost.exe is the 32-bit SysWOW64 copy, has Explorer.EXE as its parent and carries no -k service-group argument; a legitimate svchost.exe is started by services.exe with -k, so this parent/argument combination is itself worth an alert independent of the XLoader YARA hit.
    depth 3: C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Pagos-133, 195 & 285\Documento de Pago\Pago-133.exe"
      - Deletes itself
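The process tree and the SetThreadContext / WriteProcessMemory tables above describe one chain: the dropper re-launches itself and injects into the child, the child injects into Explorer.EXE, Explorer writes into a freshly started SysWOW64 svchost.exe that injects back into Explorer, and that svchost.exe finally runs cmd.exe /c del on the original binary. The script below is an added example, not part of this report and not Triage's code: it parses event rows in the phrasing the signature tables use ("PID <src> set thread context of <dst> <src> <src image> <dst image>", same for "wrote to memory of"), takes process command lines as a pid-keyed dict (an assumed input format), and reconstructs the four stages. The sample events and command lines are constructed from the rows of this report, with the repeated WriteProcessMemory rows collapsed.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Event phrasing from the SetThreadContext / WriteProcessMemory signature tables:
# "PID <src> <verb> <dst> <src> <src image> <dst image>".
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)
# "cmd.exe /c del <path>" with or without quotes around the path.
DEL_RE = re.compile(r'/c\s+del\s+"?(?P<path>[^"]+?)"?\s*$', re.IGNORECASE)

# Constructed sample: the event rows of this report, duplicates collapsed.
SAMPLE_EVENTS = [
    "PID 1072 set thread context of 1700 1072 Pago-133.exe Pago-133.exe",
    "PID 1700 set thread context of 1288 1700 Pago-133.exe Explorer.EXE",
    "PID 1448 set thread context of 1288 1448 svchost.exe Explorer.EXE",
    "PID 1072 wrote to memory of 1700 1072 Pago-133.exe Pago-133.exe",
    "PID 1288 wrote to memory of 1448 1288 Explorer.EXE svchost.exe",
    "PID 1448 wrote to memory of 1532 1448 svchost.exe cmd.exe",
]
# Constructed sample: command lines from the process tree, keyed by pid (assumed input format).
SAMPLE_CMDLINES = {
    1448: r'"C:\Windows\SysWOW64\svchost.exe"',
    1532: r'C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\Pagos-133, 195 & 285\Documento de Pago\Pago-133.exe"',
}

Event = Tuple[str, int, str, int, str]  # (verb, src pid, src image, dst pid, dst image)


def parse_events(lines: List[str]) -> List[Event]:
    """Turn report rows into (verb, src, src_img, dst, dst_img); non-matching rows are skipped."""
    events: List[Event] = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m is None:
            continue
        verb = "set_thread_context" if m["verb"].startswith("set") else "write_process_memory"
        events.append((verb, int(m["src"]), m["src_img"].lower(), int(m["dst"]), m["dst_img"].lower()))
    return events


def analyse(events: List[Event], cmdlines: Dict[int, str]) -> Dict[str, list]:
    """Flag the four stages of the injection chain seen in this report."""
    image_of: Dict[int, str] = {}
    written_by: Dict[int, set] = defaultdict(set)  # dst pid -> pids that wrote into it
    for verb, src, src_img, dst, dst_img in events:
        image_of[src], image_of[dst] = src_img, dst_img
        if verb == "write_process_memory":
            written_by[dst].add(src)

    findings: Dict[str, list] = {
        "self_injection": [],      # SetThreadContext on a process with the same image name
        "explorer_injection": [],  # SetThreadContext whose target is Explorer
        "explorer_relay": [],      # an injector that Explorer itself wrote into first
        "self_delete": [],         # cmd /c del of an injector's own binary
    }
    injector_images = set()
    for verb, src, src_img, dst, dst_img in events:
        if verb != "set_thread_context":
            continue
        injector_images.add(src_img)
        if src_img == dst_img:
            findings["self_injection"].append((src, dst))
        if dst_img == "explorer.exe":
            findings["explorer_injection"].append((src, src_img))
            if any(image_of.get(w) == "explorer.exe" for w in written_by[src]):
                findings["explorer_relay"].append((src, src_img))

    for pid, cmdline in cmdlines.items():
        m = DEL_RE.search(cmdline)
        if m is None:
            continue
        basename = m["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if basename in injector_images:
            findings["self_delete"].append((pid, m["path"]))
    return findings


def is_xloader_chain(findings: Dict[str, list]) -> bool:
    """True only when every stage of the chain is present, not on a single injection event."""
    return all(findings[k] for k in ("self_injection", "explorer_injection", "explorer_relay", "self_delete"))


def run_sample() -> Dict[str, list]:
    return analyse(parse_events(SAMPLE_EVENTS), SAMPLE_CMDLINES)


if __name__ == "__main__":
    result = run_sample()
    for stage, hits in result.items():
        print(f"{stage}: {hits}")
    print("xloader-style chain:", is_xloader_chain(result))
```

Requiring all four stages keeps a lone WriteProcessMemory or SetThreadContext event (common in debuggers, installers and some AV products) from firing on its own; the explorer_relay stage is the distinctive part, because a process that Explorer wrote into and that then sets Explorer's thread context is not something legitimate software does.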
Downloads (memory dumps, behavioral1)
memory/1072-60-0x0000000000250000-0x0000000000252000-memory.dmp (8KB)
memory/1288-64-0x0000000005080000-0x000000000517E000-memory.dmp (1016KB)
memory/1288-71-0x0000000006F50000-0x00000000070BD000-memory.dmp (1.4MB)
memory/1448-67-0x0000000000230000-0x0000000000238000-memory.dmp (32KB)
memory/1448-65-0x0000000000000000-mapping.dmp
memory/1448-68-0x00000000000C0000-0x00000000000E9000-memory.dmp (164KB)
memory/1448-69-0x0000000000730000-0x0000000000A33000-memory.dmp (3.0MB)
memory/1448-70-0x00000000004A0000-0x0000000000530000-memory.dmp (576KB)
memory/1448-72-0x00000000752F1000-0x00000000752F3000-memory.dmp (8KB)
memory/1532-66-0x0000000000000000-mapping.dmp
memory/1700-62-0x0000000000810000-0x0000000000B13000-memory.dmp (3.0MB)
memory/1700-63-0x00000000002C0000-0x00000000002D1000-memory.dmp (68KB)
memory/1700-59-0x000000000041D080-mapping.dmp
memory/1700-61-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)