Analysis
- max time kernel: 149s
- max time network: 193s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 27-07-2021 13:12
Static task: static1
Behavioral task: behavioral1
- Sample: Payment_invoice.exe
- Resource: win7v20210410
General
- Target: Payment_invoice.exe
- Size: 638KB
- MD5: 29645cb14447ff578aaa9dc4243f11e6
- SHA1: cae1f1cfae48a35897e6c64b4f5b3de807af9aa4
- SHA256: 08893f139b09f2dc17635f17baf1f34d2fdf730ea44a41ba54b914ffc024f0c9
- SHA512: 36bbcc580af0e2b33bfd351fa4693ed40ee9485d099767612e8d45c6e0643f28f3b39915a56f98529c9ad8a4e16dd6888144e6ba9e6ccd7e3a765c27294e01cf
Malware Config
Extracted
- Family: xloader
- Version: 2.3
- C2: http://www.illoftapartments.com/uecu/
- Additional domains (64). XLoader/Formbook configs embed a list of 64 decoy domains next to the real C2 and the bot contacts a random subset of them on each beacon round, so most of the hosts below are legitimate sites. Treat them as low-confidence indicators for hunting, not as a block list:
ishtarhotel.com
woodstrends.icu
jalenowens.com
manno.expert
ssg1asia.com
telepathylaw.com
quickoprintnv.com
abrosnm3.com
lumberjackcatering.com
beachujamaica.com
thomasjeffersonbyrd.com
starryfinds.com
shelavish2.com
royalglamempirellc.com
deixandomeuemprego.com
alexgoestech.xyz
opticamn.com
fermanchevybrandon.com
milbodegas.info
adunarsrl.com
dataatlus.com
missabrams.com
beaconservicesuk.com
tvforpc.website
dipmarketingagency.com
milsontt.com
londonsashwindowsservices.com
feedmysheepdaily.com
firsttimephysics.com
hosefire.com
southdocknj.com
idfstool.com
drelip.com
decayette.com
awakenedgodsofbeauty.com
easttexasranch.com
risinglanka.com
meetingoffices.com
vase-composition.com
kupon.asia
alltimeselfstorage.com
gatorbrewcoffee.com
api-pay-agent.com
height-project.online
flbtyc638.com
psdmoravita.com
highbrowhairstudio.com
deepblueriver.com
yh22022.com
sts-100.com
michaelfmoore.com
alzheimers.computer
produtos-servicos.website
zyuyktlcu.icu
ezewasser.com
outstanding-palisade.com
saioura.com
core.run
allaboutlifeblog.com
foodolog.net
somerderm.com
scootrlv.com
ahjjbxg.com
gasworldchampionships.com
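The following script shows how to use the extracted config above for hunting without treating the decoy list as a block list. It is an added example and not part of the sandbox report: the C2 URL and the four domains are taken from the config above, but the log line format (`timestamp host method path`) and the log lines themselves are constructed for the example, and the scoring rules are the author's assumption. The sample's C2 path (`/uecu/`) is applied as the discriminator: a GET for that exact path on any config domain is scored high even when the host is a decoy, because that request shape is the sample's beacon and not ordinary browsing.

```python
"""Score proxy/DNS log lines against the extracted XLoader config.

Added example, not from the sandbox report. The config values are the ones
the report extracted; the log line format (ts host method path) is an
assumption made for this example, and the log lines themselves are
constructed.
"""
from urllib.parse import urlsplit

C2_URL = "http://www.illoftapartments.com/uecu/"      # from the report's config
# A short slice of the report's 64 additional domains. XLoader/Formbook
# configs carry 64 decoys next to the real C2, so these are low confidence.
DECOYS = ["ishtarhotel.com", "woodstrends.icu", "jalenowens.com", "core.run"]


def normalize_host(host):
    """Lower-case, strip a port and a leading 'www.' so config and logs compare."""
    host = host.lower().split(":")[0]
    return host[4:] if host.startswith("www.") else host


def build_indicators(c2_url, decoys):
    """Split the C2 URL into host and URI path; the path is the beacon discriminator."""
    u = urlsplit(c2_url)
    path = u.path if u.path.endswith("/") else u.path + "/"
    return {"c2_host": normalize_host(u.netloc), "c2_path": path,
            "decoys": {normalize_host(d) for d in decoys}}


def score_line(line, ind):
    """Return (confidence, reason) or None for one 'ts host method path' line."""
    parts = line.split()
    if len(parts) < 4:
        return None
    _, host, method, path = parts[:4]
    host = normalize_host(host)
    # Drop the query string so the path alone is compared; the report's
    # Suricata hit is for a GET check-in, so the method is checked as well.
    path_only = path.split("?", 1)[0]
    if host == ind["c2_host"]:
        return ("high", "C2 host from config")
    if host in ind["decoys"]:
        if method.upper() == "GET" and path_only == ind["c2_path"]:
            # Decoy domain, but the request uses the C2's exact URI path:
            # that is the sample's beacon shape, not ordinary browsing.
            return ("high", "config domain + C2 path")
        return ("low", "decoy domain from config")
    return None


def score_log(lines, ind):
    """Apply score_line to every line, keeping only hits."""
    return [(line, *r) for line in lines if (r := score_line(line, ind))]


# Constructed log lines for the example (not real traffic from the sandbox run).
SAMPLE_LOG = [
    "2021-07-27T13:15:02Z www.illoftapartments.com GET /uecu/?4bX=dGVzdA==",
    "2021-07-27T13:15:03Z ishtarhotel.com GET /uecu/?4bX=dGVzdA==",
    "2021-07-27T13:15:04Z woodstrends.icu GET /index.html",
    "2021-07-27T13:15:05Z example.org GET /",
]

if __name__ == "__main__":
    for row in score_log(SAMPLE_LOG, build_indicators(C2_URL, DECOYS)):
        print(*row)
```

Run as-is it prints one high hit for the C2 host, one high hit for a decoy domain carrying the `/uecu/` path, and one low hit for a decoy domain seen with an unrelated path; plain traffic to a host outside the config is ignored.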
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload (3 IoCs)
  behavioral1/memory/268-65-0x0000000000400000-0x0000000000428000-memory.dmp  yara_rule: xloader
  behavioral1/memory/268-66-0x000000000041D020-mapping.dmp  yara_rule: xloader
  behavioral1/memory/888-72-0x00000000000D0000-0x00000000000F8000-memory.dmp  yara_rule: xloader
- Suspicious use of SetThreadContext (3 IoCs)
  PID 1076 Payment_invoice.exe set thread context of PID 268 RegSvcs.exe
  PID 268 RegSvcs.exe set thread context of PID 1264 Explorer.EXE
  PID 888 help.exe set thread context of PID 1264 Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  PID 1076 Payment_invoice.exe (1), PID 268 RegSvcs.exe (2), PID 888 help.exe (22)
- Suspicious behavior: MapViewOfSection (5 IoCs)
  PID 268 RegSvcs.exe (3), PID 888 help.exe (2)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token SeDebugPrivilege: PID 1076 Payment_invoice.exe, PID 268 RegSvcs.exe, PID 888 help.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  PID 1264 Explorer.EXE (4)
- Suspicious use of SendNotifyMessage (4 IoCs)
  PID 1264 Explorer.EXE (4)
- Suspicious use of WriteProcessMemory (18 IoCs)
  PID 1076 Payment_invoice.exe wrote to memory of PID 268 RegSvcs.exe (10)
  PID 1264 Explorer.EXE wrote to memory of PID 888 help.exe (4)
  PID 888 help.exe wrote to memory of PID 712 cmd.exe (4)
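The SetThreadContext and WriteProcessMemory entries above are more useful when read per (source, target) pair than as flat counts. The script below, an added example that is not part of the sandbox report, does that: the event lines are constructed from the report's own entries (one line per distinct pair, with the cmd.exe command line taken from the process tree), the line format is an assumption made for the example, and the classification rules are the author's. A pair with both a write and a SetThreadContext is labelled hollowing; a SetThreadContext without any write from that source is labelled separately, since the report shows MapViewOfSection for those sources instead.

```python
"""Reconstruct the injection chain from sandbox behavior events.

Added example, not part of the sandbox report. The event lines below are
constructed from the report's "set thread context" / "wrote to memory"
entries and the cmd.exe command line; the line format is an assumption
made for this example, not the sandbox's export format.
"""
import re
from collections import defaultdict

# Constructed from the report's SetThreadContext / WriteProcessMemory tables
# (one line per distinct source/target pair).
EVENTS = """
PID 1076 wrote to memory of 268 1076 Payment_invoice.exe RegSvcs.exe
PID 1076 set thread context of 268 1076 Payment_invoice.exe RegSvcs.exe
PID 268 set thread context of 1264 268 RegSvcs.exe Explorer.EXE
PID 1264 wrote to memory of 888 1264 Explorer.EXE help.exe
PID 888 set thread context of 1264 888 help.exe Explorer.EXE
PID 888 wrote to memory of 712 888 help.exe cmd.exe
""".strip().splitlines()

# Command line of PID 712 as shown in the report's process tree.
CMDLINES = {712: r'/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'}

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_name>\S+) (?P<dst_name>\S+)"
)


def parse_events(lines):
    """Return (src_pid, src_name, verb, dst_pid, dst_name) tuples, skipping junk lines."""
    out = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            out.append((int(m["src"]), m["src_name"], m["verb"],
                        int(m["dst"]), m["dst_name"]))
    return out


def injection_findings(events, cmdlines):
    """Classify cross-process activity by the verbs seen per (source, target).

    hollowing:        source wrote into the target and set its thread context,
                      i.e. replaced the target's code and redirected execution.
    setcontext-only:  SetThreadContext on a target this source never wrote to
                      with WriteProcessMemory; in the report these sources also
                      show MapViewOfSection, consistent with code delivered by
                      mapping a section rather than writing it.
    self-delete:      a written-to child whose command line deletes a file.
    """
    verbs = defaultdict(set)          # (src, dst) -> verbs observed
    names = {}
    for src, sname, verb, dst, dname in events:
        verbs[(src, dst)].add(verb)
        names[src], names[dst] = sname, dname
    findings = []
    for (src, dst), vs in sorted(verbs.items()):
        if {"wrote to memory of", "set thread context of"} <= vs:
            findings.append(("hollowing", src, dst))
        elif "set thread context of" in vs:
            findings.append(("setcontext-only", src, dst))
        cmd = cmdlines.get(dst, "")
        if "wrote to memory of" in vs and re.search(r"\bdel\b", cmd, re.I):
            findings.append(("self-delete", src, dst))
    return [(kind, f"{src} {names[src]}", f"{dst} {names[dst]}")
            for kind, src, dst in findings]


if __name__ == "__main__":
    for finding in injection_findings(parse_events(EVENTS), CMDLINES):
        print(*finding)
```

On the report's events this yields one hollowing pair (Payment_invoice.exe into RegSvcs.exe), two setcontext-only pairs (RegSvcs.exe and help.exe, both into Explorer.EXE) and one self-delete (help.exe spawning cmd.exe with the del command); Explorer.EXE writing into help.exe is a plain parent-to-child write and gets no label.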
Processes
- C:\Windows\Explorer.EXE (PID 1264)
  cmdline: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Payment_invoice.exe (PID 1076)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Payment_invoice.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 268)
      cmdline: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\help.exe (PID 888)
    cmdline: "C:\Windows\SysWOW64\help.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 712)
      cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Read together with the Signatures section, the tree is a process-hollowing chain. Payment_invoice.exe (PID 1076) writes into RegSvcs.exe (PID 268) and sets its thread context, so the signed .NET framework binary is what runs the XLoader payload (the first xloader YARA hit is in PID 268's memory). The hollowed RegSvcs.exe then sets the thread context of Explorer.EXE (PID 1264); Explorer writes into and launches help.exe (PID 888), in which the bulk of the process enumeration and the second xloader YARA hit occur, and help.exe in turn sets Explorer's thread context. Finally help.exe spawns cmd.exe (PID 712) to delete RegSvcs.exe. Note that the del target is the legitimate C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe and not the dropper in %TEMP%, which suggests the cleanup uses the hollowed host's image path rather than the original file: on a real host the cleanup targets a system binary while Payment_invoice.exe stays on disk.
Downloads (memory dumps; names follow memory/<pid>-<seq>-<start>-<end>-memory.dmp, with -mapping.dmp entries carrying a single address)
- memory/268-65-0x0000000000400000-0x0000000000428000-memory.dmp  160KB
- memory/268-68-0x0000000000170000-0x0000000000180000-memory.dmp  64KB
- memory/268-67-0x0000000000990000-0x0000000000C93000-memory.dmp  3.0MB
- memory/268-66-0x000000000041D020-mapping.dmp
- memory/712-73-0x0000000000000000-mapping.dmp
- memory/888-72-0x00000000000D0000-0x00000000000F8000-memory.dmp  160KB
- memory/888-70-0x0000000000000000-mapping.dmp
- memory/888-71-0x0000000000150000-0x0000000000156000-memory.dmp  24KB
- memory/888-74-0x0000000000840000-0x0000000000B43000-memory.dmp  3.0MB
- memory/888-75-0x0000000000510000-0x000000000059F000-memory.dmp  572KB
- memory/888-77-0x00000000753B1000-0x00000000753B3000-memory.dmp  8KB
- memory/1076-64-0x0000000000FB0000-0x0000000000FE1000-memory.dmp  196KB
- memory/1076-63-0x0000000005F70000-0x0000000005FF2000-memory.dmp  520KB
- memory/1076-62-0x0000000000590000-0x0000000000592000-memory.dmp  8KB
- memory/1076-59-0x0000000001020000-0x0000000001021000-memory.dmp  4KB
- memory/1076-61-0x0000000004CF0000-0x0000000004CF1000-memory.dmp  4KB
- memory/1264-69-0x0000000006EE0000-0x0000000007038000-memory.dmp  1.3MB
- memory/1264-76-0x00000000066F0000-0x00000000067C5000-memory.dmp  852KB

The two 160KB regions (PID 268 at 0x400000 and PID 888 at 0xD0000) span the same 0x28000 bytes and both carry the xloader YARA match, so they are the same injected image in its two hosts and are the dumps to take for static analysis of the payload. The 268-66 mapping address 0x41D020 falls inside the 0x400000-0x428000 region of the same process. Both hosts also have a 3.0MB region of identical size (0x303000 bytes).
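When a report lists a dozen dumps, the quickest way to find the injected image is to compare region sizes across processes rather than read addresses by eye. The script below is an added example, not part of the sandbox report: the dump names and printed sizes are copied from the list above, the parsing rule is read off those names and is an assumption about the naming scheme, and the checks (size label versus address range, equal-size regions in different PIDs, mapping address inside a dumped region) are the author's.

```python
"""Parse the report's memory dump names and locate the injected image.

Added example, not from the sandbox report. The dump names and sizes are the
ones listed above; the parsing rule (memory/<pid>-<seq>-<start>-<end>-memory.dmp
or memory/<pid>-<seq>-<addr>-mapping.dmp) is read off those names and is an
assumption about the naming scheme.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$"
)

# Copied from the report's Downloads list (name, size label as printed).
DUMPS = [
    ("memory/268-65-0x0000000000400000-0x0000000000428000-memory.dmp", "160KB"),
    ("memory/268-68-0x0000000000170000-0x0000000000180000-memory.dmp", "64KB"),
    ("memory/268-67-0x0000000000990000-0x0000000000C93000-memory.dmp", "3.0MB"),
    ("memory/268-66-0x000000000041D020-mapping.dmp", None),
    ("memory/888-72-0x00000000000D0000-0x00000000000F8000-memory.dmp", "160KB"),
    ("memory/888-74-0x0000000000840000-0x0000000000B43000-memory.dmp", "3.0MB"),
    ("memory/888-75-0x0000000000510000-0x000000000059F000-memory.dmp", "572KB"),
    ("memory/1076-64-0x0000000000FB0000-0x0000000000FE1000-memory.dmp", "196KB"),
    ("memory/1264-69-0x0000000006EE0000-0x0000000007038000-memory.dmp", "1.3MB"),
]


def parse_dump(name):
    """Return dict(pid, seq, start, end, kind) or None if the name does not fit."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": int(m["start"], 16), "end": end,
            "kind": "region" if end is not None else "mapping"}


def region_size_matches_label(d, label):
    """Check the printed size against the address range.

    KB labels are whole kilobytes; MB labels are truncated to one decimal,
    which is how 0x158000 bytes prints as 1.3MB in the report.
    """
    n = d["end"] - d["start"]
    if label.endswith("MB"):
        return int(n / 1048576 * 10) / 10 == float(label[:-2])
    return n // 1024 == int(label[:-2])


def shared_sizes(dumps):
    """Region sizes seen in more than one PID: the same image injected into
    several hosts shows up as equal-size regions at different base addresses."""
    by_size = defaultdict(set)
    for name, _ in dumps:
        d = parse_dump(name)
        if d and d["kind"] == "region":
            by_size[d["end"] - d["start"]].add(d["pid"])
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


def mapping_inside_region(dumps):
    """Pair each -mapping.dmp address with a dumped region of the same PID that contains it."""
    parsed = [d for d in (parse_dump(n) for n, _ in dumps) if d]
    pairs = []
    for m in (d for d in parsed if d["kind"] == "mapping"):
        for r in (d for d in parsed if d["kind"] == "region" and d["pid"] == m["pid"]):
            if r["start"] <= m["start"] < r["end"]:
                pairs.append((m["pid"], m["start"], r["start"], r["end"]))
    return pairs


if __name__ == "__main__":
    for name, label in DUMPS:
        d = parse_dump(name)
        if d and d["kind"] == "region":
            ok = region_size_matches_label(d, label)
            print(name, "size label ok" if ok else "size MISMATCH")
    print("sizes shared across PIDs:", {hex(k): v for k, v in shared_sizes(DUMPS).items()})
    print("mapping addresses inside dumped regions:", mapping_inside_region(DUMPS))
```

Every size label in the report agrees with its address range, the 0x28000 and 0x303000 byte sizes are the only ones shared between PIDs 268 and 888, and the single mapping address that lands inside a dumped region is 0x41D020 inside PID 268's 0x400000-0x428000 image.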