Analysis
- max time kernel: 150s
- max time network: 157s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 27-07-2021 13:13

Static task: static1
Behavioral task: behavioral1
- Sample: Payment_invoice.exe
- Resource: win7v20210410
General
- Target: Payment_invoice.exe
- Size: 638KB
- MD5: 29645cb14447ff578aaa9dc4243f11e6
- SHA1: cae1f1cfae48a35897e6c64b4f5b3de807af9aa4
- SHA256: 08893f139b09f2dc17635f17baf1f34d2fdf730ea44a41ba54b914ffc024f0c9
- SHA512: 36bbcc580af0e2b33bfd351fa4693ed40ee9485d099767612e8d45c6e0643f28f3b39915a56f98529c9ad8a4e16dd6888144e6ba9e6ccd7e3a765c27294e01cf
Malware Config
Extracted: xloader 2.3
http://www.illoftapartments.com/uecu/
ishtarhotel.com
woodstrends.icu
jalenowens.com
manno.expert
ssg1asia.com
telepathylaw.com
quickoprintnv.com
abrosnm3.com
lumberjackcatering.com
beachujamaica.com
thomasjeffersonbyrd.com
starryfinds.com
shelavish2.com
royalglamempirellc.com
deixandomeuemprego.com
alexgoestech.xyz
opticamn.com
fermanchevybrandon.com
milbodegas.info
adunarsrl.com
dataatlus.com
missabrams.com
beaconservicesuk.com
tvforpc.website
dipmarketingagency.com
milsontt.com
londonsashwindowsservices.com
feedmysheepdaily.com
firsttimephysics.com
hosefire.com
southdocknj.com
idfstool.com
drelip.com
decayette.com
awakenedgodsofbeauty.com
easttexasranch.com
risinglanka.com
meetingoffices.com
vase-composition.com
kupon.asia
alltimeselfstorage.com
gatorbrewcoffee.com
api-pay-agent.com
height-project.online
flbtyc638.com
psdmoravita.com
highbrowhairstudio.com
deepblueriver.com
yh22022.com
sts-100.com
michaelfmoore.com
alzheimers.computer
produtos-servicos.website
zyuyktlcu.icu
ezewasser.com
outstanding-palisade.com
saioura.com
core.run
allaboutlifeblog.com
foodolog.net
somerderm.com
scootrlv.com
ahjjbxg.com
gasworldchampionships.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload (3 IoCs)
  Processes (resource -> yara_rule):
  - behavioral2/memory/936-124-0x0000000000400000-0x0000000000428000-memory.dmp -> xloader
  - behavioral2/memory/936-125-0x000000000041D020-mapping.dmp -> xloader
  - behavioral2/memory/2820-131-0x0000000000DD0000-0x0000000000DF8000-memory.dmp -> xloader
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description | pid | process | target process):
  - PID 740 set thread context of 936 | 740 | Payment_invoice.exe | RegSvcs.exe
  - PID 936 set thread context of 2536 | 936 | RegSvcs.exe | Explorer.EXE
  - PID 2820 set thread context of 2536 | 2820 | colorcpl.exe | Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (48 IoCs)
  Processes (pid | process):
  - 936 | RegSvcs.exe (4 entries)
  - 2820 | colorcpl.exe (remaining 44 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid | process):
  - 2536 | Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes (pid | process):
  - 936 | RegSvcs.exe (3 entries)
  - 2820 | colorcpl.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
  - Token: SeDebugPrivilege | 740 | Payment_invoice.exe
  - Token: SeDebugPrivilege | 936 | RegSvcs.exe
  - Token: SeDebugPrivilege | 2820 | colorcpl.exe
- Suspicious use of UnmapMainImage (1 IoC)
  Processes (pid | process):
  - 2536 | Explorer.EXE
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  - PID 740 wrote to memory of 936 | 740 | Payment_invoice.exe | RegSvcs.exe (6 entries)
  - PID 2536 wrote to memory of 2820 | 2536 | Explorer.EXE | colorcpl.exe (3 entries)
  - PID 2820 wrote to memory of 3500 | 2820 | colorcpl.exe | cmd.exe (3 entries)
Processes
- C:\Windows\Explorer.EXE (level 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Payment_invoice.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payment_invoice.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (level 3)
      Command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\colorcpl.exe (level 2)
    Command line: "C:\Windows\SysWOW64\colorcpl.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Downloads
- memory/740-114-0x00000000008E0000-0x00000000008E1000-memory.dmp (Filesize: 4KB)
- memory/740-116-0x0000000005610000-0x0000000005611000-memory.dmp (Filesize: 4KB)
- memory/740-117-0x00000000051C0000-0x00000000051C1000-memory.dmp (Filesize: 4KB)
- memory/740-118-0x0000000005340000-0x0000000005341000-memory.dmp (Filesize: 4KB)
- memory/740-119-0x0000000005110000-0x000000000560E000-memory.dmp (Filesize: 5.0MB)
- memory/740-120-0x00000000086F0000-0x00000000086F2000-memory.dmp (Filesize: 8KB)
- memory/740-121-0x0000000008830000-0x0000000008831000-memory.dmp (Filesize: 4KB)
- memory/740-122-0x0000000006CE0000-0x0000000006D62000-memory.dmp (Filesize: 520KB)
- memory/740-123-0x0000000006C10000-0x0000000006C41000-memory.dmp (Filesize: 196KB)
- memory/936-125-0x000000000041D020-mapping.dmp
- memory/936-124-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize: 160KB)
- memory/936-127-0x0000000000FD0000-0x0000000000FE0000-memory.dmp (Filesize: 64KB)
- memory/936-126-0x00000000014F0000-0x0000000001810000-memory.dmp (Filesize: 3.1MB)
- memory/2536-128-0x0000000002720000-0x00000000027DA000-memory.dmp (Filesize: 744KB)
- memory/2536-135-0x0000000005E10000-0x0000000005F3E000-memory.dmp (Filesize: 1.2MB)
- memory/2820-129-0x0000000000000000-mapping.dmp
- memory/2820-131-0x0000000000DD0000-0x0000000000DF8000-memory.dmp (Filesize: 160KB)
- memory/2820-132-0x0000000004FC0000-0x00000000052E0000-memory.dmp (Filesize: 3.1MB)
- memory/2820-130-0x00000000013A0000-0x00000000013B9000-memory.dmp (Filesize: 100KB)
- memory/2820-134-0x0000000004DA0000-0x0000000004E2F000-memory.dmp (Filesize: 572KB)
- memory/3500-133-0x0000000000000000-mapping.dmp