Analysis
- max time kernel: 148s
- max time network: 194s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 27-07-2021 23:51
Static task: static1
Behavioral task: behavioral1
Sample: Invoice #210722 14,890 $.exe
Resource: win7v20210410
General
- Target: Invoice #210722 14,890 $.exe
- Size: 700KB
- MD5: 9f049132f0c15e8687a0b670deab0960
- SHA1: 37ded4a6085ad07cfbc97ac43d8fcfa5c81e8cbf
- SHA256: 89fd73d17d825a1e661f69b41ffd9fcd9f5a3d044159763cbc82ffd0210eb78a
- SHA512: 6fb576e6fe3c7fdcd84a1e0ff0cb7d6f4d859aedc2e759128cc596a3ec1875dd51edb2fd462b8140b5f7aeec02c044ec139ae70c5a606c5ee3beaebb7136ad53
Malware Config
Extracted config (family: xloader, version: 2.3); URL and domain list as extracted:
http://www.appackersandmoversbengaluru.com/p4se/
weightlossforprofessionals.com
talkotstopandshop.com
everesttechsolutions.com
garboarts.com
esubastas-online.com
electriclastmile.com
tomio.tech
jacoty.com
knot-tied-up.com
energychoicesim.com
rocketcompaniessham.com
madarasapattinam.com
promosplace.com
newstarchurch.com
thesaleskitchen.com
slingmodeinc.com
jobresulthub.com
pillclk.com
shipu119.com
sibalcar.com
quotovate.com
bluecoyotecontracting.com
hc68kr.com
laundry39.com
vietthaivt.com
ikonflorida.com
xn--sm2b97e.com
innovisional.co.uk
spacecityscouples.com
slmccallum.com
hro41.com
theyardcardzstore.com
primewildlife.com
xn--seranderturzm-ebc.com
stilesandhansen.com
bvlesty.com
hejiayin.com
philosophersdojo.com
aworldofsofas.com
itile.net
unitronicdealers.com
savasoguz.com
magetu.info
devgmor.com
villasabai.com
pipipenguin.com
furnishessentials.com
patchmonitoring.com
michaelhumphriesrealestate.com
pratikahealth.com
caswellcu.com
lakeportal.com
weedyourmind.com
cardamommm.com
freshstartrestorationllcmd.com
mastercardbhdleon.com
ceramiccottageco.com
magiczneszkielka.com
casebookconnet.com
recharge.directory
phoneprivacyscreen.com
mumbaindicator.com
jumboprovacy.com
streamerdojo.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload (3 IoCs)
  Processes (resource -> yara_rule):
  behavioral1/memory/740-67-0x0000000000400000-0x0000000000429000-memory.dmp -> xloader
  behavioral1/memory/740-68-0x000000000041D0F0-mapping.dmp -> xloader
  behavioral1/memory/616-75-0x0000000000080000-0x00000000000A9000-memory.dmp -> xloader
- Deletes itself (1 IoC)
  Processes (pid process):
  588 cmd.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description | pid process | target process):
  PID 1104 set thread context of 740 | 1104 Invoice #210722 14,890 $.exe | Invoice #210722 14,890 $.exe
  PID 740 set thread context of 1356 | 740 Invoice #210722 14,890 $.exe | Explorer.EXE
  PID 616 set thread context of 1356 | 616 control.exe | Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  Processes (pid process):
  740 Invoice #210722 14,890 $.exe (2 entries)
  616 control.exe (18 entries)
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes (pid process):
  740 Invoice #210722 14,890 $.exe (3 entries)
  616 control.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid process):
  Token: SeDebugPrivilege | 740 Invoice #210722 14,890 $.exe
  Token: SeDebugPrivilege | 616 control.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes (pid process):
  1356 Explorer.EXE (4 entries)
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes (pid process):
  1356 Explorer.EXE (4 entries)
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description | pid process | target process):
  PID 1104 wrote to memory of 740 | 1104 Invoice #210722 14,890 $.exe | Invoice #210722 14,890 $.exe (7 entries)
  PID 1356 wrote to memory of 616 | 1356 Explorer.EXE | control.exe (4 entries)
  PID 616 wrote to memory of 588 | 616 control.exe | cmd.exe (4 entries)
Processes (tree, indented by parent)
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Invoice #210722 14,890 $.exe (command line: "C:\Users\Admin\AppData\Local\Temp\Invoice #210722 14,890 $.exe")
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Invoice #210722 14,890 $.exe (command line: "C:\Users\Admin\AppData\Local\Temp\Invoice #210722 14,890 $.exe")
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\control.exe (command line: "C:\Windows\SysWOW64\control.exe")
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (command line: /c del "C:\Users\Admin\AppData\Local\Temp\Invoice #210722 14,890 $.exe")
      - Deletes itself
Network
MITRE ATT&CK Matrix
Downloads
- memory/588-76-0x0000000000000000-mapping.dmp
- memory/616-72-0x0000000000000000-mapping.dmp
- memory/616-78-0x0000000000560000-0x00000000005EF000-memory.dmp (filesize 572KB)
- memory/616-77-0x0000000002140000-0x0000000002443000-memory.dmp (filesize 3.0MB)
- memory/616-75-0x0000000000080000-0x00000000000A9000-memory.dmp (filesize 164KB)
- memory/616-74-0x00000000003D0000-0x00000000003EF000-memory.dmp (filesize 124KB)
- memory/616-73-0x00000000753E1000-0x00000000753E3000-memory.dmp (filesize 8KB)
- memory/740-69-0x0000000000970000-0x0000000000C73000-memory.dmp (filesize 3.0MB)
- memory/740-70-0x0000000000260000-0x0000000000270000-memory.dmp (filesize 64KB)
- memory/740-68-0x000000000041D0F0-mapping.dmp
- memory/740-67-0x0000000000400000-0x0000000000429000-memory.dmp (filesize 164KB)
- memory/1104-60-0x0000000001030000-0x0000000001031000-memory.dmp (filesize 4KB)
- memory/1104-66-0x00000000009F0000-0x0000000000A1F000-memory.dmp (filesize 188KB)
- memory/1104-65-0x0000000005140000-0x00000000051B4000-memory.dmp (filesize 464KB)
- memory/1104-64-0x0000000000900000-0x000000000091B000-memory.dmp (filesize 108KB)
- memory/1104-63-0x0000000000FC0000-0x0000000000FC1000-memory.dmp (filesize 4KB)
- memory/1104-62-0x00000000049A0000-0x0000000004A4A000-memory.dmp (filesize 680KB)
- memory/1356-71-0x0000000006590000-0x0000000006697000-memory.dmp (filesize 1.0MB)
- memory/1356-79-0x0000000004D70000-0x0000000004E3A000-memory.dmp (filesize 808KB)