Analysis
- max time kernel: 166s
- max time network: 178s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 30-08-2021 13:51
- Static task: static1
- Behavioral task: behavioral1
- Sample: Invoice pdf.exe
- Resource: win7v20210408
General
- Target: Invoice pdf.exe
- Size: 680KB
- MD5: 3a91f6caa3965066b881d1de7a67f1b9
- SHA1: 6097fcf7687e0ec485eae2d57cf9b993ab520375
- SHA256: 3085d62628657edccc65a18edda86f253fb86712a4e50b1cf67828bfa2d33e80
- SHA512: 516b5704221bc49d607b80bafd6841976019f908869449c97f6a27c2840d43f62c76af2c5e464fb6b3f04079045b95883d3ed7fd684be1a269ec1663ba2b2dfb
Malware Config
Extracted
- Family: xloader
- Version: 2.3
- Campaign: k8b5
- C2: http://www.chongzhi365.com/k8b5/
- Decoy domains: 64 entries (list not reproduced here)
Signatures
- Xloader Payload (3 IoCs)
  yara rule xloader matched in:
  behavioral2/memory/192-124-0x0000000000400000-0x0000000000429000-memory.dmp
  behavioral2/memory/192-125-0x000000000041D0B0-mapping.dmp
  behavioral2/memory/1364-132-0x0000000002A60000-0x0000000002A89000-memory.dmp
- Suspicious use of SetThreadContext (3 IoCs)
  PID 3932 (Invoice pdf.exe) set thread context of 192 (Invoice pdf.exe)
  PID 192 (Invoice pdf.exe) set thread context of 3000 (Explorer.EXE)
  PID 1364 (systray.exe) set thread context of 3000 (Explorer.EXE)
- Suspicious behavior: EnumeratesProcesses (42 IoCs)
  PID 3932 Invoice pdf.exe: 2 entries
  PID 192 Invoice pdf.exe: 4 entries
  PID 1364 systray.exe: the remaining 36 entries
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3000 Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  PID 192 Invoice pdf.exe: 3 entries
  PID 1364 systray.exe: 2 entries
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, PID 3932 Invoice pdf.exe
  Token: SeDebugPrivilege, PID 192 Invoice pdf.exe
  Token: SeDebugPrivilege, PID 1364 systray.exe
- Suspicious use of UnmapMainImage (1 IoC)
  PID 3000 Explorer.EXE
- Suspicious use of WriteProcessMemory (15 IoCs)
  PID 3932 (Invoice pdf.exe) wrote to memory of 3612 (Invoice pdf.exe): 3 entries
  PID 3932 (Invoice pdf.exe) wrote to memory of 192 (Invoice pdf.exe): 6 entries
  PID 3000 (Explorer.EXE) wrote to memory of 1364 (systray.exe): 3 entries
  PID 1364 (systray.exe) wrote to memory of 2352 (cmd.exe): 3 entries
Processes
- C:\Windows\Explorer.EXE (PID 3000), command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe (PID 3932), command line: "C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe (PID 3612, inferred from the WriteProcessMemory entries), command line: "C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe"
      - (no signatures recorded for this process)
    - C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe (PID 192), command line: "C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\systray.exe (PID 1364), command line: "C:\Windows\SysWOW64\systray.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2352), command line: /c del "C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe"
Network
MITRE ATT&CK Matrix
Downloads
- memory/192-124-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
- memory/192-126-0x0000000001790000-0x0000000001AB0000-memory.dmp (3.1MB)
- memory/192-127-0x0000000001360000-0x0000000001370000-memory.dmp (64KB)
- memory/192-125-0x000000000041D0B0-mapping.dmp
- memory/1364-131-0x0000000000A10000-0x0000000000A16000-memory.dmp (24KB)
- memory/1364-129-0x0000000000000000-mapping.dmp
- memory/1364-134-0x00000000040E0000-0x000000000416F000-memory.dmp (572KB)
- memory/1364-132-0x0000000002A60000-0x0000000002A89000-memory.dmp (164KB)
- memory/1364-133-0x0000000004190000-0x00000000044B0000-memory.dmp (3.1MB)
- memory/2352-130-0x0000000000000000-mapping.dmp
- memory/3000-128-0x00000000066E0000-0x0000000006814000-memory.dmp (1.2MB)
- memory/3000-135-0x0000000006FA0000-0x000000000712D000-memory.dmp (1.6MB)
- memory/3932-117-0x0000000005080000-0x0000000005081000-memory.dmp (4KB)
- memory/3932-116-0x0000000005580000-0x0000000005581000-memory.dmp (4KB)
- memory/3932-120-0x0000000005300000-0x0000000005316000-memory.dmp (88KB)
- memory/3932-118-0x0000000005080000-0x000000000557E000-memory.dmp (5.0MB)
- memory/3932-114-0x0000000000740000-0x0000000000741000-memory.dmp (4KB)
- memory/3932-119-0x0000000005010000-0x0000000005011000-memory.dmp (4KB)
- memory/3932-123-0x0000000009CA0000-0x0000000009CCB000-memory.dmp (172KB)
- memory/3932-122-0x00000000075D0000-0x0000000007631000-memory.dmp (388KB)
- memory/3932-121-0x0000000007430000-0x0000000007431000-memory.dmp (4KB)