Analysis

max time kernel: 151s
max time network: 154s
platform: windows10_x64
resource: win10v20210408
submitted: 02-09-2021 08:37

Static task: static1
Behavioral task: behavioral1
Sample: Invoice remittance 52286.js
Resource: win7-en
General

Target: Invoice remittance 52286.js
Size: 317KB
MD5: c0fd4d06d9d01680a307ffcf75355352
SHA1: 2daeb72092e39bcf668815ab472c6010436f5e47
SHA256: e3f3d8e11b4dcac7bc9f7ba3e88659ecfabe9e03b42c9728ff01d1ee73ba0261
SHA512: 0ee84815dd36fb7ffbe5d07427fb0c2849795b50be115fa92b813ba823f8c7d4a2031f1d2c70ccd02cb148fe3106e0a8dc5d804162de0007fa7155b92e984f74
Malware Config

Extracted
Family: xloader
Version: 2.3
Campaign: n64d
C2: http://www.bughtmisly.com/n64d/
Decoy domains: XLoader (the successor of Formbook) carries a list of mostly legitimate domains that the bot contacts alongside the real C2 so the true server is harder to pick out of the traffic. Alert on the C2 host and URL path above; treat hits on the decoy list below as low-confidence and do not block it wholesale.
hayominta.com
dunstabzug.website
fafmediagroup.com
keepamericagreatagain-again.com
15jizhi.com
hachiden.net
manifestarz.com
bridgeschc.com
floving.com
tintaalairelibre.com
ditsawong.com
dabanse.com
choiceschristianliving.com
pcojapan-online.com
unityinsport.com
hersvin.com
suhaizat.com
vitaliyvs.com
equipmunks.com
yfhzx.com
groupshead.net
agag9.com
mydreamhomemakeover.com
mealplanin5.com
nucaltech.com
wickedowlfilms.com
thebestgenerallegalhelp.website
casadolcelbc.com
6961199.com
bonecustoms.com
indiabazaarwholesale.com
farhangeedalat.com
decoratorsyork.com
rqjgjj.com
rumbroker.com
lescostard.com
spetergroup.com
rezonnance.com
tnprivateschoolsassociation.com
suay.cat
hellofromjesus.com
chochesantojitos.com
hxt6lq.com
prosperitybpo.com
sucessfulwithniecy.com
sambleya.com
diversepowersolutions.net
groupettconstruction.com
hiddejames.com
blockbusters-coaching.net
karizcustomizeme.com
petersonpaintpapering.com
lifstorm.info
facilitaiting-fairy.com
inquirysolutions.net
x1v5a.xyz
outlet-tees.com
ajhedison.com
pascal-lissouba.com
rodengocalcio.com
vent4rent.com
southcoastpphotographic.com
brenz-store.com
colemanwolf.net
Signatures

Xloader Payload (3 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Roaming\bin.exe | xloader
C:\Users\Admin\AppData\Roaming\bin.exe | xloader
behavioral2/memory/3008-125-0x0000000002E30000-0x0000000002E58000-memory.dmp | xloader

Blocklisted process makes network request (17 IoCs)
flow (network flow index in the capture) | pid | process
6 | 3992 | wscript.exe
13 | 3992 | wscript.exe
15 | 3992 | wscript.exe
19 | 3992 | wscript.exe
23 | 3992 | wscript.exe
27 | 3992 | wscript.exe
30 | 3992 | wscript.exe
35 | 3992 | wscript.exe
38 | 3992 | wscript.exe
41 | 3992 | wscript.exe
46 | 3992 | wscript.exe
51 | 3992 | wscript.exe
54 | 3992 | wscript.exe
57 | 3992 | wscript.exe
60 | 3992 | wscript.exe
63 | 3992 | wscript.exe
65 | 3992 | wscript.exe

Executes dropped EXE (1 IoC)
pid | process
3888 | bin.exe

Drops startup file (2 IoCs)
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\abQJTxmwNy.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\abQJTxmwNy.js | wscript.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\abQJTxmwNy.js\"" | wscript.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | process | target process
PID 3888 set thread context of 2996 | 3888 | bin.exe | Explorer.EXE
PID 3008 set thread context of 2996 | 3008 | cmd.exe | Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches the generic note "likely ransomware behaviour" to this heuristic; nothing else in this report (no mass file modification, no ransom note) supports that reading, and the extracted config identifies the payload as XLoader, an information stealer.

Suspicious behavior: EnumeratesProcesses (60 IoCs)
pid | process | entries
3888 | bin.exe | 4
3008 | cmd.exe | 56

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | process
2996 | Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
pid | process | entries
3888 | bin.exe | 3
3008 | cmd.exe | 2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 3888 | bin.exe
Token: SeDebugPrivilege | 3008 | cmd.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | process | entries
2996 | Explorer.EXE | 2

Suspicious use of SendNotifyMessage (2 IoCs)
pid | process | entries
2996 | Explorer.EXE | 2

Suspicious use of UnmapMainImage (1 IoC)
pid | process
2996 | Explorer.EXE

Suspicious use of WriteProcessMemory (11 IoCs)
source pid | source process | target pid | target process | entries
628 | wscript.exe | 3992 | wscript.exe | 2
628 | wscript.exe | 3888 | bin.exe | 3
2996 | Explorer.EXE | 3008 | cmd.exe | 3
3008 | cmd.exe | 3256 | cmd.exe | 3
Processes
(tree depth shown as [1]/[2]/[3]; PIDs taken from the signature tables above)

[1] C:\Windows\Explorer.EXE  (PID 2996)
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\wscript.exe  (PID 628)
      command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Invoice remittance 52286.js"
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\wscript.exe  (PID 3992)
        command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\abQJTxmwNy.js"
        - Blocklisted process makes network request
        - Drops startup file
        - Adds Run key to start application

    [3] C:\Users\Admin\AppData\Roaming\bin.exe  (PID 3888)
        command line: "C:\Users\Admin\AppData\Roaming\bin.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe  (PID 3008)
      command line: "C:\Windows\SysWOW64\cmd.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe  (PID 3256)
        command line: /c del "C:\Users\Admin\AppData\Roaming\bin.exe"
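The process tree and signature rows above describe one chain: a wscript.exe host runs the invoice .js, which drops a second script into %AppData%\Roaming, registers it both as a Run key and as a Startup-folder file, relaunches it silently (the wscript //B switch suppresses errors and prompts), downloads and runs bin.exe, which sets the thread context of Explorer.EXE; Explorer then spawns a bare 32-bit cmd.exe that injects back into Explorer and finally deletes bin.exe. The following is an added example, not part of the sandbox report: detection rules for each step, run over Sysmon-style events constructed from the rows above. The event schema (ProcessCreate, RegistrySet, FileCreate, SetThreadContext with the field names used here) is this example's own simplification; in real telemetry the SetThreadContext step would come from your EDR or from Sysmon events 8/10, and the rule names are invented.

```python
r"""Detection rules for the chain in this report (wscript.exe -> dropped
bin.exe -> thread-context injection into Explorer.EXE -> self-deletion),
exercised on constructed Sysmon-style events.

Added example, not sandbox output. Event field names are simplified; the
"SetThreadContext" event stands in for whatever your EDR or Sysmon (events
8/10) reports for cross-process thread manipulation.
"""
import re

APPDATA = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
SCRIPT_EXT = re.compile(r'\.(js|jse|vbs|vbe|wsf|hta)(?=["\s]|$)', re.I)
STARTUP = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
DEL_CMD = re.compile(r'\bdel\s+"?([^"]+?\.exe)"?', re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def bare_launch(proc: dict) -> bool:
    """True when the command line is just the image path with no arguments,
    like the cmd.exe that Explorer.EXE spawned in this report."""
    return proc["cmdline"].strip().strip('"').lower() == proc["image"].lower()


def detect(events: list) -> set:
    """Return the set of (rule, pid) pairs that fire over the event list."""
    hits = set()
    # Every process that started, so later rules can refer back to it
    # (bin.exe ran as PID 3888 before a cmd.exe deleted it).
    started = {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}
    ran_images = {p["image"].lower() for p in started.values()}
    for e in events:
        kind = e["type"]
        if kind == "ProcessCreate":
            img, parent, cmd = basename(e["image"]), basename(e["parent_image"]), e["cmdline"]
            # wscript.exe //B <AppData>\x.js : script host running a user-writable script
            if img in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd) and APPDATA.search(cmd):
                hits.add(("script_host_runs_appdata_script", e["pid"]))
            # wscript.exe -> C:\Users\...\AppData\Roaming\bin.exe : dropper started by a script host
            if parent in SCRIPT_HOSTS and img.endswith(".exe") and APPDATA.search(e["image"]):
                hits.add(("script_host_spawns_appdata_exe", e["pid"]))
            # cmd.exe /c del "<path of a binary that already ran>" : dropper clean-up
            m = DEL_CMD.search(cmd)
            if img == "cmd.exe" and m and m.group(1).lower() in ran_images:
                hits.add(("injected_host_deletes_dropper", e["pid"]))
        elif kind == "RegistrySet":
            # HKCU\...\CurrentVersion\Run\<name> = "<AppData>\x.js"
            if RUN_KEY.search(e["key"]) and SCRIPT_EXT.search(e["value"]) and APPDATA.search(e["value"]):
                hits.add(("run_key_to_appdata_script", e["pid"]))
        elif kind == "FileCreate":
            # a script host writes a script into the per-user Startup folder
            if STARTUP.search(e["path"]) and SCRIPT_EXT.search(e["path"]) and basename(e["image"]) in SCRIPT_HOSTS:
                hits.add(("startup_folder_script_dropped", e["pid"]))
        elif kind == "SetThreadContext":
            src = started.get(e["pid"])
            if src and basename(e["target_image"]) == "explorer.exe":
                if APPDATA.search(src["image"]):
                    hits.add(("appdata_exe_injects_explorer", e["pid"]))
                elif src["ppid"] == e["target_pid"] and bare_launch(src):
                    # a system binary Explorer launched with no arguments turns on its parent
                    hits.add(("explorer_child_injects_parent", e["pid"]))
    return hits


# Constructed from the report's process tree and signature rows (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 628, "ppid": 2996, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\Explorer.EXE",
     "cmdline": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\Invoice remittance 52286.js"'},
    {"type": "ProcessCreate", "pid": 3992, "ppid": 628, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\abQJTxmwNy.js"'},
    {"type": "FileCreate", "pid": 3992, "image": r"C:\Windows\System32\wscript.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\abQJTxmwNy.js"},
    {"type": "RegistrySet", "pid": 3992,
     "key": r"HKU\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S",
     "value": r'"C:\Users\Admin\AppData\Roaming\abQJTxmwNy.js"'},
    {"type": "ProcessCreate", "pid": 3888, "ppid": 628, "image": r"C:\Users\Admin\AppData\Roaming\bin.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe", "cmdline": r'"C:\Users\Admin\AppData\Roaming\bin.exe"'},
    {"type": "SetThreadContext", "pid": 3888, "target_pid": 2996, "target_image": r"C:\Windows\Explorer.EXE"},
    {"type": "ProcessCreate", "pid": 3008, "ppid": 2996, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\Windows\Explorer.EXE", "cmdline": r'"C:\Windows\SysWOW64\cmd.exe"'},
    {"type": "SetThreadContext", "pid": 3008, "target_pid": 2996, "target_image": r"C:\Windows\Explorer.EXE"},
    {"type": "ProcessCreate", "pid": 3256, "ppid": 3008, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": r'/c del "C:\Users\Admin\AppData\Roaming\bin.exe"'},
]

if __name__ == "__main__":
    for rule, pid in sorted(detect(SAMPLE_EVENTS), key=lambda h: (h[1], h[0])):
        print(f"{pid:>5}  {rule}")
```

Two design points worth noting. The path-based injection rule catches bin.exe (it lives under AppData) but would miss the second injection, because the source is the legitimate C:\Windows\SysWOW64\cmd.exe; the fallback rule therefore keys on the odd parent/child shape instead (Explorer launching a console binary with no arguments that then touches Explorer's threads). And the self-deletion rule needs process-start history: matching "del <something>.exe" alone is far too noisy, while matching a delete of a binary that previously executed from a user-writable directory is a tight signal.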
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\abQJTxmwNy.js
  MD5: 3f7b92769fc59d8adc125b4d4e8adee4
  SHA1: b3ea6913dcf3681572a1db1f429cc5e1e49b060e
  SHA256: e1fccde6528046c2c1e41096085c199efaddc1393d42f6696165aeec43c9a209
  SHA512: 659caad97e885af9d5f2dece465873b517fc34a5c67f5f0aba08b9ef868cca57fe025ed9979bd0933e46ee45792d5b424bd99a24c4449c5b739f17e0b6bdf01f

C:\Users\Admin\AppData\Roaming\bin.exe
  MD5: 79d02002f7841dceae1bc53186c94b67
  SHA1: 3bf5dc0017d1239d962a80d48236c785b56cb78a
  SHA256: 251a226acb74675f4650739fd13adb1c1b468e53936ccc6385dbbdacb5220ade
  SHA512: abc48c2c32ef4eef177c9904fd162cf65c98fe180e2435c3e9fd22506a400eb43f576a7731de02fc50dcfdafc59047695c4b1e74d8863e1c58c422ad7363a17e
Memory dumps (name encodes pid-sequence-start-end; Filesize is end minus start)

memory/2996-121-0x00000000053F0000-0x000000000554B000-memory.dmp  Filesize 1.4MB
memory/2996-128-0x0000000005550000-0x000000000560C000-memory.dmp  Filesize 752KB
memory/3008-122-0x0000000000000000-mapping.dmp
memory/3008-124-0x0000000000A10000-0x0000000000A69000-memory.dmp  Filesize 356KB
memory/3008-125-0x0000000002E30000-0x0000000002E58000-memory.dmp  Filesize 160KB  (matched YARA rule xloader, see Signatures: the unpacked payload inside the injected cmd.exe)
memory/3008-126-0x0000000002E60000-0x0000000002FAA000-memory.dmp  Filesize 1.3MB
memory/3008-127-0x0000000003490000-0x000000000351F000-memory.dmp  Filesize 572KB
memory/3256-123-0x0000000000000000-mapping.dmp
memory/3888-116-0x0000000000000000-mapping.dmp
memory/3888-119-0x00000000012D0000-0x00000000015F0000-memory.dmp  Filesize 3.1MB
memory/3888-120-0x0000000000CD0000-0x0000000000E1A000-memory.dmp  Filesize 1.3MB
memory/3992-114-0x0000000000000000-mapping.dmp
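The dump names above carry everything needed to reason about them without opening the files: the PID, a sequence number, and the start and end address of the dumped region, so the printed Filesize can be recomputed and the one region the xloader YARA rule hit (3008-125, 160KB inside the injected cmd.exe) can be pulled to the front of the triage queue. The following is an added example, not part of the sandbox report: a parser for this naming scheme, a consistency check of computed size against the printed Filesize, and a triage ordering that puts YARA-matched regions first. The names, sizes and YARA hit are copied from this page; the size-formatting rule (KiB below 1 MiB, otherwise one decimal of MiB) is an inference from the printed values, and the function names are this example's own.

```python
"""Parse the memory-dump names listed under Downloads, check them against
the printed Filesize column, and rank them using the YARA hit from Signatures.

Added example for this report; file names, sizes and the YARA hit are copied
from the page, the parsing and checks are this example's own.
"""
import re
from typing import Optional

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp    a dumped region
# memory/<pid>-<seq>-0x0000000000000000-mapping.dmp  a mapping record (no size)
# An optional "behavioral2/" task prefix appears in the Signatures section.
DUMP_RE = re.compile(
    r"^(?:behavioral\d+/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$"
)


def parse_dump_name(name: str) -> Optional[dict]:
    """Split a dump file name into pid, sequence, address range and size."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {
        "pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end,
        "size": (end - start) if end is not None else None,
        "kind": "region" if end is not None else "mapping",
    }


def human_size(n: int) -> str:
    """Mirror the report's Filesize column: KiB below 1 MiB, else one decimal of MiB
    (inferred from the printed values, e.g. 0x28000 bytes -> 160KB, 3276800 -> 3.1MB)."""
    return f"{n / 2**20:.1f}MB" if n >= 2**20 else f"{n // 1024}KB"


# Copied from the Downloads section: name -> Filesize as printed (None for mapping records).
REPORTED = {
    "memory/2996-128-0x0000000005550000-0x000000000560C000-memory.dmp": "752KB",
    "memory/2996-121-0x00000000053F0000-0x000000000554B000-memory.dmp": "1.4MB",
    "memory/3008-124-0x0000000000A10000-0x0000000000A69000-memory.dmp": "356KB",
    "memory/3008-127-0x0000000003490000-0x000000000351F000-memory.dmp": "572KB",
    "memory/3008-126-0x0000000002E60000-0x0000000002FAA000-memory.dmp": "1.3MB",
    "memory/3008-122-0x0000000000000000-mapping.dmp": None,
    "memory/3008-125-0x0000000002E30000-0x0000000002E58000-memory.dmp": "160KB",
    "memory/3256-123-0x0000000000000000-mapping.dmp": None,
    "memory/3888-119-0x00000000012D0000-0x00000000015F0000-memory.dmp": "3.1MB",
    "memory/3888-120-0x0000000000CD0000-0x0000000000E1A000-memory.dmp": "1.3MB",
    "memory/3888-116-0x0000000000000000-mapping.dmp": None,
    "memory/3992-114-0x0000000000000000-mapping.dmp": None,
}
# The one region the Signatures section reports as matching the xloader YARA rule.
YARA_HITS = {"behavioral2/memory/3008-125-0x0000000002E30000-0x0000000002E58000-memory.dmp": "xloader"}


def check_sizes(reported: dict) -> list:
    """Names whose name is unparseable or whose computed size disagrees with the printed Filesize."""
    bad = []
    for name, printed in reported.items():
        d = parse_dump_name(name)
        if d is None or (d["kind"] == "region" and human_size(d["size"]) != printed):
            bad.append(name)
    return bad


def triage_order(reported: dict, yara_hits: dict) -> list:
    """Regions to examine first: YARA-matched ones, then the rest by PID and start address."""
    rows = []
    for name in reported:
        d = parse_dump_name(name)
        if d and d["kind"] == "region":
            # YARA names carry the task prefix; compare on the bare memory/ path.
            rule = next((r for n, r in yara_hits.items() if n.endswith(name)), None)
            rows.append((rule is None, d["pid"], d["start"], name, rule))
    rows.sort()
    return [(name, rule) for _, _, _, name, rule in rows]


if __name__ == "__main__":
    print("size mismatches:", check_sizes(REPORTED) or "none")
    for name, rule in triage_order(REPORTED, YARA_HITS):
        print(f"{rule or '-':8} {name}  {human_size(parse_dump_name(name)['size'])}")
```

Every printed Filesize on this page agrees with end minus start, which is the quick sanity check to run before trusting a dump list copied between tools; the 160KB hit region sits inside the 1.3MB region that follows it in cmd.exe (0x2E30000 to 0x2E58000 versus 0x2E60000 to 0x2FAA000), which is where an analyst would start when carving the payload.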