Analysis
max time kernel: 154s
max time network: 188s
platform: windows7_x64
resource: win7v20210408
submitted: 02-09-2021 05:48
Static task: static1
Behavioral task: behavioral1
  Sample: Invoice remittance 52286.js
  Resource: win7v20210408
General
Target: Invoice remittance 52286.js
Size: 317KB
MD5: c0fd4d06d9d01680a307ffcf75355352
SHA1: 2daeb72092e39bcf668815ab472c6010436f5e47
SHA256: e3f3d8e11b4dcac7bc9f7ba3e88659ecfabe9e03b42c9728ff01d1ee73ba0261
SHA512: 0ee84815dd36fb7ffbe5d07427fb0c2849795b50be115fa92b813ba823f8c7d4a2031f1d2c70ccd02cb148fe3106e0a8dc5d804162de0007fa7155b92e984f74
Malware Config
Extracted
Family: xloader
Version: 2.3
Campaign: n64d
C2: http://www.bughtmisly.com/n64d/
Decoy domains (64). The host in the C2 URL is the active check-in server; the domains below are the decoy list the XLoader/FormBook config carries alongside it. They are largely unrelated, legitimate sites, so treat them as low-confidence indicators rather than blocking them on this evidence alone:
hayominta.com
dunstabzug.website
fafmediagroup.com
keepamericagreatagain-again.com
15jizhi.com
hachiden.net
manifestarz.com
bridgeschc.com
floving.com
tintaalairelibre.com
ditsawong.com
dabanse.com
choiceschristianliving.com
pcojapan-online.com
unityinsport.com
hersvin.com
suhaizat.com
vitaliyvs.com
equipmunks.com
yfhzx.com
groupshead.net
agag9.com
mydreamhomemakeover.com
mealplanin5.com
nucaltech.com
wickedowlfilms.com
thebestgenerallegalhelp.website
casadolcelbc.com
6961199.com
bonecustoms.com
indiabazaarwholesale.com
farhangeedalat.com
decoratorsyork.com
rqjgjj.com
rumbroker.com
lescostard.com
spetergroup.com
rezonnance.com
tnprivateschoolsassociation.com
suay.cat
hellofromjesus.com
chochesantojitos.com
hxt6lq.com
prosperitybpo.com
sucessfulwithniecy.com
sambleya.com
diversepowersolutions.net
groupettconstruction.com
hiddejames.com
blockbusters-coaching.net
karizcustomizeme.com
petersonpaintpapering.com
lifstorm.info
facilitaiting-fairy.com
inquirysolutions.net
x1v5a.xyz
outlet-tees.com
ajhedison.com
pascal-lissouba.com
rodengocalcio.com
vent4rent.com
southcoastpphotographic.com
brenz-store.com
colemanwolf.net
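The extracted config above, normalised into indicators and run over a few network records: an added example, not code from the Triage report or from the sample. It assumes, since the page does not label its fields, that the URL line is the active C2 and the bare domains are XLoader's decoy list; the record formats and the log lines at the bottom are constructed for the example.

```python
"""Normalise the extracted XLoader config into indicators and score network
records against them.  Added example, not code from the report or the sample.

Assumptions not stated on the page: the URL line is the active C2 and the
bare domains are the decoy list FormBook/XLoader carries with it (only the
C2 host is a high-confidence indicator; decoys are mostly real, unrelated
sites).  The log records at the bottom are constructed for this example.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# First lines of the config block as printed in the report; the report lists
# 64 decoy domains, only five are reproduced here.
CONFIG_TEXT = """\
xloader
2.3
n64d
http://www.bughtmisly.com/n64d/
hayominta.com
dunstabzug.website
fafmediagroup.com
keepamericagreatagain-again.com
15jizhi.com
"""


def _strip_www(host: str) -> str:
    return host[4:] if host.startswith("www.") else host


@dataclass
class XLoaderConfig:
    family: str
    version: str
    campaign: str
    c2_url: str
    decoys: list

    @property
    def c2_domain(self) -> str:
        # XLoader prefixes "www." itself; match on the registrable name.
        return _strip_www((urlsplit(self.c2_url).hostname or "").lower())

    @property
    def c2_path(self) -> str:
        return urlsplit(self.c2_url).path


def parse_config(text: str) -> XLoaderConfig:
    """Layout as printed in the report: family, version, campaign, C2 URL,
    then one decoy domain per line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 4 or not lines[3].startswith("http"):
        raise ValueError("unexpected config layout")
    family, version, campaign, c2_url = lines[:4]
    decoys = [_strip_www(d.lower()) for d in lines[4:]]
    return XLoaderConfig(family, version, campaign, c2_url, decoys)


def _matches(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def _host_of(record: str) -> str:
    """Record formats are constructed: 'DNS <qname>' or 'HTTP <method> <url>'."""
    kind, _, rest = record.partition(" ")
    if kind == "HTTP":
        _, _, url = rest.partition(" ")
        return (urlsplit(url).hostname or "").lower()
    if kind == "DNS":
        return rest.strip().lower().rstrip(".")
    return ""


def classify(cfg: XLoaderConfig, record: str) -> str:
    """'c2' (high confidence), 'decoy' (low confidence) or 'none'."""
    host = _host_of(record)
    if not host:
        return "none"
    if _matches(host, cfg.c2_domain):
        return "c2"
    if any(_matches(host, d) for d in cfg.decoys):
        return "decoy"
    return "none"


def is_checkin(cfg: XLoaderConfig, url: str) -> bool:
    """A GET to the C2 host under the campaign path is the shape the
    'FormBook CnC Checkin (GET)' Suricata alert in this report reacts to."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    return _matches(host, cfg.c2_domain) and u.path.startswith(cfg.c2_path)


def triage(cfg: XLoaderConfig, records: list) -> dict:
    """Count records per label so the C2 hits stand out from decoy noise."""
    counts = {"c2": 0, "decoy": 0, "none": 0}
    for rec in records:
        counts[classify(cfg, rec)] += 1
    return counts


SAMPLE_LOG = [  # constructed for the example
    "DNS www.bughtmisly.com",
    "HTTP GET http://www.bughtmisly.com/n64d/?id=AAAA",
    "DNS www.hayominta.com",
    "HTTP GET http://www.hayominta.com/n64d/?id=AAAA",
    "DNS keepamericagreatagain-again.com",
    "DNS update.example.net",
]
```

Running `triage(parse_config(CONFIG_TEXT), SAMPLE_LOG)` separates the two C2 contacts from the three decoy contacts; only the former justify an alert, which is why the decoys are tracked but labelled separately.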
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)  (2 alerts; the Emerging Threats rule keeps the FormBook name, XLoader being the renamed continuation of FormBook with the same check-in format)

Xloader Payload (3 IoCs)
  resource                                                                      yara_rule
  C:\Users\Admin\AppData\Roaming\bin.exe                                        xloader
  C:\Users\Admin\AppData\Roaming\bin.exe                                        xloader
  behavioral1/memory/1964-73-0x0000000000080000-0x00000000000A8000-memory.dmp  xloader

Blocklisted process makes network request (17 IoCs)
  wscript.exe (PID 1996), network flows 7, 8, 11, 17, 21, 25, 31, 34, 39, 42, 45, 48, 50, 51, 57, 61, 64

Executes dropped EXE (1 IoC)
  bin.exe (PID 1764)

Drops startup file (2 IoCs)
  wscript.exe: File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\abQJTxmwNy.js
  wscript.exe: File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\abQJTxmwNy.js

Adds Run key to start application (2 TTPs, 2 IoCs)
  wscript.exe: Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run
  wscript.exe: Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "C:\Users\Admin\AppData\Roaming\abQJTxmwNy.js"
  The value is the bare, quoted path of the script, so at logon it runs through the .js file association (WScript by default). Together with the Startup-folder copy, the same script is set to launch twice at logon.

Suspicious use of SetThreadContext (2 IoCs)
  PID 1764 (bin.exe) set thread context of PID 1244 (Explorer.EXE)
  PID 1964 (raserver.exe) set thread context of PID 1244 (Explorer.EXE)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  The "likely ransomware" wording is the sandbox's generic description of this signature. Nothing else in this report supports it: the payload identified by YARA is XLoader, an information stealer, and no file encryption or ransom note is recorded.

Suspicious behavior: EnumeratesProcesses (30 IoCs)
  bin.exe (PID 1764) x2; raserver.exe (PID 1964) x28

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Explorer.EXE (PID 1244)

Suspicious behavior: MapViewOfSection (5 IoCs)
  bin.exe (PID 1764) x3; raserver.exe (PID 1964) x2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  bin.exe (PID 1764)
  Token: SeDebugPrivilege  raserver.exe (PID 1964)

Suspicious use of FindShellTrayWindow (4 IoCs)
  Explorer.EXE (PID 1244) x4

Suspicious use of SendNotifyMessage (4 IoCs)
  Explorer.EXE (PID 1244) x4

Suspicious use of WriteProcessMemory (15 IoCs)
  PID 1736 (wscript.exe)  wrote to memory of PID 1996 (wscript.exe)   x3
  PID 1736 (wscript.exe)  wrote to memory of PID 1764 (bin.exe)       x4
  PID 1244 (Explorer.EXE) wrote to memory of PID 1964 (raserver.exe)  x4
  PID 1964 (raserver.exe) wrote to memory of PID 1108 (cmd.exe)       x4
  The entries attributed to Explorer.EXE (GetForegroundWindow polling, FindShellTrayWindow, SendNotifyMessage and the four writes into raserver.exe) follow bin.exe setting a thread context in Explorer: they are the injected payload running inside Explorer and launching raserver.exe, not Explorer's own behaviour.
Processes

C:\Windows\Explorer.EXE  (PID 1244)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\wscript.exe  (PID 1736)
    command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Invoice remittance 52286.js"
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\wscript.exe  (PID 1996)
      command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\abQJTxmwNy.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application

    C:\Users\Admin\AppData\Roaming\bin.exe  (PID 1764)
      command line: "C:\Users\Admin\AppData\Roaming\bin.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\raserver.exe  (PID 1964)
    command line: "C:\Windows\SysWOW64\raserver.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 1108)
      command line: /c del "C:\Users\Admin\AppData\Roaming\bin.exe"

PIDs are taken from the signature tables above. Read as a chain: wscript.exe runs the lure script, writes abQJTxmwNy.js to %APPDATA% and relaunches it silently (//B) for persistence and network activity, and drops and runs bin.exe; bin.exe injects into Explorer.EXE; the injected code starts raserver.exe from SysWOW64 (a 32-bit system binary on the x64 guest), which becomes the resident XLoader process (its memory dump matches the xloader YARA rule) and deletes the original bin.exe through cmd.exe.
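Host-side detection for the chain shown in the tree above (Run-key and Startup-folder .js persistence, a silent wscript //B launch, a script host starting an EXE from AppData, and the cmd /c del cleanup spawned from an Explorer child), as an added example that is not part of the report. The event records are constructed from the PIDs, images, command lines, registry value and paths the report lists; the event field names and the rule names are this example's own.

```python
"""Detection rules for the persistence and injection chain in the process
tree above, run over constructed host events.  Added example, not part of
the report.  PIDs, images, command lines, registry value and dropped paths
are the ones the report shows; event field names and rule names are this
example's own.
"""
import re
from os.path import basename

SCRIPT_EXT = re.compile(r"\.(?:js|jse|vbs|vbe|wsf|wsh|hta)\b", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
APPDATA_EXE = re.compile(r"\\AppData\\(?:Roaming|Local)\\.*\.exe$", re.I)
SYSTEM_DIR = re.compile(r"\\Windows\\(?:SysWOW64|System32)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any OS)."""
    return basename(path.replace("\\", "/")).lower()


def rule_run_key_script(ev, procs):
    """Run-key value whose data is a script file."""
    return (ev["type"] == "registry" and RUN_KEY.search(ev["key"]) is not None
            and SCRIPT_EXT.search(ev["data"]) is not None)


def rule_startup_folder_script(ev, procs):
    """Script file written into a Startup folder."""
    return (ev["type"] == "file" and STARTUP_DIR.search(ev["path"]) is not None
            and SCRIPT_EXT.search(ev["path"]) is not None)


def rule_silent_script_from_appdata(ev, procs):
    """wscript/cscript started with //B (no dialogs) on a script under AppData."""
    if ev["type"] != "process" or _base(ev["image"]) not in SCRIPT_HOSTS:
        return False
    cl = ev["cmdline"].lower()
    return "//b" in cl and "\\appdata\\" in cl


def rule_script_host_spawns_appdata_exe(ev, procs):
    """A script host starting an executable dropped under AppData."""
    if ev["type"] != "process":
        return False
    parent = procs.get(ev["ppid"])
    return (parent is not None and _base(parent["image"]) in SCRIPT_HOSTS
            and APPDATA_EXE.search(ev["image"]) is not None)


def rule_self_delete_under_explorer_child(ev, procs):
    """cmd /c del of an AppData file, spawned by a system binary that Explorer
    started: the dropper cleanup that follows the injection into Explorer."""
    if ev["type"] != "process" or _base(ev["image"]) != "cmd.exe":
        return False
    cl = ev["cmdline"].lower()
    if not re.search(r"/c\s+del\b", cl) or "\\appdata\\" not in cl:
        return False
    parent = procs.get(ev["ppid"])
    grand = procs.get(parent["ppid"]) if parent else None
    return (parent is not None and grand is not None
            and SYSTEM_DIR.search(parent["image"]) is not None
            and _base(parent["image"]) != "cmd.exe"
            and _base(grand["image"]) == "explorer.exe")


RULES = [rule_run_key_script, rule_startup_folder_script,
         rule_silent_script_from_appdata, rule_script_host_spawns_appdata_exe,
         rule_self_delete_under_explorer_child]


def run_rules(events):
    """Return sorted (rule name, pid) pairs for every event a rule matches."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    return sorted({(r.__name__, ev["pid"]) for ev in events for r in RULES
                   if r(ev, procs)})


EVENTS = [  # constructed from the report's process tree and signature tables
    {"type": "process", "pid": 1244, "ppid": 0, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"type": "process", "pid": 1736, "ppid": 1244, "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\Invoice remittance 52286.js"'},
    {"type": "process", "pid": 1996, "ppid": 1736, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\abQJTxmwNy.js"'},
    {"type": "registry", "pid": 1996,
     "key": r"\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "SEJOKAOI5S", "data": r'"C:\Users\Admin\AppData\Roaming\abQJTxmwNy.js"'},
    {"type": "file", "pid": 1996,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\abQJTxmwNy.js"},
    {"type": "process", "pid": 1764, "ppid": 1736, "image": r"C:\Users\Admin\AppData\Roaming\bin.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\bin.exe"'},
    {"type": "process", "pid": 1964, "ppid": 1244, "image": r"C:\Windows\SysWOW64\raserver.exe",
     "cmdline": r'"C:\Windows\SysWOW64\raserver.exe"'},
    {"type": "process", "pid": 1108, "ppid": 1964, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Users\Admin\AppData\Roaming\bin.exe"'},
]
```

`run_rules(EVENTS)` yields five hits, three on the silent wscript instance (PID 1996), one on bin.exe and one on the cmd.exe cleanup. The last rule needs parent and grandparent lineage, which is why the process table is built before any rule runs; a Sysmon or EDR feed supplies the same fields under its own names.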
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\abQJTxmwNy.js
  MD5:    3f7b92769fc59d8adc125b4d4e8adee4
  SHA1:   b3ea6913dcf3681572a1db1f429cc5e1e49b060e
  SHA256: e1fccde6528046c2c1e41096085c199efaddc1393d42f6696165aeec43c9a209
  SHA512: 659caad97e885af9d5f2dece465873b517fc34a5c67f5f0aba08b9ef868cca57fe025ed9979bd0933e46ee45792d5b424bd99a24c4449c5b739f17e0b6bdf01f

C:\Users\Admin\AppData\Roaming\bin.exe
  MD5:    79d02002f7841dceae1bc53186c94b67
  SHA1:   3bf5dc0017d1239d962a80d48236c785b56cb78a
  SHA256: 251a226acb74675f4650739fd13adb1c1b468e53936ccc6385dbbdacb5220ade
  SHA512: abc48c2c32ef4eef177c9904fd162cf65c98fe180e2435c3e9fd22506a400eb43f576a7731de02fc50dcfdafc59047695c4b1e74d8863e1c58c422ad7363a17e

Memory dumps
  memory/1108-71-0x0000000000000000-mapping.dmp
  memory/1244-76-0x0000000003BB0000-0x0000000003C48000-memory.dmp  Filesize: 608KB
  memory/1244-67-0x0000000002980000-0x0000000002A3A000-memory.dmp  Filesize: 744KB
  memory/1736-60-0x000007FEFC031000-0x000007FEFC033000-memory.dmp  Filesize: 8KB
  memory/1764-63-0x0000000000000000-mapping.dmp
  memory/1764-66-0x00000000000A0000-0x00000000000B0000-memory.dmp  Filesize: 64KB
  memory/1764-65-0x0000000000900000-0x0000000000C03000-memory.dmp  Filesize: 3.0MB
  memory/1964-68-0x0000000000000000-mapping.dmp
  memory/1964-69-0x0000000075551000-0x0000000075553000-memory.dmp  Filesize: 8KB
  memory/1964-74-0x0000000000B40000-0x0000000000E43000-memory.dmp  Filesize: 3.0MB
  memory/1964-73-0x0000000000080000-0x00000000000A8000-memory.dmp  Filesize: 160KB  (the region that matched the xloader YARA rule)
  memory/1964-72-0x0000000000FD0000-0x0000000000FEC000-memory.dmp  Filesize: 112KB
  memory/1964-75-0x00000000002E0000-0x000000000036F000-memory.dmp  Filesize: 572KB
  memory/1996-61-0x0000000000000000-mapping.dmp