Analysis
- max time kernel: 156s
- max time network: 184s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 15-09-2021 06:52
Static task: static1
Behavioral task: behavioral1
- Sample: Unpaid invoice.exe
- Resource: win7v20210408
General
- Target: Unpaid invoice.exe
- Size: 548KB
- MD5: 3ade5b9b508051cc39c1c610f4af5a12
- SHA1: 662056878a2b1fb1e99d1f74bb0e8694904fdccd
- SHA256: 207dff33f6f91f114deae60a6cb3a404a5f40bc607fb6015f680c8980af7ac16
- SHA512: a99f9f23663bc09fca19a96968a15014679e8bbe2bb4a6f64897a34b86faf72848af138b4dbdcda1ef19d4e2488e81dc447c50af5e05f2c67cf7521b070c3d0f
Malware Config
Extracted
- Family: xloader
- Version: 2.3
- Campaign: b6cu
- C2: http://www.allfyllofficial.com/b6cu/
- Decoy domains (the rest of the configured domain list; the family contacts these alongside the real server, so the configuration alone does not tell you which host is live):
sxdiyan.com
web0084.com
cpafirmspokane.com
la-bio-geo.com
chacrit.com
stuntfighting.com
rjsworkshop.com
themillennialsfinest.com
thefrontrealestate.com
chairmn.com
best1korea.com
gudssutu.icu
backupchip.net
shrikanthamimports.com
sportrecoverysleeve.com
healthy-shack.com
investperwear.com
intertradeperu.com
resonantonshop.com
greghugheslaw.com
instrumentum.store
creative-cloud.info
sansfoundations.com
pmca.asia
night.doctor
19v5.com
cmas.life
yhanlikho.com
kartikpatelrealtor.com
viralpagi.com
samsonengineeringco.com
mh666.cool
laboratoriosjj.com
produklokal.com
tjhysb.com
solutions-oigroup.com
chictarh.com
gotmail.info
yourvalue.online
mylinkreview.com
champonpowerequipment.com
starcoupeownersindonesia.com
buzagialtligi.com
botol2-lasdnk.com
blunss.info
l3-construction.com
fmodesign.com
silkraga.com
editimpact.com
unionairjordanla.com
lacageavin.com
gushixiu.com
cleanlast.com
awvpvkmzxa.com
xiaosandao.com
nldcostmetics.com
prosperitywithsoul.com
kheticulture.com
booksbykimberlyeandco.com
creativehughes.com
mobilewz.com
arerasols.com
w-hanaemi-personal.com
dynamonetwork.com
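The domain list above is only useful once it is matched against traffic. The Python below is an added example, not part of the sandbox report or of any vendor tooling: it loads the extracted fields (campaign id, C2 URL, decoy domains; only the first ten decoys are embedded here, the full list is in the report), normalises hosts so that bare domains compare equal to what a proxy logs, and scans constructed proxy log lines. The "campaign-path" check assumes the campaign id is used as the URI path on every host in the list, which is how the C2 URL in this config is formed; treat a path-only match on an unknown host as a lead, not a verdict.

```python
"""Match proxy log lines against the XLoader configuration extracted above.

Added example, not part of the sandbox report. The config fields
(campaign id, C2 URL, decoy domains) are copied from the report; only a
subset of the decoys is embedded to keep the block short, and the proxy
log lines are constructed for the demonstration.
"""
import re
from urllib.parse import urlsplit

CONFIG = {
    "family": "xloader",
    "version": "2.3",
    "campaign": "b6cu",
    "c2": "http://www.allfyllofficial.com/b6cu/",
    # first ten decoys from the report (subset of the full list)
    "decoys": [
        "sxdiyan.com", "web0084.com", "cpafirmspokane.com", "la-bio-geo.com",
        "chacrit.com", "stuntfighting.com", "rjsworkshop.com",
        "themillennialsfinest.com", "thefrontrealestate.com", "chairmn.com",
    ],
}


def normalize_host(host):
    """Lower-case, drop a trailing dot and a leading 'www.' so the config's
    bare domains compare equal to the hosts a proxy records."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def indicator_domains(config):
    """Every domain the sample may contact: the C2 host plus all decoys."""
    c2_host = normalize_host(urlsplit(config["c2"]).hostname)
    return {c2_host} | {normalize_host(d) for d in config["decoys"]}


def classify_url(url, config):
    """Return the reasons a single URL matches the config, strongest first."""
    parts = urlsplit(url)
    host = normalize_host(parts.hostname)
    c2_host = normalize_host(urlsplit(config["c2"]).hostname)
    reasons = []
    if host == c2_host:
        reasons.append("c2-host")
    elif host in indicator_domains(config):
        reasons.append("decoy-domain")
    # Assumption: the campaign id is the URI path on every host in the list
    # (as in the C2 URL), so a path match alone is worth a look on any host.
    if parts.path.rstrip("/") == "/" + config["campaign"]:
        reasons.append("campaign-path")
    return reasons


# constructed log format: timestamp client method url status
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def scan(log_text, config):
    """One hit per log line whose URL matches the config."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        _ts, src, _method, url, _status = m.groups()
        reasons = classify_url(url, config)
        if reasons:
            hits.append({"line": lineno, "src": src, "url": url, "reasons": reasons})
    return hits


# constructed proxy log lines for the demonstration
LOG = """\
2021-09-15T06:53:10Z 10.0.0.25 GET http://www.allfyllofficial.com/b6cu/?q=1 200
2021-09-15T06:53:11Z 10.0.0.25 GET http://www.sxdiyan.com/b6cu/ 404
2021-09-15T06:53:12Z 10.0.0.25 GET http://unrelated.example/b6cu/ 200
2021-09-15T06:53:13Z 10.0.0.25 GET https://www.microsoft.com/en-us/ 200
2021-09-15T06:53:14Z 10.0.0.26 GET http://cpafirmspokane.com/contact 200
"""

if __name__ == "__main__":
    for hit in scan(LOG, CONFIG):
        print(hit)
```

Running it flags lines 1, 2, 3 and 5 of the constructed log: the C2 host with the campaign path, a decoy with the campaign path, an unknown host with the campaign path only, and a decoy hit on an unrelated path. The Microsoft line is left alone.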
Signatures

Xloader Payload (3 IoCs)
resource | yara_rule
behavioral1/memory/608-68-0x000000000041D0B0-mapping.dmp | xloader
behavioral1/memory/608-67-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral1/memory/1360-78-0x00000000000D0000-0x00000000000F9000-memory.dmp | xloader

Deletes itself (1 IoC)
pid | process
1660 | cmd.exe

Suspicious use of SetThreadContext (4 IoCs)
description | pid | process | target process
PID 1812 set thread context of 608 | 1812 | Unpaid invoice.exe | Unpaid invoice.exe
PID 608 set thread context of 1212 | 608 | Unpaid invoice.exe | Explorer.EXE
PID 608 set thread context of 1212 | 608 | Unpaid invoice.exe | Explorer.EXE
PID 1360 set thread context of 1212 | 1360 | msdt.exe | Explorer.EXE
Read together with the WriteProcessMemory table below: 1812 spawns a second copy of itself (608), writes into it and resets its thread context (process hollowing); 608 and later msdt.exe (1360) both set a thread context inside Explorer.EXE (1212).

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's description of this signature calls it likely ransomware behaviour; that is the generic text for the heuristic, and nothing else in this report (no file encryption, no ransom note) supports it for this sample, whose payload is identified as XLoader.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is created from an XML definition dropped in the user's Temp directory: schtasks.exe /Create /TN "Updates\NBYchW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC62C.tmp" (see the process tree).

Suspicious behavior: EnumeratesProcesses (23 IoCs)
pid | process | count
1812 | Unpaid invoice.exe | 2
608 | Unpaid invoice.exe | 3
1360 | msdt.exe | 18

Suspicious behavior: MapViewOfSection (6 IoCs)
pid | process | count
608 | Unpaid invoice.exe | 4
1360 | msdt.exe | 2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | process
Token: SeDebugPrivilege | 1812 | Unpaid invoice.exe
Token: SeDebugPrivilege | 608 | Unpaid invoice.exe
Token: SeDebugPrivilege | 1360 | msdt.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
pid | process | count
1212 | Explorer.EXE | 4

Suspicious use of SendNotifyMessage (4 IoCs)
pid | process | count
1212 | Explorer.EXE | 4

Suspicious use of WriteProcessMemory (19 IoCs)
description | pid | process | target process | count
PID 1812 wrote to memory of 1620 | 1812 | Unpaid invoice.exe | schtasks.exe | 4
PID 1812 wrote to memory of 608 | 1812 | Unpaid invoice.exe | Unpaid invoice.exe | 7
PID 1212 wrote to memory of 1360 | 1212 | Explorer.EXE | msdt.exe | 4
PID 1360 wrote to memory of 1660 | 1360 | msdt.exe | cmd.exe | 4
Processes
(depth markers as in the original tree; PIDs taken from the signature tables above)

1⤵ C:\Windows\Explorer.EXE (PID 1212)
   command line: C:\Windows\Explorer.EXE
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

  2⤵ C:\Users\Admin\AppData\Local\Temp\Unpaid invoice.exe (PID 1812)
     command line: "C:\Users\Admin\AppData\Local\Temp\Unpaid invoice.exe"
     - Suspicious use of SetThreadContext
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory

    3⤵ C:\Windows\SysWOW64\schtasks.exe (PID 1620)
       command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NBYchW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC62C.tmp"
       - Creates scheduled task(s)
       (the command line names System32 but the image ran from SysWOW64: the 32-bit parent is subject to WOW64 file-system redirection)

    3⤵ C:\Users\Admin\AppData\Local\Temp\Unpaid invoice.exe (PID 608)
       command line: "C:\Users\Admin\AppData\Local\Temp\Unpaid invoice.exe"
       - Suspicious use of SetThreadContext
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious behavior: MapViewOfSection
       - Suspicious use of AdjustPrivilegeToken

  2⤵ C:\Windows\SysWOW64\msdt.exe (PID 1360)
     command line: "C:\Windows\SysWOW64\msdt.exe"
     - Suspicious use of SetThreadContext
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious behavior: MapViewOfSection
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory

    3⤵ C:\Windows\SysWOW64\cmd.exe (PID 1660)
       command line: /c del "C:\Users\Admin\AppData\Local\Temp\Unpaid invoice.exe"
       - Deletes itself
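The signature tables and the process tree together describe one injection chain. The Python below is an added example, not anything from the report or from a vendor product: it transcribes the report's edges (one entry per distinct parent/target pair, in the order the report lists them) into a small event list and applies the checks an analyst would want as detections over such telemetry: a process hollowing a copy of itself, SetThreadContext into Explorer, children spawned by the injected Explorer, a scheduled task defined from an XML file under the user's Temp directory, and cmd.exe deleting the original sample. Image names, PIDs and command lines are the report's; the event shape is the only assumption.

```python
"""Reconstruct the injection chain in the report above from sandbox events.

Added example, not part of the sandbox report. The events are transcribed
from the report's SetThreadContext, WriteProcessMemory and process-tree
tables; the Event record layout is an assumption of this example.
"""
import json
import re
from collections import namedtuple

Event = namedtuple("Event", "kind pid image target_pid target_image cmdline")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Unpaid invoice.exe"

EVENTS = [
    Event("create", 1212, "explorer.exe", 1812, "unpaid invoice.exe", f'"{SAMPLE}"'),
    Event("write_memory", 1812, "unpaid invoice.exe", 1620, "schtasks.exe", ""),
    Event("create", 1812, "unpaid invoice.exe", 1620, "schtasks.exe",
          r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NBYchW" '
          r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpC62C.tmp"'),
    Event("create", 1812, "unpaid invoice.exe", 608, "unpaid invoice.exe", f'"{SAMPLE}"'),
    Event("write_memory", 1812, "unpaid invoice.exe", 608, "unpaid invoice.exe", ""),
    Event("set_thread_context", 1812, "unpaid invoice.exe", 608, "unpaid invoice.exe", ""),
    Event("set_thread_context", 608, "unpaid invoice.exe", 1212, "explorer.exe", ""),
    Event("write_memory", 1212, "explorer.exe", 1360, "msdt.exe", ""),
    Event("create", 1212, "explorer.exe", 1360, "msdt.exe", r'"C:\Windows\SysWOW64\msdt.exe"'),
    Event("set_thread_context", 1360, "msdt.exe", 1212, "explorer.exe", ""),
    Event("write_memory", 1360, "msdt.exe", 1660, "cmd.exe", ""),
    Event("create", 1360, "msdt.exe", 1660, "cmd.exe", f'/c del "{SAMPLE}"'),
]


def find_self_hollowing(events):
    """Parent spawns a copy of its own image and then rewrites that child's
    thread context: the create / WriteProcessMemory / SetThreadContext
    hollowing sequence. Returns (parent_pid, child_pid) pairs."""
    same_image_children = {(e.pid, e.target_pid) for e in events
                           if e.kind == "create" and e.image == e.target_image}
    return [(e.pid, e.target_pid) for e in events
            if e.kind == "set_thread_context"
            and (e.pid, e.target_pid) in same_image_children]


def find_explorer_injection(events):
    """PIDs of non-explorer processes that set a thread context in explorer.exe."""
    return sorted({e.pid for e in events
                   if e.kind == "set_thread_context"
                   and e.target_image == "explorer.exe"
                   and e.image != "explorer.exe"})


def find_children_of_injected_explorer(events):
    """Processes explorer.exe spawns after something has injected into it."""
    injected, hits = set(), []
    for e in events:
        if e.kind == "set_thread_context" and e.target_image == "explorer.exe":
            injected.add(e.target_pid)
        elif e.kind == "create" and e.pid in injected:
            hits.append((e.target_pid, e.target_image))
    return hits


TEMP_XML = re.compile(r'/XML\s+"[^"]*\\AppData\\Local\\Temp\\[^"]*"', re.I)


def find_temp_task_persistence(events):
    """schtasks /Create fed an XML task definition from the user's Temp dir."""
    return [e.target_pid for e in events
            if e.kind == "create" and e.target_image == "schtasks.exe"
            and "/create" in e.cmdline.lower() and TEMP_XML.search(e.cmdline)]


QUOTED_IMAGE = re.compile(r'^"([^"]+)"\s*$')
DEL_TARGET = re.compile(r'\bdel\s+"([^"]+)"', re.I)


def find_self_delete(events):
    """cmd.exe asked to delete the image of a process launched earlier."""
    launched = {m.group(1).lower() for e in events if e.kind == "create"
                for m in [QUOTED_IMAGE.match(e.cmdline)] if m}
    hits = []
    for e in events:
        if e.kind == "create" and e.target_image == "cmd.exe":
            m = DEL_TARGET.search(e.cmdline)
            if m and m.group(1).lower() in launched:
                hits.append((e.pid, m.group(1)))
    return hits


def report(events):
    """All findings keyed by check name."""
    return {
        "self_hollowing": find_self_hollowing(events),
        "explorer_injection": find_explorer_injection(events),
        "children_of_injected_explorer": find_children_of_injected_explorer(events),
        "temp_task_persistence": find_temp_task_persistence(events),
        "self_delete": find_self_delete(events),
    }


if __name__ == "__main__":
    print(json.dumps(report(EVENTS), indent=2))
```

On the report's events this yields hollowing of 608 by 1812, injections into Explorer from 608 and 1360, msdt.exe (1360) as a child of the injected Explorer, the schtasks task (1620) built from the Temp XML, and cmd.exe (spawned by 1360) deleting the original sample. The same checks apply unchanged to EDR telemetry that records cross-process writes and thread-context changes with parent and target image names.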
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps from the behavioral run)

dump | size
memory/608-69-0x0000000000820000-0x0000000000B23000-memory.dmp | 3.0MB
memory/608-70-0x0000000000080000-0x0000000000090000-memory.dmp | 64KB
memory/608-72-0x0000000000220000-0x0000000000230000-memory.dmp | 64KB
memory/608-67-0x0000000000400000-0x0000000000429000-memory.dmp | 164KB
memory/608-68-0x000000000041D0B0-mapping.dmp | (mapping only)
memory/1212-81-0x00000000067B0000-0x00000000068D3000-memory.dmp | 1.1MB
memory/1212-71-0x0000000003E20000-0x0000000003EFF000-memory.dmp | 892KB
memory/1212-73-0x0000000004F40000-0x00000000050BA000-memory.dmp | 1.5MB
memory/1360-77-0x00000000008F0000-0x00000000009E4000-memory.dmp | 976KB
memory/1360-78-0x00000000000D0000-0x00000000000F9000-memory.dmp | 164KB
memory/1360-75-0x0000000075801000-0x0000000075803000-memory.dmp | 8KB
memory/1360-79-0x0000000002220000-0x0000000002523000-memory.dmp | 3.0MB
memory/1360-80-0x0000000001F50000-0x0000000001FDF000-memory.dmp | 572KB
memory/1360-74-0x0000000000000000-mapping.dmp | (mapping only)
memory/1620-66-0x0000000000000000-mapping.dmp | (mapping only)
memory/1660-76-0x0000000000000000-mapping.dmp | (mapping only)
memory/1812-60-0x0000000000D40000-0x0000000000D41000-memory.dmp | 4KB
memory/1812-65-0x0000000004690000-0x00000000046BA000-memory.dmp | 168KB
memory/1812-64-0x00000000051F0000-0x000000000524E000-memory.dmp | 376KB
memory/1812-63-0x00000000003F0000-0x00000000003F7000-memory.dmp | 28KB
memory/1812-62-0x0000000004BD0000-0x0000000004BD1000-memory.dmp | 4KB

The two 164KB dumps (608-67 at 0x400000 in the hollowed child and 1360-78 at 0xD0000 in msdt.exe) are the regions the xloader YARA rule matched in the Signatures section, i.e. the unpacked payload as it sits in each injected process; start there for static analysis of the final stage.