Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10_x64
- resource: win10-en
- submitted: 15-09-2021 06:52
- Static task: static1
- Behavioral task: behavioral1
- Sample: Unpaid invoice.exe
- Resource: win7v20210408
General
- Target: Unpaid invoice.exe
- Size: 548KB
- MD5: 3ade5b9b508051cc39c1c610f4af5a12
- SHA1: 662056878a2b1fb1e99d1f74bb0e8694904fdccd
- SHA256: 207dff33f6f91f114deae60a6cb3a404a5f40bc607fb6015f680c8980af7ac16
- SHA512: a99f9f23663bc09fca19a96968a15014679e8bbe2bb4a6f64897a34b86faf72848af138b4dbdcda1ef19d4e2488e81dc447c50af5e05f2c67cf7521b070c3d0f
Malware Config
Extracted
- Family: xloader
- Version: 2.3
- Campaign: b6cu
- C2: http://www.allfyllofficial.com/b6cu/
- Decoy domains:
  sxdiyan.com
  web0084.com
  cpafirmspokane.com
  la-bio-geo.com
  chacrit.com
  stuntfighting.com
  rjsworkshop.com
  themillennialsfinest.com
  thefrontrealestate.com
  chairmn.com
  best1korea.com
  gudssutu.icu
  backupchip.net
  shrikanthamimports.com
  sportrecoverysleeve.com
  healthy-shack.com
  investperwear.com
  intertradeperu.com
  resonantonshop.com
  greghugheslaw.com
  instrumentum.store
  creative-cloud.info
  sansfoundations.com
  pmca.asia
  night.doctor
  19v5.com
  cmas.life
  yhanlikho.com
  kartikpatelrealtor.com
  viralpagi.com
  samsonengineeringco.com
  mh666.cool
  laboratoriosjj.com
  produklokal.com
  tjhysb.com
  solutions-oigroup.com
  chictarh.com
  gotmail.info
  yourvalue.online
  mylinkreview.com
  champonpowerequipment.com
  starcoupeownersindonesia.com
  buzagialtligi.com
  botol2-lasdnk.com
  blunss.info
  l3-construction.com
  fmodesign.com
  silkraga.com
  editimpact.com
  unionairjordanla.com
  lacageavin.com
  gushixiu.com
  cleanlast.com
  awvpvkmzxa.com
  xiaosandao.com
  nldcostmetics.com
  prosperitywithsoul.com
  kheticulture.com
  booksbykimberlyeandco.com
  creativehughes.com
  mobilewz.com
  arerasols.com
  w-hanaemi-personal.com
  dynamonetwork.com
Signatures
-
Xloader Payload (3 IoCs)
  resource / yara_rule:
  behavioral2/memory/3924-126-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
  behavioral2/memory/3924-127-0x000000000041D0B0-mapping.dmp  xloader
  behavioral2/memory/3996-133-0x0000000000DD0000-0x0000000000DF9000-memory.dmp  xloader
-
Suspicious use of SetThreadContext (3 IoCs)
  PID 3332 (Unpaid invoice.exe) set thread context of PID 3924 (Unpaid invoice.exe)
  PID 3924 (Unpaid invoice.exe) set thread context of PID 2112 (Explorer.EXE)
  PID 3996 (cmd.exe) set thread context of PID 2112 (Explorer.EXE)
-
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class (2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance  (Explorer.EXE)
  Key created: \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance  (Explorer.EXE)
-
Suspicious behavior: EnumeratesProcesses (46 IoCs)
  PID 3332 Unpaid invoice.exe  (2 hits)
  PID 3924 Unpaid invoice.exe  (4 hits)
  PID 3996 cmd.exe  (40 hits)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  PID 2112 Explorer.EXE
-
Suspicious behavior: MapViewOfSection (5 IoCs)
  PID 3924 Unpaid invoice.exe  (3 hits)
  PID 3996 cmd.exe  (2 hits)
-
Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Token: SeDebugPrivilege  PID 3332 Unpaid invoice.exe
  Token: SeDebugPrivilege  PID 3924 Unpaid invoice.exe
  Token: SeDebugPrivilege  PID 3996 cmd.exe
  Token: SeShutdownPrivilege  PID 2112 Explorer.EXE  (8 hits)
  Token: SeCreatePagefilePrivilege  PID 2112 Explorer.EXE  (8 hits)
-
Suspicious use of FindShellTrayWindow (8 IoCs)
  PID 2112 Explorer.EXE  (8 hits)
-
Suspicious use of WriteProcessMemory (15 IoCs)
  PID 3332 (Unpaid invoice.exe) wrote to memory of PID 2656 (schtasks.exe)  (3 hits)
  PID 3332 (Unpaid invoice.exe) wrote to memory of PID 3924 (Unpaid invoice.exe)  (6 hits)
  PID 2112 (Explorer.EXE) wrote to memory of PID 3996 (cmd.exe)  (3 hits)
  PID 3996 (cmd.exe) wrote to memory of PID 3848 (cmd.exe)  (3 hits)
Processes
-
C:\Windows\Explorer.EXE  (depth 1)
  command line: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Unpaid invoice.exe  (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Unpaid invoice.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  (depth 3)
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NBYchW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9E0B.tmp"
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\Temp\Unpaid invoice.exe  (depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\Unpaid invoice.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe  (depth 2)
    command line: "C:\Windows\SysWOW64\cmd.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (depth 3)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Unpaid invoice.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2112-130-0x0000000000CA0000-0x0000000000DE5000-memory.dmp  (Filesize 1.3MB)
- memory/2112-137-0x0000000005200000-0x0000000005314000-memory.dmp  (Filesize 1.1MB)
- memory/2656-125-0x0000000000000000-mapping.dmp
- memory/3332-119-0x0000000005770000-0x0000000005771000-memory.dmp  (Filesize 4KB)
- memory/3332-120-0x0000000005850000-0x0000000005D4E000-memory.dmp  (Filesize 5.0MB)
- memory/3332-121-0x0000000005A60000-0x0000000005A61000-memory.dmp  (Filesize 4KB)
- memory/3332-122-0x0000000005780000-0x0000000005787000-memory.dmp  (Filesize 28KB)
- memory/3332-123-0x00000000064B0000-0x000000000650E000-memory.dmp  (Filesize 376KB)
- memory/3332-124-0x0000000008A00000-0x0000000008A2A000-memory.dmp  (Filesize 168KB)
- memory/3332-118-0x0000000005850000-0x0000000005851000-memory.dmp  (Filesize 4KB)
- memory/3332-115-0x0000000000EC0000-0x0000000000EC1000-memory.dmp  (Filesize 4KB)
- memory/3332-117-0x0000000005D50000-0x0000000005D51000-memory.dmp  (Filesize 4KB)
- memory/3848-135-0x0000000000000000-mapping.dmp
- memory/3924-126-0x0000000000400000-0x0000000000429000-memory.dmp  (Filesize 164KB)
- memory/3924-128-0x0000000001500000-0x0000000001820000-memory.dmp  (Filesize 3.1MB)
- memory/3924-129-0x0000000000F60000-0x0000000000F70000-memory.dmp  (Filesize 64KB)
- memory/3924-127-0x000000000041D0B0-mapping.dmp
- memory/3996-131-0x0000000000000000-mapping.dmp
- memory/3996-133-0x0000000000DD0000-0x0000000000DF9000-memory.dmp  (Filesize 164KB)
- memory/3996-132-0x0000000001230000-0x0000000001289000-memory.dmp  (Filesize 356KB)
- memory/3996-134-0x00000000037C0000-0x0000000003AE0000-memory.dmp  (Filesize 3.1MB)
- memory/3996-136-0x0000000003AE0000-0x0000000003B6F000-memory.dmp  (Filesize 572KB)