Payment Copy.exe

General

Target: Payment Copy.exe
Filesize: 258KB
Completed: 24-09-2021 12:04
Score: 10/10
MD5: 0d6e0449a278b6971826e0da856aed38
SHA1: f95ea74f5d687eaedc24a2abadb77229e4918698
SHA256: 2dc7525f9ee6e09a25f840b457bf5b0ba228c4697e1f3d4b81bd2964d2eafc61

Malware Config

Extracted

Family: xloader
Version: 2.5
Campaign: b2c0
C2

http://www.thesewhitevvalls.com/b2c0/

Decoy

bjyxszd520.xyz

hsvfingerprinting.com

elliotpioneer.com

bf396.com

chinaopedia.com

6233v.com

shopeuphoricapparel.com

loccssol.store

truefictionpictures.com

playstarexch.com

peruviancoffee.store

shobhajoshi.com

philme.net

avito-rules.com

independencehomecenters.com

atp-cayenne.com

invetorsbank.com

sasanos.com

scentfreebnb.com

catfuid.com

sunshinefamilysupport.com

madison-co-atty.net

newhousebr.com

newstodayupdate.com

kamalaanjna.com

itpronto.com

hi-loentertainment.com

sadpartyrentals.com

vertuminy.com

khomayphotocopy.club

roleconstructora.com

cottonhome.online

starsspell.com

bedrijfs-kledingshop.com

aydeyahouse.com

miaintervista.com

taolemix.com

lnagvv.space

bjmobi.com

collabkc.art

onayli.net

ecostainable.com

vi88.info

brightlifeprochoice.com

taoluzhibo.info

techgobble.com

ideemimarlikinsaat.com

andajzx.com

shineshaft.website

arroundworld.com

Signatures (10)

Discovery
  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload

    Tags

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/2516-116-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
    behavioral2/memory/2516-117-0x000000000041D4C0-mapping.dmp | xloader
    behavioral2/memory/2656-123-0x0000000000670000-0x0000000000699000-memory.dmp | xloader
  • Loads dropped DLL
    Payment Copy.exe

    Reported IOCs

    pid | process
    2300 | Payment Copy.exe
  • Suspicious use of SetThreadContext
    Payment Copy.exe, Payment Copy.exe, msdt.exe

    Reported IOCs

    description | pid | process | target process
    PID 2300 set thread context of 2516 | 2300 | Payment Copy.exe | Payment Copy.exe
    PID 2516 set thread context of 3064 | 2516 | Payment Copy.exe | Explorer.EXE
    PID 2656 set thread context of 3064 | 2656 | msdt.exe | Explorer.EXE
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious behavior: EnumeratesProcesses
    Payment Copy.exe, msdt.exe

    Reported IOCs

    pid | process
    2516 | Payment Copy.exe (4 identical events)
    2656 | msdt.exe (58 identical events)
  • Suspicious behavior: GetForegroundWindowSpam
    Explorer.EXE

    Reported IOCs

    pid | process
    3064 | Explorer.EXE
  • Suspicious behavior: MapViewOfSection
    Payment Copy.exe, msdt.exe

    Reported IOCs

    pid | process
    2516 | Payment Copy.exe (3 identical events)
    2656 | msdt.exe (2 identical events)
  • Suspicious use of AdjustPrivilegeToken
    Payment Copy.exe, msdt.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 2516 | Payment Copy.exe
    Token: SeDebugPrivilege | 2656 | msdt.exe
  • Suspicious use of WriteProcessMemory
    Payment Copy.exe, Explorer.EXE, msdt.exe

    Reported IOCs

    description | pid | process | target process
    PID 2300 wrote to memory of 2516 | 2300 | Payment Copy.exe | Payment Copy.exe (6 identical events)
    PID 3064 wrote to memory of 2656 | 3064 | Explorer.EXE | msdt.exe (3 identical events)
    PID 2656 wrote to memory of 2704 | 2656 | msdt.exe | cmd.exe (3 identical events)
Processes (5)
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe
      "C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe"
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe
        "C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe"
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        PID:2516
    • C:\Windows\SysWOW64\msdt.exe
      "C:\Windows\SysWOW64\msdt.exe"
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2656
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Payment Copy.exe"
        PID:2704
Network
Downloads
  • \Users\Admin\AppData\Local\Temp\nsc8DDF.tmp\ebzkw.dll
    MD5: 7925977982a97c0de2c1a34af37282a8
    SHA1: 26b7a9bf3f1937b4153750572ca18849f56dc41c
    SHA256: 14f0db931a3190b4e1cc5b960cea71a1298d87ef7466bb6c24631542a2b38eed
    SHA512: cb85b54c3da4a09acf26a63626880dcc4ae831d7fa77659a777aa5c2b8a91d6f96b0d70bae78b2ec6d60456869ba78847b2823f39fd6ff1b206ad06df9743623
  • memory/2516-119-0x0000000000AC0000-0x0000000000AD1000-memory.dmp
  • memory/2516-116-0x0000000000400000-0x0000000000429000-memory.dmp
  • memory/2516-117-0x000000000041D4C0-mapping.dmp
  • memory/2516-118-0x0000000000B90000-0x0000000000EB0000-memory.dmp
  • memory/2656-121-0x0000000000000000-mapping.dmp
  • memory/2656-125-0x0000000004800000-0x0000000004B20000-memory.dmp
  • memory/2656-122-0x0000000000820000-0x0000000000993000-memory.dmp
  • memory/2656-123-0x0000000000670000-0x0000000000699000-memory.dmp
  • memory/2656-126-0x00000000045D0000-0x0000000004660000-memory.dmp
  • memory/2704-124-0x0000000000000000-mapping.dmp
  • memory/3064-120-0x00000000027A0000-0x0000000002865000-memory.dmp
  • memory/3064-127-0x0000000005E20000-0x0000000005F9A000-memory.dmp