Analysis
-
max time kernel
359s -
max time network
341s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
24-09-2021 12:38
Static task
static1
Behavioral task
behavioral1
Sample
ledger.exe
Resource
win7-en-20210920
General
-
Target
ledger.exe
-
Size
746KB
-
MD5
bb7bbc40aef8439092e6345d3428c975
-
SHA1
9bf46b95ff700e57bc0e38d5133577bfad260ea2
-
SHA256
b194903f2fb1231113b2cffdd6cf47e25d4d9f99675654f70865b1f3d0a9160c
-
SHA512
a1ed9eac420f49c4e101ddfb84a1b148a2c05a0999553978528cc1976f3027325b0944c721696ddc1b73b68bcc9766dcb884414efae70543ae7023f34130632f
Malware Config
Extracted
xloader
2.3
n58i
http://www.biosonicmicrocurrent.com/n58i/
electrifyz.com
silkpetalz.net
cognitivenavigation.com
poophaikus.com
orchidiris.com
arteregalos.com
dailybookmarks.info
gogoanume.pro
hushmailgmx.com
trjisa.com
notontrend.com
2020polltax.com
orderhappy.club
panggabean.net
govsathi.com
hrsbxg.com
xvideotokyo.online
lotteplaze.com
lovecleanliveclean.com
swaphomeloans.net
arcadems.info
creatingstrongerathletes.com
follaproperties.com
i-postgram.com
bootybella.fitness
avtofan.net
bimbavbi.com
yourtravelsbuddy.com
laiofit.com
ofnick.com
2g6gc6zma9g.net
phamthanhdam.com
shopteve.com
add-fast.com
studioloungemke.com
maxtoutfitness.com
mapleway.systems
login-settings.com
affoshop.com
hupubets.com
3energyservices.com
ccmfonline.com
keyhousebuyers.com
curvecue.com
developerdevelopment.com
jamesdunnandsons.com
devyassine.com
dongyilove.com
alienpuran.com
tuolp.com
bidprosper.com
feerd.com
acmeproxy.com
thechoicemediagroup.com
inspirespeep.com
leesangsoon.com
highheatcards.com
xn--yk3b99erra.com
rawfasteners.com
alfaniyaa.com
bellesaesthetics.com
ccequityholdings.com
carrolpuppies.com
huttibazar.net
Signatures
-
Xloader Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/316-59-0x0000000000400000-0x0000000000428000-memory.dmp xloader behavioral1/memory/316-60-0x000000000041D040-mapping.dmp xloader behavioral1/memory/368-70-0x0000000000130000-0x0000000000158000-memory.dmp xloader -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 740 cmd.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
ledger.exeledger.execmstp.exedescription pid process target process PID 1392 set thread context of 316 1392 ledger.exe ledger.exe PID 316 set thread context of 1404 316 ledger.exe Explorer.EXE PID 316 set thread context of 1404 316 ledger.exe Explorer.EXE PID 368 set thread context of 1404 368 cmstp.exe Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
ledger.execmstp.exepid process 316 ledger.exe 316 ledger.exe 316 ledger.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe 368 cmstp.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1404 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
ledger.execmstp.exepid process 316 ledger.exe 316 ledger.exe 316 ledger.exe 316 ledger.exe 368 cmstp.exe 368 cmstp.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
ledger.execmstp.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 316 ledger.exe Token: SeDebugPrivilege 368 cmstp.exe Token: SeShutdownPrivilege 1404 Explorer.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1404 Explorer.EXE 1404 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1404 Explorer.EXE 1404 Explorer.EXE -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
ledger.exeExplorer.EXEcmstp.exedescription pid process target process PID 1392 wrote to memory of 316 1392 ledger.exe ledger.exe PID 1392 wrote to memory of 316 1392 ledger.exe ledger.exe PID 1392 wrote to memory of 316 1392 ledger.exe ledger.exe PID 1392 wrote to memory of 316 1392 ledger.exe ledger.exe PID 1392 wrote to memory of 316 1392 ledger.exe ledger.exe PID 1392 wrote to memory of 316 1392 ledger.exe ledger.exe PID 1392 wrote to memory of 316 1392 ledger.exe ledger.exe PID 1404 wrote to memory of 368 1404 Explorer.EXE cmstp.exe PID 1404 wrote to memory of 368 1404 Explorer.EXE cmstp.exe PID 1404 wrote to memory of 368 1404 Explorer.EXE cmstp.exe PID 1404 wrote to memory of 368 1404 Explorer.EXE cmstp.exe PID 1404 wrote to memory of 368 1404 Explorer.EXE cmstp.exe PID 1404 wrote to memory of 368 1404 Explorer.EXE cmstp.exe PID 1404 wrote to memory of 368 1404 Explorer.EXE cmstp.exe PID 368 wrote to memory of 740 368 cmstp.exe cmd.exe PID 368 wrote to memory of 740 368 cmstp.exe cmd.exe PID 368 wrote to memory of 740 368 cmstp.exe cmd.exe PID 368 wrote to memory of 740 368 cmstp.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ledger.exe"C:\Users\Admin\AppData\Local\Temp\ledger.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ledger.exe"C:\Users\Admin\AppData\Local\Temp\ledger.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmstp.exe"C:\Windows\SysWOW64\cmstp.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\ledger.exe"3⤵
- Deletes itself
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/316-64-0x00000000001A0000-0x00000000001B0000-memory.dmpFilesize
64KB
-
memory/316-59-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/316-61-0x0000000000950000-0x0000000000C53000-memory.dmpFilesize
3.0MB
-
memory/316-62-0x0000000000120000-0x0000000000130000-memory.dmpFilesize
64KB
-
memory/316-60-0x000000000041D040-mapping.dmp
-
memory/368-67-0x00000000751D1000-0x00000000751D3000-memory.dmpFilesize
8KB
-
memory/368-69-0x0000000002020000-0x0000000002323000-memory.dmpFilesize
3.0MB
-
memory/368-72-0x0000000000970000-0x00000000009FF000-memory.dmpFilesize
572KB
-
memory/368-70-0x0000000000130000-0x0000000000158000-memory.dmpFilesize
160KB
-
memory/368-68-0x0000000000C00000-0x0000000000C18000-memory.dmpFilesize
96KB
-
memory/368-66-0x0000000000000000-mapping.dmp
-
memory/740-71-0x0000000000000000-mapping.dmp
-
memory/1392-57-0x0000000004C50000-0x0000000004CB0000-memory.dmpFilesize
384KB
-
memory/1392-55-0x0000000001090000-0x0000000001091000-memory.dmpFilesize
4KB
-
memory/1392-58-0x00000000049A0000-0x00000000049CA000-memory.dmpFilesize
168KB
-
memory/1392-53-0x00000000010D0000-0x00000000010D1000-memory.dmpFilesize
4KB
-
memory/1392-56-0x0000000000600000-0x0000000000616000-memory.dmpFilesize
88KB
-
memory/1404-65-0x0000000007160000-0x00000000072DE000-memory.dmpFilesize
1.5MB
-
memory/1404-73-0x0000000008E40000-0x0000000008FBA000-memory.dmpFilesize
1.5MB
-
memory/1404-63-0x0000000006FC0000-0x0000000007153000-memory.dmpFilesize
1.6MB