Analysis
-
max time kernel
300s -
max time network
298s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
24-09-2021 12:38
Static task
static1
Behavioral task
behavioral1
Sample
ledger.exe
Resource
win7-en-20210920
General
-
Target
ledger.exe
-
Size
746KB
-
MD5
bb7bbc40aef8439092e6345d3428c975
-
SHA1
9bf46b95ff700e57bc0e38d5133577bfad260ea2
-
SHA256
b194903f2fb1231113b2cffdd6cf47e25d4d9f99675654f70865b1f3d0a9160c
-
SHA512
a1ed9eac420f49c4e101ddfb84a1b148a2c05a0999553978528cc1976f3027325b0944c721696ddc1b73b68bcc9766dcb884414efae70543ae7023f34130632f
Malware Config
Extracted
xloader
2.3
n58i
http://www.biosonicmicrocurrent.com/n58i/
electrifyz.com
silkpetalz.net
cognitivenavigation.com
poophaikus.com
orchidiris.com
arteregalos.com
dailybookmarks.info
gogoanume.pro
hushmailgmx.com
trjisa.com
notontrend.com
2020polltax.com
orderhappy.club
panggabean.net
govsathi.com
hrsbxg.com
xvideotokyo.online
lotteplaze.com
lovecleanliveclean.com
swaphomeloans.net
arcadems.info
creatingstrongerathletes.com
follaproperties.com
i-postgram.com
bootybella.fitness
avtofan.net
bimbavbi.com
yourtravelsbuddy.com
laiofit.com
ofnick.com
2g6gc6zma9g.net
phamthanhdam.com
shopteve.com
add-fast.com
studioloungemke.com
maxtoutfitness.com
mapleway.systems
login-settings.com
affoshop.com
hupubets.com
3energyservices.com
ccmfonline.com
keyhousebuyers.com
curvecue.com
developerdevelopment.com
jamesdunnandsons.com
devyassine.com
dongyilove.com
alienpuran.com
tuolp.com
bidprosper.com
feerd.com
acmeproxy.com
thechoicemediagroup.com
inspirespeep.com
leesangsoon.com
highheatcards.com
xn--yk3b99erra.com
rawfasteners.com
alfaniyaa.com
bellesaesthetics.com
ccequityholdings.com
carrolpuppies.com
huttibazar.net
Signatures
-
Xloader Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/1580-124-0x0000000000400000-0x0000000000428000-memory.dmp xloader behavioral2/memory/1580-125-0x000000000041D040-mapping.dmp xloader behavioral2/memory/1860-131-0x0000000002A50000-0x0000000002A78000-memory.dmp xloader -
Suspicious use of SetThreadContext 3 IoCs
Processes:
ledger.exeledger.exemstsc.exedescription pid process target process PID 776 set thread context of 1580 776 ledger.exe ledger.exe PID 1580 set thread context of 3020 1580 ledger.exe Explorer.EXE PID 1860 set thread context of 3020 1860 mstsc.exe Explorer.EXE -
Modifies registry class 2 IoCs
Processes:
Explorer.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance Explorer.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
ledger.exemstsc.exepid process 1580 ledger.exe 1580 ledger.exe 1580 ledger.exe 1580 ledger.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe 1860 mstsc.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 3020 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
ledger.exemstsc.exepid process 1580 ledger.exe 1580 ledger.exe 1580 ledger.exe 1860 mstsc.exe 1860 mstsc.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
ledger.exeExplorer.EXEmstsc.exedescription pid process Token: SeDebugPrivilege 1580 ledger.exe Token: SeShutdownPrivilege 3020 Explorer.EXE Token: SeCreatePagefilePrivilege 3020 Explorer.EXE Token: SeShutdownPrivilege 3020 Explorer.EXE Token: SeCreatePagefilePrivilege 3020 Explorer.EXE Token: SeDebugPrivilege 1860 mstsc.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
Explorer.EXEpid process 3020 Explorer.EXE 3020 Explorer.EXE 3020 Explorer.EXE 3020 Explorer.EXE -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
Explorer.EXEpid process 3020 Explorer.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
ledger.exeExplorer.EXEmstsc.exedescription pid process target process PID 776 wrote to memory of 1580 776 ledger.exe ledger.exe PID 776 wrote to memory of 1580 776 ledger.exe ledger.exe PID 776 wrote to memory of 1580 776 ledger.exe ledger.exe PID 776 wrote to memory of 1580 776 ledger.exe ledger.exe PID 776 wrote to memory of 1580 776 ledger.exe ledger.exe PID 776 wrote to memory of 1580 776 ledger.exe ledger.exe PID 3020 wrote to memory of 1860 3020 Explorer.EXE mstsc.exe PID 3020 wrote to memory of 1860 3020 Explorer.EXE mstsc.exe PID 3020 wrote to memory of 1860 3020 Explorer.EXE mstsc.exe PID 1860 wrote to memory of 2648 1860 mstsc.exe cmd.exe PID 1860 wrote to memory of 2648 1860 mstsc.exe cmd.exe PID 1860 wrote to memory of 2648 1860 mstsc.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ledger.exe"C:\Users\Admin\AppData\Local\Temp\ledger.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ledger.exe"C:\Users\Admin\AppData\Local\Temp\ledger.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\mstsc.exe"C:\Windows\SysWOW64\mstsc.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\ledger.exe"3⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/776-114-0x00000000007B0000-0x00000000007B1000-memory.dmpFilesize
4KB
-
memory/776-116-0x0000000005670000-0x0000000005671000-memory.dmpFilesize
4KB
-
memory/776-117-0x00000000050C0000-0x00000000050C1000-memory.dmpFilesize
4KB
-
memory/776-118-0x00000000050A0000-0x00000000050A1000-memory.dmpFilesize
4KB
-
memory/776-119-0x0000000005170000-0x000000000566E000-memory.dmpFilesize
5.0MB
-
memory/776-120-0x0000000008870000-0x0000000008871000-memory.dmpFilesize
4KB
-
memory/776-121-0x0000000005640000-0x0000000005656000-memory.dmpFilesize
88KB
-
memory/776-122-0x0000000008B80000-0x0000000008BE0000-memory.dmpFilesize
384KB
-
memory/776-123-0x000000000B320000-0x000000000B34A000-memory.dmpFilesize
168KB
-
memory/1580-125-0x000000000041D040-mapping.dmp
-
memory/1580-124-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/1580-127-0x00000000014D0000-0x00000000014E0000-memory.dmpFilesize
64KB
-
memory/1580-126-0x00000000019D0000-0x0000000001CF0000-memory.dmpFilesize
3.1MB
-
memory/1860-129-0x0000000000000000-mapping.dmp
-
memory/1860-130-0x00000000003B0000-0x00000000006AC000-memory.dmpFilesize
3.0MB
-
memory/1860-131-0x0000000002A50000-0x0000000002A78000-memory.dmpFilesize
160KB
-
memory/1860-133-0x0000000004900000-0x0000000004C20000-memory.dmpFilesize
3.1MB
-
memory/1860-134-0x0000000004840000-0x00000000048CF000-memory.dmpFilesize
572KB
-
memory/2648-132-0x0000000000000000-mapping.dmp
-
memory/3020-128-0x0000000005D10000-0x0000000005E67000-memory.dmpFilesize
1.3MB
-
memory/3020-135-0x00000000024A0000-0x0000000002571000-memory.dmpFilesize
836KB