Analysis
- max time kernel: 298s
- max time network: 283s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 24-09-2021 14:59

Static task: static1
Behavioral task: behavioral1
- Sample: INVOICE.exe
- Resource: win7-en-20210920
General
- Target: INVOICE.exe
- Size: 1.0MB
- MD5: 3e0b369f71d263bd0918bfce2b1873c3
- SHA1: 0919aa900e50b290cc90426537ec25a9c44496b0
- SHA256: c10f872ac7d56c5c8d5151eb8d5c3aba275f83bd55700c0dc38776a04b275175
- SHA512: 6c5cb90c5519dbaf90b2ca2183d6c48a1cd216eeb1eff02f16d1042cdde5955734c7ea52408e6ec907abb1a5e4c40eca40b9ed830a92315fad4660861e425c3f
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: m6rs
- C2: http://www.litediv.com/m6rs/
- Decoy domains:
globalsovereignbank.com
ktnrape.xyz
churchybulletin.com
ddyla.com
imatge.cat
iwholesalestore.com
cultivapro.club
ibcfcl.com
refurbisheddildo.com
killerinktnpasumo4.xyz
mdphotoart.com
smi-ity.com
stanprolearningcenter.com
companyintelapp.com
tacticarc.com
soolls.com
gra68.net
cedricettori.digital
mossobuy.com
way2liv.com
j9b.xyz
bmfgi.com
gargantua-traiteur.com
tavolabread.com
neoplus-create.com
tracks-clicks.com
santsp.com
tokusa-f.com
yardparx.online
seinvestments-sg.com
elegantbrushes.net
restaurantemachupicchu.com
ha0313.com
dock7rods.com
emphatictrifles.com
onefunline.top
caulsshop.com
kittyol.com
thehealthyheifer.net
plotmyplot.com
leewaysvcs.com
eur86.com
lightsinwall.com
jiankangkyw.com
travilent.com
dvaccounts.com
wittyon.com
tommywoodenski.com
dividendoylibertad.com
aqscksw.com
familiapena2475.com
australianmeatandwine.com
leading.delivery
giftcards2you.com
bethlehemsmith.com
osterparrots.com
getignore.com
joyandsatisfy.club
sanibelislandhomesearch.com
smedivision.com
kitcycle.com
hills-renta.com
brownbeargraphics.com
46sheridan.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload (3 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/796-59-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral1/memory/796-60-0x000000000041D3D0-mapping.dmp | xloader
  behavioral1/memory/848-67-0x00000000001D0000-0x00000000001F9000-memory.dmp | xloader

Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  1832 | igfxrfftq.exe

Deletes itself (1 IoCs)
Processes:
  pid | process
  1836 | cmd.exe

Loads dropped DLL (5 IoCs)
Processes:
  pid | process
  1504 | WerFault.exe (5 entries)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Key created | \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KPUD5TBPDLH = "C:\\Program Files (x86)\\Njvxpnpxh\\igfxrfftq.exe" | wscript.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description | pid | process | target process
  PID 1540 set thread context of 796 | 1540 | INVOICE.exe | INVOICE.exe
  PID 796 set thread context of 1356 | 796 | INVOICE.exe | Explorer.EXE
  PID 848 set thread context of 1356 | 848 | wscript.exe | Explorer.EXE

Drops file in Program Files directory (2 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\Njvxpnpxh\igfxrfftq.exe | wscript.exe
  File created | C:\Program Files (x86)\Njvxpnpxh\igfxrfftq.exe | Explorer.EXE

Program crash (1 IoCs)
Processes:
  pid | pid_target | process | target process
  1504 | 1832 | WerFault.exe | igfxrfftq.exe
Modifies Internet Explorer settings
Processes:
  description | ioc | process
  Key created | \Registry\User\S-1-5-21-3456797065-1076791440-4146276586-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | wscript.exe
Suspicious behavior: EnumeratesProcesses (55 IoCs)
Processes:
  pid | process
  796 | INVOICE.exe (2 entries)
  848 | wscript.exe (43 entries)
  1504 | WerFault.exe (5 entries)
  848 | wscript.exe (5 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid | process
  1356 | Explorer.EXE

Suspicious behavior: MapViewOfSection (7 IoCs)
Processes:
  pid | process
  796 | INVOICE.exe (3 entries)
  848 | wscript.exe (4 entries)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 796 | INVOICE.exe
  Token: SeDebugPrivilege | 848 | wscript.exe
  Token: SeShutdownPrivilege | 1356 | Explorer.EXE
  Token: SeDebugPrivilege | 1504 | WerFault.exe
  Token: SeShutdownPrivilege | 1356 | Explorer.EXE

Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
  pid | process
  1356 | Explorer.EXE (4 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
  pid | process
  1356 | Explorer.EXE (2 entries)

Suspicious use of WriteProcessMemory (28 IoCs)
Processes:
  description | pid | process | target process
  PID 1540 wrote to memory of 796 | 1540 | INVOICE.exe | INVOICE.exe (7 entries)
  PID 1356 wrote to memory of 848 | 1356 | Explorer.EXE | wscript.exe (4 entries)
  PID 848 wrote to memory of 1836 | 848 | wscript.exe | cmd.exe (4 entries)
  PID 848 wrote to memory of 1624 | 848 | wscript.exe | Firefox.exe (5 entries)
  PID 1356 wrote to memory of 1832 | 1356 | Explorer.EXE | igfxrfftq.exe (4 entries)
  PID 1832 wrote to memory of 1504 | 1832 | igfxrfftq.exe | WerFault.exe (4 entries)
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\wscript.exe
    Command line: "C:\Windows\SysWOW64\wscript.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
      - Deletes itself

    C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

  C:\Program Files (x86)\Njvxpnpxh\igfxrfftq.exe
    Command line: "C:\Program Files (x86)\Njvxpnpxh\igfxrfftq.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 664
      - Loads dropped DLL
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Program Files (x86)\Njvxpnpxh\igfxrfftq.exe
  MD5: b0820366e32e612b669ca9c519dc15f6
  SHA1: b7fa7894ded1ae80f2f58b5269d460c4b6729d2e
  SHA256: 15cc7b4992ee6bc7986aadb9fccd3ebf5aa2d50f8fff7920985bacbe9b0eafeb
  SHA512: fd9e2237d0d0c26a5c8aa14f19ce6ecc4b131229eacb0a3a73ff450a97aaf1350a2a27407f00db9f0ae1ad4a235e68645043bc6a47d4e814c9f022a4d56d8de4
- \Program Files (x86)\Njvxpnpxh\igfxrfftq.exe
  MD5: b0820366e32e612b669ca9c519dc15f6
  SHA1: b7fa7894ded1ae80f2f58b5269d460c4b6729d2e
  SHA256: 15cc7b4992ee6bc7986aadb9fccd3ebf5aa2d50f8fff7920985bacbe9b0eafeb
  SHA512: fd9e2237d0d0c26a5c8aa14f19ce6ecc4b131229eacb0a3a73ff450a97aaf1350a2a27407f00db9f0ae1ad4a235e68645043bc6a47d4e814c9f022a4d56d8de4
- memory/796-59-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/796-60-0x000000000041D3D0-mapping.dmp
- memory/796-61-0x0000000000800000-0x0000000000B03000-memory.dmp (Filesize: 3.0MB)
- memory/796-62-0x0000000000200000-0x0000000000211000-memory.dmp (Filesize: 68KB)
- memory/848-70-0x00000000022B0000-0x0000000002340000-memory.dmp (Filesize: 576KB)
- memory/848-64-0x0000000000000000-mapping.dmp
- memory/848-67-0x00000000001D0000-0x00000000001F9000-memory.dmp (Filesize: 164KB)
- memory/848-68-0x0000000001E90000-0x0000000002193000-memory.dmp (Filesize: 3.0MB)
- memory/848-69-0x0000000075A71000-0x0000000075A73000-memory.dmp (Filesize: 8KB)
- memory/848-66-0x00000000008D0000-0x00000000008F6000-memory.dmp (Filesize: 152KB)
- memory/1356-63-0x0000000006AD0000-0x0000000006C08000-memory.dmp (Filesize: 1.2MB)
- memory/1356-71-0x0000000006480000-0x00000000065DD000-memory.dmp (Filesize: 1.4MB)
- memory/1504-83-0x0000000000000000-mapping.dmp
- memory/1504-89-0x0000000000370000-0x00000000003D0000-memory.dmp (Filesize: 384KB)
- memory/1540-53-0x0000000001180000-0x0000000001181000-memory.dmp (Filesize: 4KB)
- memory/1540-55-0x00000000003C0000-0x00000000003C1000-memory.dmp (Filesize: 4KB)
- memory/1540-56-0x0000000000400000-0x0000000000407000-memory.dmp (Filesize: 28KB)
- memory/1540-57-0x00000000057C0000-0x0000000005821000-memory.dmp (Filesize: 388KB)
- memory/1540-58-0x0000000000740000-0x0000000000772000-memory.dmp (Filesize: 200KB)
- memory/1624-78-0x000000013F360000-0x000000013F3F3000-memory.dmp (Filesize: 588KB)
- memory/1624-72-0x0000000000000000-mapping.dmp
- memory/1624-80-0x00000000024D0000-0x000000000260A000-memory.dmp (Filesize: 1.2MB)
- memory/1832-82-0x0000000005150000-0x00000000051B1000-memory.dmp (Filesize: 388KB)
- memory/1832-81-0x0000000004CF0000-0x0000000004CF1000-memory.dmp (Filesize: 4KB)
- memory/1832-76-0x0000000001000000-0x0000000001001000-memory.dmp (Filesize: 4KB)
- memory/1832-73-0x0000000000000000-mapping.dmp
- memory/1836-65-0x0000000000000000-mapping.dmp