Analysis
- max time kernel: 601s
- max time network: 600s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 27-09-2021 04:27
- Static task: static1
- Behavioral task: behavioral1
- Sample: Payment document.exe
- Resource: win7-en-20210920
General
- Target: Payment document.exe
- Size: 532KB
- MD5: d0cceb56aaec4f8d458498904813b790
- SHA1: 8efefaefb2a32c05c3282721be10c0b838c0cc96
- SHA256: bb60b98852cad89fe450ec8486cee96bb6932b29c692f97d5b7ed7936556845f
- SHA512: 26137c91ab694b4bc21d06ed5f5f916c6884f7a7a94536a22948290c9cfa1cb1ac84ecd4f0893784eaab0eb6c674f05d6062b0dc6f61293935bb3eef53571de0
Malware Config
- Extracted family: xloader
- Version: 2.4
- Campaign: dbew
- C2: http://www.mengtai.xyz/dbew/
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload (3 IoCs)
  resource / yara_rule:
    behavioral2/memory/3188-124-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
    behavioral2/memory/3188-125-0x000000000041D3E0-mapping.dmp  xloader
    behavioral2/memory/1916-133-0x0000000002BD0000-0x0000000002BF9000-memory.dmp  xloader
- Suspicious use of SetThreadContext (4 IoCs)
  description / pid process -> target process:
    PID 1832 set thread context of 3188: 1832 Payment document.exe -> Payment document.exe
    PID 3188 set thread context of 3052: 3188 Payment document.exe -> Explorer.EXE
    PID 3188 set thread context of 3052: 3188 Payment document.exe -> Explorer.EXE
    PID 1916 set thread context of 3052: 1916 netsh.exe -> Explorer.EXE
- Modifies registry class (2 IoCs)
  description / ioc / process:
    Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance  Explorer.EXE
    Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance  Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / process:
    1832 Payment document.exe (2 entries)
    3188 Payment document.exe (6 entries)
    1916 netsh.exe (all remaining entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid / process:
    3052 Explorer.EXE
- Suspicious behavior: MapViewOfSection (6 IoCs)
  pid / process:
    3188 Payment document.exe (4 entries)
    1916 netsh.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  description / pid / process:
    Token: SeDebugPrivilege  1832 Payment document.exe
    Token: SeDebugPrivilege  3188 Payment document.exe
    Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege  3052 Explorer.EXE (7 alternating pairs)
    Token: SeDebugPrivilege  1916 netsh.exe
    Token: SeShutdownPrivilege  3052 Explorer.EXE
    Token: SeCreatePagefilePrivilege  3052 Explorer.EXE
- Suspicious use of FindShellTrayWindow (8 IoCs)
  pid / process:
    3052 Explorer.EXE (8 entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid process -> target process:
    PID 1832 wrote to memory of 3188: 1832 Payment document.exe -> Payment document.exe (6 entries)
    PID 3052 wrote to memory of 1916: 3052 Explorer.EXE -> netsh.exe (3 entries)
    PID 1916 wrote to memory of 3940: 1916 netsh.exe -> cmd.exe (3 entries)
Processes
- C:\Windows\Explorer.EXE, command line: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Payment document.exe, command line: "C:\Users\Admin\AppData\Local\Temp\Payment document.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Payment document.exe, command line: "C:\Users\Admin\AppData\Local\Temp\Payment document.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\netsh.exe, command line: "C:\Windows\SysWOW64\netsh.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe, command line: /c del "C:\Users\Admin\AppData\Local\Temp\Payment document.exe"
Downloads
- memory/1832-121-0x0000000005830000-0x0000000005837000-memory.dmp (28KB)
- memory/1832-114-0x0000000000E30000-0x0000000000E31000-memory.dmp (4KB)
- memory/1832-117-0x0000000005870000-0x0000000005871000-memory.dmp (4KB)
- memory/1832-118-0x00000000059A0000-0x0000000005E9E000-memory.dmp (5.0MB)
- memory/1832-119-0x0000000005820000-0x0000000005821000-memory.dmp (4KB)
- memory/1832-120-0x0000000005BA0000-0x0000000005BA1000-memory.dmp (4KB)
- memory/1832-116-0x0000000005EA0000-0x0000000005EA1000-memory.dmp (4KB)
- memory/1832-122-0x00000000065A0000-0x00000000065FE000-memory.dmp (376KB)
- memory/1832-123-0x0000000008A90000-0x0000000008ABB000-memory.dmp (172KB)
- memory/1916-136-0x0000000003530000-0x00000000035C0000-memory.dmp (576KB)
- memory/1916-134-0x00000000036E0000-0x0000000003A00000-memory.dmp (3.1MB)
- memory/1916-132-0x00000000009C0000-0x00000000009DE000-memory.dmp (120KB)
- memory/1916-133-0x0000000002BD0000-0x0000000002BF9000-memory.dmp (164KB)
- memory/1916-131-0x0000000000000000-mapping.dmp
- memory/3052-130-0x0000000006A90000-0x0000000006C11000-memory.dmp (1.5MB)
- memory/3052-128-0x0000000006520000-0x000000000669C000-memory.dmp (1.5MB)
- memory/3052-137-0x0000000005740000-0x000000000589A000-memory.dmp (1.4MB)
- memory/3188-129-0x0000000001CC0000-0x0000000001CD1000-memory.dmp (68KB)
- memory/3188-126-0x0000000001970000-0x0000000001C90000-memory.dmp (3.1MB)
- memory/3188-127-0x0000000001950000-0x0000000001961000-memory.dmp (68KB)
- memory/3188-125-0x000000000041D3E0-mapping.dmp
- memory/3188-124-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
- memory/3940-135-0x0000000000000000-mapping.dmp