Analysis

max time kernel: 150s
max time network: 153s
platform: windows10_x64
resource: win10-en-20210920
submitted: 27-09-2021 14:14

Static task: static1
Behavioral task: behavioral1
Sample: Payment Slip.exe
Resource: win7v20210408
General

Target: Payment Slip.exe
Size: 831KB
MD5: 3d0d9c87ea732caf417afa0b8af62267
SHA1: dfb1e57a9cf498310cb7287f4b5792cbcd8b3974
SHA256: 95b6ba2be30399f87d20e021bee29f0eb46773b67407f3ed9987d22610d5249d
SHA512: e7db51cd7baf84cf65ebead15c3e56ca9e381866a4edc7e945affe4f64f53bef08519037a5e4fc2ef8f8034e91b240b5d3511a2cdec08e308e8e473a7430a83b
Malware Config

Extracted
Family: xloader
Version: 2.5
Campaign: qfff
C2: http://www.yuumgo.academy/qfff/
Decoy domains:
  lakechelanwedding.com
  jengly.com
  alluresme.com
  axswallet.com
  meetmedubai.com
  kortzfamily.com
  whishfullittles.com
  mts-consultant.com
  amhoses.com
  hdaz2.xyz
  lkgsbx.com
  b0ay.com
  hlthits.com
  dicsordgift.com
  bearaconnect.com
  strategicpropertyventures.com
  158393097102.xyz
  officesetupofficesetup.com
  industrynewz.com
  uperionorthamerica.com
  bucksmobilenotary.com
  clangadget.com
  jolix123.com
  jch.computer
  suddennnnnnnnnnnn43.xyz
  binbin-ads.com
  yshowmedia.com
  studentpair.com
  switchsmartcloud.com
  vywubey.xyz
  timdixonpreferredadvisors.com
  sturlabas.com
  kisskissfallinlove.com
  ivyrtp.com
  agohmarket.com
  spiritair-tickets.com
  savon-el.com
  paccarfinanical.com
  appios.xyz
  auxilvascular.com
  takesatisfy.club
  noframespanishfly.com
  nordesmarcom.com
  hbportalweb.online
  adhdwhatelse.com
  reparamospc.com
  footballrun.online
  mygreatsport.com
  onloe.com
  wargasarawak.com
  bhagwatiretail.com
  00333v.com
  relativewifi.com
  transferarea.com
  abodhakujena.com
  covidworld.info
  hetuart.com
  legacytailors.com
  inafukutest.com
  tiplovellc.com
  fruit-joy.com
  bnzvb.com
  calaverascoffee.com
  interweavelife.com
Signatures

Network alerts
  - suricata: ET MALWARE FormBook CnC Checkin (GET)
  - suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload (4 IoCs)
  resource | yara_rule
  behavioral2/memory/4464-127-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral2/memory/4464-128-0x000000000041D400-mapping.dmp | xloader
  behavioral2/memory/4464-130-0x0000000000F00000-0x0000000000FAE000-memory.dmp | xloader
  behavioral2/memory/4352-134-0x0000000002920000-0x0000000002949000-memory.dmp | xloader

Suspicious use of SetThreadContext (3 IoCs)
  description | pid | process | target process
  PID 3644 set thread context of 4464 | 3644 | Payment Slip.exe | Payment Slip.exe
  PID 4464 set thread context of 3048 | 4464 | Payment Slip.exe | Explorer.EXE
  PID 4352 set thread context of 3048 | 4352 | colorcpl.exe | Explorer.EXE

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (44 IoCs)
  pid | process
  3644 | Payment Slip.exe (2 entries)
  4464 | Payment Slip.exe (4 entries)
  4352 | colorcpl.exe (38 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | process
  3048 | Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid | process
  4464 | Payment Slip.exe (3 entries)
  4352 | colorcpl.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 3644 | Payment Slip.exe
  Token: SeDebugPrivilege | 4464 | Payment Slip.exe
  Token: SeDebugPrivilege | 4352 | colorcpl.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | process | target process
  PID 3644 wrote to memory of 1996 | 3644 | Payment Slip.exe | schtasks.exe (3 entries)
  PID 3644 wrote to memory of 2592 | 3644 | Payment Slip.exe | Payment Slip.exe (3 entries)
  PID 3644 wrote to memory of 4464 | 3644 | Payment Slip.exe | Payment Slip.exe (6 entries)
  PID 3048 wrote to memory of 4352 | 3048 | Explorer.EXE | colorcpl.exe (3 entries)
  PID 4352 wrote to memory of 4556 | 4352 | colorcpl.exe | cmd.exe (3 entries)
Processes

[1] C:\Windows\Explorer.EXE (PID 3048)
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe (PID 3644)
        command line: "C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\schtasks.exe (PID 1996)
            command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uVxomBuy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3588.tmp"
            - Creates scheduled task(s)

        [3] C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe (PID 2592)
            command line: "C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"

        [3] C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe (PID 4464)
            command line: "C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\colorcpl.exe (PID 4352)
        command line: "C:\Windows\SysWOW64\colorcpl.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe (PID 4556)
            command line: /c del "C:\Users\Admin\AppData\Local\Temp\Payment Slip.exe"