Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-en-20210920
submitted: 13-10-2021 14:18
Static task: static1
Behavioral task: behavioral1
Sample: Payment Confirmation.exe
Resource: win7-en-20210920
General
Target: Payment Confirmation.exe
Size: 445KB
MD5: 98ffc3c812e6cec919ebd286973e2002
SHA1: b0d1a65445a7923870ad23ec4d80f592e808c987
SHA256: 014d0ece0d472eaea73698d634308303ddb9f227f39d339a66416c3cb744d2c1
SHA512: 5875f8f2c736cbf501c25635f5c9014e499a7fce01f139315cbf5c0d3c45e1e8568a9fa8ddfe60cb0a44804a7677fdcd411eab4be6177926649b1b691d97a721
Malware Config
Extracted: xloader 2.5, b2c0
http://www.thesewhitevvalls.com/b2c0/
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload (4 IoCs)
  yara rule xloader matched:
    behavioral1/memory/620-55-0x0000000000400000-0x0000000000429000-memory.dmp
    behavioral1/memory/620-56-0x000000000041D4C0-mapping.dmp
    behavioral1/memory/620-61-0x0000000000400000-0x0000000000429000-memory.dmp
    behavioral1/memory/832-66-0x0000000000080000-0x00000000000A9000-memory.dmp

Deletes itself (1 IoC)
  Processes: PID 1124 cmd.exe

Loads dropped DLL (1 IoC)
  Processes: PID 1232 Payment Confirmation.exe

Suspicious use of SetThreadContext (4 IoCs)
  PID 1232 Payment Confirmation.exe set thread context of PID 620 Payment Confirmation.exe
  PID 620 Payment Confirmation.exe set thread context of PID 1272 Explorer.EXE (2 events)
  PID 832 NETSTAT.EXE set thread context of PID 1272 Explorer.EXE

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  Processes: PID 832 NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses (31 IoCs)
  Processes: PID 620 Payment Confirmation.exe (3 events), PID 832 NETSTAT.EXE (28 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: PID 1272 Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
  Processes: PID 620 Payment Confirmation.exe (4 events), PID 832 NETSTAT.EXE (2 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 620 Payment Confirmation.exe
  Token: SeDebugPrivilege, PID 832 NETSTAT.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: PID 1272 Explorer.EXE (2 events)

Suspicious use of SendNotifyMessage (2 IoCs)
  Processes: PID 1272 Explorer.EXE (2 events)

Suspicious use of WriteProcessMemory (15 IoCs)
  PID 1232 Payment Confirmation.exe wrote to memory of PID 620 Payment Confirmation.exe (7 events)
  PID 1272 Explorer.EXE wrote to memory of PID 832 NETSTAT.EXE (4 events)
  PID 832 NETSTAT.EXE wrote to memory of PID 1124 cmd.exe (4 events)
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\NETSTAT.EXE
    command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\Users\Admin\AppData\Local\Temp\nsyBE9F.tmp\nawgsdqut.dll
  MD5: d4233fefc9328cc30b0ef014beb2f51b
  SHA1: 302180a5edb1fd653d7884bb60172e6edfbbeac4
  SHA256: 1827a3002964434b0acff1359241948e334148d3413312cfea326cae8f269758
  SHA512: b3e19c83e631b6a8b8b0d00ab14af811519765b737f1497f27e8c3a8c3328038967dbb6095671e4095af48d6355b5f13cec20c38ef2dfb14cc2ae8e9482de4af

memory/620-62-0x00000000006E0000-0x00000000006F1000-memory.dmp  Filesize: 68KB
memory/620-55-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize: 164KB
memory/620-56-0x000000000041D4C0-mapping.dmp
memory/620-58-0x0000000000740000-0x0000000000A43000-memory.dmp  Filesize: 3.0MB
memory/620-59-0x0000000000480000-0x0000000000491000-memory.dmp  Filesize: 68KB
memory/620-61-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize: 164KB
memory/832-65-0x0000000000AC0000-0x0000000000AC9000-memory.dmp  Filesize: 36KB
memory/832-64-0x0000000000000000-mapping.dmp
memory/832-66-0x0000000000080000-0x00000000000A9000-memory.dmp  Filesize: 164KB
memory/832-68-0x0000000002060000-0x0000000002363000-memory.dmp  Filesize: 3.0MB
memory/832-69-0x00000000009D0000-0x0000000000A60000-memory.dmp  Filesize: 576KB
memory/1124-67-0x0000000000000000-mapping.dmp
memory/1232-53-0x0000000074F81000-0x0000000074F83000-memory.dmp  Filesize: 8KB
memory/1272-60-0x0000000006550000-0x0000000006658000-memory.dmp  Filesize: 1.0MB
memory/1272-63-0x00000000071A0000-0x0000000007299000-memory.dmp  Filesize: 996KB
memory/1272-70-0x0000000007340000-0x0000000007442000-memory.dmp  Filesize: 1.0MB