Analysis
max time kernel: 151s
max time network: 143s
platform: windows10_x64
resource: win10-en-20210920
submitted: 13-10-2021 14:18
Static task: static1
Behavioral task: behavioral1
Sample: Payment Confirmation.exe
Resource: win7-en-20210920
General
Target: Payment Confirmation.exe
Size: 445KB
MD5: 98ffc3c812e6cec919ebd286973e2002
SHA1: b0d1a65445a7923870ad23ec4d80f592e808c987
SHA256: 014d0ece0d472eaea73698d634308303ddb9f227f39d339a66416c3cb744d2c1
SHA512: 5875f8f2c736cbf501c25635f5c9014e499a7fce01f139315cbf5c0d3c45e1e8568a9fa8ddfe60cb0a44804a7677fdcd411eab4be6177926649b1b691d97a721
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: b2c0
C2: http://www.thesewhitevvalls.com/b2c0/
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload (3 IoCs)
resource | yara_rule
behavioral2/memory/3852-116-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/3852-117-0x000000000041D4C0-mapping.dmp | xloader
behavioral2/memory/1572-127-0x00000000004C0000-0x00000000004E9000-memory.dmp | xloader
Loads dropped DLL (1 IoCs)
Processes:
pid | process
1844 | Payment Confirmation.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes:
description | pid | process | target process
PID 1844 set thread context of 3852 | 1844 | Payment Confirmation.exe | Payment Confirmation.exe
PID 3852 set thread context of 2848 | 3852 | Payment Confirmation.exe | Explorer.EXE
PID 1572 set thread context of 2848 | 1572 | msiexec.exe | Explorer.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes:
pid | process | entries
3852 | Payment Confirmation.exe | 4
1572 | msiexec.exe | 56
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
pid | process
2848 | Explorer.EXE
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
pid | process | entries
3852 | Payment Confirmation.exe | 3
1572 | msiexec.exe | 2
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 3852 | Payment Confirmation.exe
Token: SeDebugPrivilege | 1572 | msiexec.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description | pid | process | target process | entries
PID 1844 wrote to memory of 3852 | 1844 | Payment Confirmation.exe | Payment Confirmation.exe | 6
PID 2848 wrote to memory of 1572 | 2848 | Explorer.EXE | msiexec.exe | 3
PID 1572 wrote to memory of 1768 | 1572 | msiexec.exe | cmd.exe | 3
Processes
[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.exe"
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\autochk.exe
        command line: "C:\Windows\SysWOW64\autochk.exe"
    [2] C:\Windows\SysWOW64\msiexec.exe
        command line: "C:\Windows\SysWOW64\msiexec.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: /c del "C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
\Users\Admin\AppData\Local\Temp\nsvAB84.tmp\nawgsdqut.dll
  MD5: d4233fefc9328cc30b0ef014beb2f51b
  SHA1: 302180a5edb1fd653d7884bb60172e6edfbbeac4
  SHA256: 1827a3002964434b0acff1359241948e334148d3413312cfea326cae8f269758
  SHA512: b3e19c83e631b6a8b8b0d00ab14af811519765b737f1497f27e8c3a8c3328038967dbb6095671e4095af48d6355b5f13cec20c38ef2dfb14cc2ae8e9482de4af
memory/1572-124-0x00000000001D0000-0x00000000001D1000-memory.dmp (Filesize: 4KB)
memory/1572-129-0x0000000004190000-0x0000000004220000-memory.dmp (Filesize: 576KB)
memory/1572-126-0x00000000009D0000-0x00000000009E2000-memory.dmp (Filesize: 72KB)
memory/1572-128-0x0000000004330000-0x0000000004650000-memory.dmp (Filesize: 3.1MB)
memory/1572-127-0x00000000004C0000-0x00000000004E9000-memory.dmp (Filesize: 164KB)
memory/1572-122-0x0000000000000000-mapping.dmp
memory/1572-123-0x00000000001D0000-0x00000000001D1000-memory.dmp (Filesize: 4KB)
memory/1768-125-0x0000000000000000-mapping.dmp
memory/2848-121-0x00000000027D0000-0x00000000028B5000-memory.dmp (Filesize: 916KB)
memory/2848-130-0x0000000002980000-0x0000000002A39000-memory.dmp (Filesize: 740KB)
memory/3852-120-0x00000000009F0000-0x0000000000A01000-memory.dmp (Filesize: 68KB)
memory/3852-119-0x0000000000A30000-0x0000000000D50000-memory.dmp (Filesize: 3.1MB)
memory/3852-117-0x000000000041D4C0-mapping.dmp
memory/3852-116-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)