Analysis

max time kernel:   147s
max time network:  148s
platform:          windows7_x64
resource:          win7-en-20210920
submitted:         15-10-2021 18:19

Static task:       static1
Behavioral task:   behavioral1
  Sample:          Nuevo Pago 15.10.2021.exe
  Resource:        win7-en-20210920
General

Target:  Nuevo Pago 15.10.2021.exe
Size:    247KB
MD5:     b50f2ee58a34c1e367450e1e2bc107bf
SHA1:    9a5bc255948f7b16eb3d109808d8d1bafd1f6070
SHA256:  12fa6c4f9dc345eca587fe606caf9a5eccfcdc5456b2617ec17b1b1f1e06d24a
SHA512:  fc3aed1caf7cdc271bfca44c8a7bcb254c7331f882c2a5903be7e9921ce71563dcfe305ed0f24838707f30909fa5cbb60854a187e46dc308bbb2c206a71148bb
Malware Config

Extracted
  Family:    xloader
  Version:   2.5
  Campaign:  u9xn
  C2:        http://www.crisisinterventionadvocates.com/u9xn/
  Decoys:
    lifeguardingcoursenearme.com
    bolsaspapelcdmx.com
    parsleypkllqu.xyz
    68134.online
    shopthatlookboutique.com
    canlibahisportal.com
    oligopoly.city
    srchwithus.online
    151motors.com
    17yue.info
    auntmarysnj.com
    hanansalman.com
    heyunshangcheng.info
    doorslamersplus.com
    sfcn-dng.com
    highvizpeople.com
    seoexpertinbangladesh.com
    christinegagnonjewellery.com
    artifactorie.biz
    mre3.net
    webbyteanalysis.online
    medicmir.store
    shdxh.com
    salvationshippingsecurity.com
    michita.xyz
    itskosi.com
    aligncoachingconsulting.com
    cryptorickclub.art
    cyliamartisbackup.com
    ttemola.com
    mujeresenfarmalatam.com
    mykombuchafactory.com
    irasutoya-ryou.com
    envtmyouliqy.mobi
    expert-rse.com
    oddanimalsink.com
    piezoelectricenergy.com
    itservices-india.com
    wintwiin.com
    umgaleloacademy.com
    everythangbutwhite.com
    ishhs.xyz
    brandsofcannabis.com
    sculptingstones.com
    hilldetailingllc.com
    stone-project.net
    rbrituelbeaute.com
    atzoom.store
    pronogtiki.store
    baybeg.com
    b148tlrfee9evtvorgm5947.com
    msjanej.com
    western-overseas.info
    sharpecommunications.com
    atlantahomesforcarguys.com
    neosudo.com
    blulacedefense.com
    profilecolombia.com
    blacksaltspain.com
    sejiw3.xyz
    saint444.com
    getoken.net
    joycegsy.com
    fezora.xyz
Signatures

Xloader Payload (5 IoCs)
  resource | yara_rule
  behavioral1/memory/524-55-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral1/memory/524-56-0x000000000041D4F0-mapping.dmp | xloader
  behavioral1/memory/524-61-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral1/memory/1176-67-0x0000000000100000-0x0000000000129000-memory.dmp | xloader
  behavioral1/memory/1836-79-0x000000000041D4F0-mapping.dmp | xloader

Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | ipconfig.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\J0HTELEPOVE = "C:\\Program Files (x86)\\Xgbcpjfbp\\vgaohl8x6.exe" | ipconfig.exe

Executes dropped EXE (2 IoCs)
  pid | process
  1724 | vgaohl8x6.exe
  1836 | vgaohl8x6.exe

Deletes itself (1 IoC)
  pid | process
  1304 | cmd.exe

Loads dropped DLL (2 IoCs)
  pid | process
  1464 | Nuevo Pago 15.10.2021.exe
  1724 | vgaohl8x6.exe

Suspicious use of SetThreadContext (5 IoCs)
  description | pid | process | target process
  PID 1464 set thread context of 524 | 1464 | Nuevo Pago 15.10.2021.exe | Nuevo Pago 15.10.2021.exe
  PID 524 set thread context of 1388 | 524 | Nuevo Pago 15.10.2021.exe | Explorer.EXE
  PID 524 set thread context of 1388 | 524 | Nuevo Pago 15.10.2021.exe | Explorer.EXE
  PID 1176 set thread context of 1388 | 1176 | ipconfig.exe | Explorer.EXE
  PID 1724 set thread context of 1836 | 1724 | vgaohl8x6.exe | vgaohl8x6.exe

Drops file in Program Files directory (2 IoCs)
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\Xgbcpjfbp\vgaohl8x6.exe | ipconfig.exe
  File created | C:\Program Files (x86)\Xgbcpjfbp\vgaohl8x6.exe | Explorer.EXE

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

NSIS installer (6 IoCs)
  resource | yara_rule
  C:\Program Files (x86)\Xgbcpjfbp\vgaohl8x6.exe | nsis_installer_1
  C:\Program Files (x86)\Xgbcpjfbp\vgaohl8x6.exe | nsis_installer_2
  C:\Program Files (x86)\Xgbcpjfbp\vgaohl8x6.exe | nsis_installer_1
  C:\Program Files (x86)\Xgbcpjfbp\vgaohl8x6.exe | nsis_installer_2
  C:\Program Files (x86)\Xgbcpjfbp\vgaohl8x6.exe | nsis_installer_1
  C:\Program Files (x86)\Xgbcpjfbp\vgaohl8x6.exe | nsis_installer_2

Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  pid | process
  1176 | ipconfig.exe
Modifies Internet Explorer settings (1 IoC)
  description | ioc | process
  Key created | \Registry\User\S-1-5-21-3456797065-1076791440-4146276586-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | ipconfig.exe
Suspicious behavior: EnumeratesProcesses (30 IoCs)
  pid | process | entries
  524 | Nuevo Pago 15.10.2021.exe | 3
  1176 | ipconfig.exe | 26
  1836 | vgaohl8x6.exe | 1

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  1388 | Explorer.EXE

Suspicious behavior: MapViewOfSection (8 IoCs)
  pid | process | entries
  524 | Nuevo Pago 15.10.2021.exe | 4
  1176 | ipconfig.exe | 4

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 524 | Nuevo Pago 15.10.2021.exe
  Token: SeDebugPrivilege | 1176 | ipconfig.exe
  Token: SeDebugPrivilege | 1836 | vgaohl8x6.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | process | entries
  1388 | Explorer.EXE | 2

Suspicious use of SendNotifyMessage (2 IoCs)
  pid | process | entries
  1388 | Explorer.EXE | 2

Suspicious use of WriteProcessMemory (31 IoCs)
  description | pid | process | target process | entries
  PID 1464 wrote to memory of 524 | 1464 | Nuevo Pago 15.10.2021.exe | Nuevo Pago 15.10.2021.exe | 7
  PID 1388 wrote to memory of 1176 | 1388 | Explorer.EXE | ipconfig.exe | 4
  PID 1176 wrote to memory of 1304 | 1176 | ipconfig.exe | cmd.exe | 4
  PID 1176 wrote to memory of 868 | 1176 | ipconfig.exe | Firefox.exe | 5
  PID 1388 wrote to memory of 1724 | 1388 | Explorer.EXE | vgaohl8x6.exe | 4
  PID 1724 wrote to memory of 1836 | 1724 | vgaohl8x6.exe | vgaohl8x6.exe | 7
Processes

C:\Windows\Explorer.EXE
    cmdline: C:\Windows\Explorer.EXE
    - Drops file in Program Files directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Nuevo Pago 15.10.2021.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\Nuevo Pago 15.10.2021.exe"
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\Nuevo Pago 15.10.2021.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\Nuevo Pago 15.10.2021.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\autofmt.exe  (7 entries, no signatures)
        cmdline: "C:\Windows\SysWOW64\autofmt.exe"

    C:\Windows\SysWOW64\autochk.exe  (16 entries, no signatures)
        cmdline: "C:\Windows\SysWOW64\autochk.exe"

    C:\Windows\SysWOW64\autoconv.exe  (11 entries, no signatures)
        cmdline: "C:\Windows\SysWOW64\autoconv.exe"

    C:\Windows\SysWOW64\ipconfig.exe
        cmdline: "C:\Windows\SysWOW64\ipconfig.exe"
        - Adds policy Run key to start application
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Gathers network information
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
            cmdline: /c del "C:\Users\Admin\AppData\Local\Temp\Nuevo Pago 15.10.2021.exe"
            - Deletes itself

        C:\Program Files\Mozilla Firefox\Firefox.exe
            cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe"

    C:\Program Files (x86)\Xgbcpjfbp\vgaohl8x6.exe
        cmdline: "C:\Program Files (x86)\Xgbcpjfbp\vgaohl8x6.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Xgbcpjfbp\vgaohl8x6.exe
            cmdline: "C:\Program Files (x86)\Xgbcpjfbp\vgaohl8x6.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Program Files (x86)\Xgbcpjfbp\vgaohl8x6.exe  (listed 3 times; hashes identical to the submitted sample)
  MD5:     b50f2ee58a34c1e367450e1e2bc107bf
  SHA1:    9a5bc255948f7b16eb3d109808d8d1bafd1f6070
  SHA256:  12fa6c4f9dc345eca587fe606caf9a5eccfcdc5456b2617ec17b1b1f1e06d24a
  SHA512:  fc3aed1caf7cdc271bfca44c8a7bcb254c7331f882c2a5903be7e9921ce71563dcfe305ed0f24838707f30909fa5cbb60854a187e46dc308bbb2c206a71148bb

C:\Users\Admin\AppData\Local\Temp\ntgda9u5r81z
  MD5:     c8454c5a4e451f0b25b3ee8d33395505
  SHA1:    4c7e0cd3fcba769745df36d779b1bc38097fb8c4
  SHA256:  403c9e6c9e00c83c4564bf71813d564711a72fe4d30ba53ea604a0670ecc8ca8
  SHA512:  e831414daf7e9def23d66c715b6ae51904879c1e24c08333ccd2da75f7d4ee5e1585430488b38bc519450f07bdd5c72f20fc3803c0c6de6a27ef4408e110bcf1

\Users\Admin\AppData\Local\Temp\nsiC19B.tmp\gibh.dll
  MD5:     6a6e5ce1da420ef522bed80375260881
  SHA1:    acc4a1f85c397d6b93ba69f43182cbaf8d9cd768
  SHA256:  829d331503e630301cb7e037a7e451e5e697db9573ee5ea5e2e2e2e5d195e6b1
  SHA512:  1f1bdab25301ac57cd5d796557625a6a812900f01c44bf391fa1052f5fecf05b8c8edcb80b44ab1a7e4a74943aa722fc801b28e1212e6858c4d8b7b8d64f7102

\Users\Admin\AppData\Local\Temp\nsuE3DB.tmp\gibh.dll  (same hashes as the nsiC19B.tmp copy)
  MD5:     6a6e5ce1da420ef522bed80375260881
  SHA1:    acc4a1f85c397d6b93ba69f43182cbaf8d9cd768
  SHA256:  829d331503e630301cb7e037a7e451e5e697db9573ee5ea5e2e2e2e5d195e6b1
  SHA512:  1f1bdab25301ac57cd5d796557625a6a812900f01c44bf391fa1052f5fecf05b8c8edcb80b44ab1a7e4a74943aa722fc801b28e1212e6858c4d8b7b8d64f7102

Memory dumps
  resource | filesize
  memory/524-58-0x0000000000970000-0x0000000000C73000-memory.dmp | 3.0MB
  memory/524-59-0x00000000003D0000-0x00000000003E1000-memory.dmp | 68KB
  memory/524-62-0x0000000000550000-0x0000000000561000-memory.dmp | 68KB
  memory/524-55-0x0000000000400000-0x0000000000429000-memory.dmp | 164KB
  memory/524-56-0x000000000041D4F0-mapping.dmp |
  memory/524-61-0x0000000000400000-0x0000000000429000-memory.dmp | 164KB
  memory/1176-66-0x0000000000AC0000-0x0000000000ACA000-memory.dmp | 40KB
  memory/1176-69-0x0000000002060000-0x0000000002363000-memory.dmp | 3.0MB
  memory/1176-70-0x00000000009C0000-0x0000000000A50000-memory.dmp | 576KB
  memory/1176-67-0x0000000000100000-0x0000000000129000-memory.dmp | 164KB
  memory/1176-64-0x0000000000000000-mapping.dmp |
  memory/1304-68-0x0000000000000000-mapping.dmp |
  memory/1388-71-0x0000000003C50000-0x0000000003CF7000-memory.dmp | 668KB
  memory/1388-60-0x0000000006090000-0x000000000618A000-memory.dmp | 1000KB
  memory/1388-63-0x0000000006B80000-0x0000000006CEE000-memory.dmp | 1.4MB
  memory/1464-53-0x0000000075BD1000-0x0000000075BD3000-memory.dmp | 8KB
  memory/1724-72-0x0000000000000000-mapping.dmp |
  memory/1836-79-0x000000000041D4F0-mapping.dmp |
  memory/1836-81-0x0000000000990000-0x0000000000C93000-memory.dmp | 3.0MB