Analysis
- max time kernel: 151s
- max time network: 148s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 15-10-2021 18:19
Static task: static1
Behavioral task: behavioral1
Sample: Nuevo Pago 15.10.2021.exe
Resource: win7-en-20210920
General
- Target: Nuevo Pago 15.10.2021.exe
- Size: 247KB
- MD5: b50f2ee58a34c1e367450e1e2bc107bf
- SHA1: 9a5bc255948f7b16eb3d109808d8d1bafd1f6070
- SHA256: 12fa6c4f9dc345eca587fe606caf9a5eccfcdc5456b2617ec17b1b1f1e06d24a
- SHA512: fc3aed1caf7cdc271bfca44c8a7bcb254c7331f882c2a5903be7e9921ce71563dcfe305ed0f24838707f30909fa5cbb60854a187e46dc308bbb2c206a71148bb
Malware Config
Extracted
xloader
2.5
u9xn
http://www.crisisinterventionadvocates.com/u9xn/
Signatures
-
Xloader Payload 3 IoCs
Processes:
resource                                                                     yara_rule
behavioral2/memory/4032-116-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral2/memory/4032-117-0x000000000041D4F0-mapping.dmp                    xloader
behavioral2/memory/920-125-0x0000000000610000-0x0000000000639000-memory.dmp   xloader
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
2156  evnhj7njpftb.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid   process
2504  Nuevo Pago 15.10.2021.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description      ioc                                                                                                                                  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KX4P-6RHUBO = "C:\\Program Files (x86)\\Bp6h\\evnhj7njpftb.exe"  cmstp.exe
Key created      \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run                                                          cmstp.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description                          pid   process                    target process
PID 2504 set thread context of 4032  2504  Nuevo Pago 15.10.2021.exe  Nuevo Pago 15.10.2021.exe
PID 4032 set thread context of 3024  4032  Nuevo Pago 15.10.2021.exe  Explorer.EXE
PID 920 set thread context of 3024   920   cmstp.exe                  Explorer.EXE
-
Drops file in Program Files directory 4 IoCs
Processes:
description                   ioc                                          process
File opened for modification  C:\Program Files (x86)\Bp6h\evnhj7njpftb.exe  cmstp.exe
File opened for modification  C:\Program Files (x86)\Bp6h                  Explorer.EXE
File created                  C:\Program Files (x86)\Bp6h\evnhj7njpftb.exe  Explorer.EXE
File opened for modification  C:\Program Files (x86)\Bp6h\evnhj7njpftb.exe  Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 4 IoCs
Processes:
resource                                      yara_rule
C:\Program Files (x86)\Bp6h\evnhj7njpftb.exe  nsis_installer_1
C:\Program Files (x86)\Bp6h\evnhj7njpftb.exe  nsis_installer_2
C:\Program Files (x86)\Bp6h\evnhj7njpftb.exe  nsis_installer_1
C:\Program Files (x86)\Bp6h\evnhj7njpftb.exe  nsis_installer_2
-
Modifies Internet Explorer settings 1 IoCs
Processes:
description  ioc                                                                                                                 process
Key created  \Registry\User\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  cmstp.exe
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
Processes:
pid   process
4032  Nuevo Pago 15.10.2021.exe
4032  Nuevo Pago 15.10.2021.exe
4032  Nuevo Pago 15.10.2021.exe
4032  Nuevo Pago 15.10.2021.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
920   cmstp.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
3024  Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid   process
4032  Nuevo Pago 15.10.2021.exe
4032  Nuevo Pago 15.10.2021.exe
4032  Nuevo Pago 15.10.2021.exe
920   cmstp.exe
920   cmstp.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  4032  Nuevo Pago 15.10.2021.exe
Token: SeDebugPrivilege  920   cmstp.exe
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description                        pid   process                    target process
PID 2504 wrote to memory of 4032   2504  Nuevo Pago 15.10.2021.exe  Nuevo Pago 15.10.2021.exe
PID 2504 wrote to memory of 4032   2504  Nuevo Pago 15.10.2021.exe  Nuevo Pago 15.10.2021.exe
PID 2504 wrote to memory of 4032   2504  Nuevo Pago 15.10.2021.exe  Nuevo Pago 15.10.2021.exe
PID 2504 wrote to memory of 4032   2504  Nuevo Pago 15.10.2021.exe  Nuevo Pago 15.10.2021.exe
PID 2504 wrote to memory of 4032   2504  Nuevo Pago 15.10.2021.exe  Nuevo Pago 15.10.2021.exe
PID 2504 wrote to memory of 4032   2504  Nuevo Pago 15.10.2021.exe  Nuevo Pago 15.10.2021.exe
PID 3024 wrote to memory of 920    3024  Explorer.EXE               cmstp.exe
PID 3024 wrote to memory of 920    3024  Explorer.EXE               cmstp.exe
PID 3024 wrote to memory of 920    3024  Explorer.EXE               cmstp.exe
PID 920 wrote to memory of 1232    920   cmstp.exe                  cmd.exe
PID 920 wrote to memory of 1232    920   cmstp.exe                  cmd.exe
PID 920 wrote to memory of 1232    920   cmstp.exe                  cmd.exe
PID 920 wrote to memory of 712     920   cmstp.exe                  cmd.exe
PID 920 wrote to memory of 712     920   cmstp.exe                  cmd.exe
PID 920 wrote to memory of 712     920   cmstp.exe                  cmd.exe
PID 3024 wrote to memory of 2156   3024  Explorer.EXE               evnhj7njpftb.exe
PID 3024 wrote to memory of 2156   3024  Explorer.EXE               evnhj7njpftb.exe
PID 3024 wrote to memory of 2156   3024  Explorer.EXE               evnhj7njpftb.exe
Processes
-
[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    - Drops file in Program Files directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Nuevo Pago 15.10.2021.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Nuevo Pago 15.10.2021.exe"
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\Nuevo Pago 15.10.2021.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\Nuevo Pago 15.10.2021.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmstp.exe
      command line: "C:\Windows\SysWOW64\cmstp.exe"
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: /c del "C:\Users\Admin\AppData\Local\Temp\Nuevo Pago 15.10.2021.exe"
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
  [2] C:\Program Files (x86)\Bp6h\evnhj7njpftb.exe
      command line: "C:\Program Files (x86)\Bp6h\evnhj7njpftb.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Bp6h\evnhj7njpftb.exe
MD5: b50f2ee58a34c1e367450e1e2bc107bf
SHA1: 9a5bc255948f7b16eb3d109808d8d1bafd1f6070
SHA256: 12fa6c4f9dc345eca587fe606caf9a5eccfcdc5456b2617ec17b1b1f1e06d24a
SHA512: fc3aed1caf7cdc271bfca44c8a7bcb254c7331f882c2a5903be7e9921ce71563dcfe305ed0f24838707f30909fa5cbb60854a187e46dc308bbb2c206a71148bb
-
C:\Users\Admin\AppData\Local\Temp\DB1
MD5: b608d407fc15adea97c26936bc6f03f6
SHA1: 953e7420801c76393902c0d6bb56148947e41571
SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
\Users\Admin\AppData\Local\Temp\nss1589.tmp\gibh.dll
MD5: 6a6e5ce1da420ef522bed80375260881
SHA1: acc4a1f85c397d6b93ba69f43182cbaf8d9cd768
SHA256: 829d331503e630301cb7e037a7e451e5e697db9573ee5ea5e2e2e2e5d195e6b1
SHA512: 1f1bdab25301ac57cd5d796557625a6a812900f01c44bf391fa1052f5fecf05b8c8edcb80b44ab1a7e4a74943aa722fc801b28e1212e6858c4d8b7b8d64f7102
-
memory/712-129-0x0000000000000000-mapping.dmp
memory/920-127-0x0000000000F70000-0x0000000001000000-memory.dmp (Filesize: 576KB)
memory/920-122-0x0000000000000000-mapping.dmp
memory/920-125-0x0000000000610000-0x0000000000639000-memory.dmp (Filesize: 164KB)
memory/920-124-0x0000000001240000-0x0000000001256000-memory.dmp (Filesize: 88KB)
memory/920-126-0x0000000004660000-0x0000000004980000-memory.dmp (Filesize: 3.1MB)
memory/1232-123-0x0000000000000000-mapping.dmp
memory/2156-131-0x0000000000000000-mapping.dmp
memory/3024-128-0x0000000002450000-0x0000000002529000-memory.dmp (Filesize: 868KB)
memory/3024-121-0x0000000005D00000-0x0000000005E35000-memory.dmp (Filesize: 1.2MB)
memory/4032-119-0x0000000000A90000-0x0000000000DB0000-memory.dmp (Filesize: 3.1MB)
memory/4032-120-0x00000000004C0000-0x000000000060A000-memory.dmp (Filesize: 1.3MB)
memory/4032-117-0x000000000041D4F0-mapping.dmp
memory/4032-116-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)