Analysis
-
max time kernel
601s -
max time network
603s -
platform
windows7_x64 -
resource
win7-ja-20211014 -
submitted
21-10-2021 12:22
Static task
static1
Behavioral task
behavioral1
Sample
HTK TT600202109300860048866 Payment Proof.pdf.exe
Resource
win7-ja-20211014
Behavioral task
behavioral2
Sample
HTK TT600202109300860048866 Payment Proof.pdf.exe
Resource
win7-en-20210920
Behavioral task
behavioral3
Sample
HTK TT600202109300860048866 Payment Proof.pdf.exe
Resource
win7-de-20211014
Behavioral task
behavioral4
Sample
HTK TT600202109300860048866 Payment Proof.pdf.exe
Resource
win11
Behavioral task
behavioral5
Sample
HTK TT600202109300860048866 Payment Proof.pdf.exe
Resource
win10-ja-20211014
Behavioral task
behavioral6
Sample
HTK TT600202109300860048866 Payment Proof.pdf.exe
Resource
win10-en-20210920
General
-
Target
HTK TT600202109300860048866 Payment Proof.pdf.exe
-
Size
461KB
-
MD5
f12bf73a1cb81b5ddd8dd6ed66e610f1
-
SHA1
cb8b0497c95512bf9233823f7d20937424c87207
-
SHA256
6446736e3662120e1fe4c3518bc8e6d14553f6b0b27aaf1fc5676e1f73a50c33
-
SHA512
385c4de5deca014f7486f802efc9a305e2bd2c457a21b63f66bf6f3caef1acee6537f32c7cd4690ee0378939dfad4444abb832c31fb5b5cfcb5bf7ae86715bad
Malware Config
Extracted
xloader
2.5
euzn
http://www.heser.net/euzn/
235296tyc.com
gold12guide.art
baibuaherb.com
weberwines.tax
chezvitoria.com
aidenb.tech
pitchdeckservice.com
surgeryforfdf.xyz
workunvaccinated.com
hrtaro.com
yourotcs.com
sonimultispecialityclinic.com
consultantadvisors.com
pentesting-consulting.com
dantechs.digital
longshifa.online
taweilai.net
imyusuke.com
cashndashfinancial.com
fasiglimt.quest
jakital.com
graywolfdesign.com
pepeavatar.com
predixlogisticscourier.com
football-transfer-news.pro
herbalmedication.xyz
esd66.com
janesgalant.quest
abcrefreshments.com
chaoxy.com
rediscoveringyouhealing.com
mcrjadr5.xyz
n4sins.com
faithful-presence.com
013yu.xyz
isystemslanka.com
newbeautydk.com
ethiopia-info.com
hgaffiliates.net
anodynemedicalmassage.com
esohgroup.com
clinicamonicabarros.com
rafathecook.com
londonescort.xyz
dreamites.com
webtiyan.com
cnnautorepair.com
soposhshop.com
aarohaninsight2021.com
arceprojects.com
mecasso.store
mirai-energy.com
barwg.com
angeescollections-shop.com
xinlishiqiaoqiao.xyz
linuxsauce.net
dirbn.com
anandiaper.xyz
blackpanther.online
livinwoodbridgefarms.com
diepraxiskommunikation.com
radiosaptshahid.com
gofieldtest.com
minxtales.com
Signatures
-
Xloader Payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/784-63-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral1/memory/784-64-0x000000000041D420-mapping.dmp xloader behavioral1/memory/672-72-0x0000000000080000-0x00000000000A9000-memory.dmp xloader behavioral1/memory/2012-89-0x000000000041D420-mapping.dmp xloader -
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
netsh.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run netsh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\XZWT4RBPT = "C:\\Program Files (x86)\\Cnng4x\\services7nmdpl.exe" netsh.exe -
Executes dropped EXE 3 IoCs
Processes:
services7nmdpl.exeservices7nmdpl.exeservices7nmdpl.exepid process 1948 services7nmdpl.exe 948 services7nmdpl.exe 2012 services7nmdpl.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 336 cmd.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
HTK TT600202109300860048866 Payment Proof.pdf.exeHTK TT600202109300860048866 Payment Proof.pdf.exenetsh.exeservices7nmdpl.exedescription pid process target process PID 1156 set thread context of 784 1156 HTK TT600202109300860048866 Payment Proof.pdf.exe HTK TT600202109300860048866 Payment Proof.pdf.exe PID 784 set thread context of 1420 784 HTK TT600202109300860048866 Payment Proof.pdf.exe Explorer.EXE PID 672 set thread context of 1420 672 netsh.exe Explorer.EXE PID 1948 set thread context of 2012 1948 services7nmdpl.exe services7nmdpl.exe -
Drops file in Program Files directory 2 IoCs
Processes:
netsh.exeExplorer.EXEdescription ioc process File opened for modification C:\Program Files (x86)\Cnng4x\services7nmdpl.exe netsh.exe File created C:\Program Files (x86)\Cnng4x\services7nmdpl.exe Explorer.EXE -
Processes:
netsh.exedescription ioc process Key created \Registry\User\S-1-5-21-2955169046-2371869340-1800780948-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 netsh.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
HTK TT600202109300860048866 Payment Proof.pdf.exenetsh.exeservices7nmdpl.exeservices7nmdpl.exepid process 784 HTK TT600202109300860048866 Payment Proof.pdf.exe 784 HTK TT600202109300860048866 Payment Proof.pdf.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 1948 services7nmdpl.exe 2012 services7nmdpl.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1420 Explorer.EXE -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
HTK TT600202109300860048866 Payment Proof.pdf.exenetsh.exepid process 784 HTK TT600202109300860048866 Payment Proof.pdf.exe 784 HTK TT600202109300860048866 Payment Proof.pdf.exe 784 HTK TT600202109300860048866 Payment Proof.pdf.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe 672 netsh.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
HTK TT600202109300860048866 Payment Proof.pdf.exenetsh.exeservices7nmdpl.exeservices7nmdpl.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 784 HTK TT600202109300860048866 Payment Proof.pdf.exe Token: SeDebugPrivilege 672 netsh.exe Token: SeDebugPrivilege 1948 services7nmdpl.exe Token: SeDebugPrivilege 2012 services7nmdpl.exe Token: SeShutdownPrivilege 1420 Explorer.EXE Token: SeShutdownPrivilege 1420 Explorer.EXE Token: SeShutdownPrivilege 1420 Explorer.EXE -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
Explorer.EXEpid process 1420 Explorer.EXE 1420 Explorer.EXE 1420 Explorer.EXE 1420 Explorer.EXE -
Suspicious use of SendNotifyMessage 26 IoCs
Processes:
Explorer.EXEpid process 1420 Explorer.EXE 1420 Explorer.EXE 1420 Explorer.EXE 1420 Explorer.EXE 1420 Explorer.EXE 1420 Explorer.EXE 1420 Explorer.EXE 1420 Explorer.EXE 1420 Explorer.EXE 1420 Explorer.EXE 1420 Explorer.EXE 1420 Explorer.EXE 1420 Explorer.EXE 1420 Explorer.EXE 1420 Explorer.EXE 1420 Explorer.EXE 1420 Explorer.EXE 1420 Explorer.EXE 1420 Explorer.EXE 1420 Explorer.EXE 1420 Explorer.EXE 1420 Explorer.EXE 1420 Explorer.EXE 1420 Explorer.EXE 1420 Explorer.EXE 1420 Explorer.EXE -
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
HTK TT600202109300860048866 Payment Proof.pdf.exeExplorer.EXEnetsh.exeservices7nmdpl.exetaskeng.exedescription pid process target process PID 1156 wrote to memory of 784 1156 HTK TT600202109300860048866 Payment Proof.pdf.exe HTK TT600202109300860048866 Payment Proof.pdf.exe PID 1156 wrote to memory of 784 1156 HTK TT600202109300860048866 Payment Proof.pdf.exe HTK TT600202109300860048866 Payment Proof.pdf.exe PID 1156 wrote to memory of 784 1156 HTK TT600202109300860048866 Payment Proof.pdf.exe HTK TT600202109300860048866 Payment Proof.pdf.exe PID 1156 wrote to memory of 784 1156 HTK TT600202109300860048866 Payment Proof.pdf.exe HTK TT600202109300860048866 Payment Proof.pdf.exe PID 1156 wrote to memory of 784 1156 HTK TT600202109300860048866 Payment Proof.pdf.exe HTK TT600202109300860048866 Payment Proof.pdf.exe PID 1156 wrote to memory of 784 1156 HTK TT600202109300860048866 Payment Proof.pdf.exe HTK TT600202109300860048866 Payment Proof.pdf.exe PID 1156 wrote to memory of 784 1156 HTK TT600202109300860048866 Payment Proof.pdf.exe HTK TT600202109300860048866 Payment Proof.pdf.exe PID 1420 wrote to memory of 672 1420 Explorer.EXE netsh.exe PID 1420 wrote to memory of 672 1420 Explorer.EXE netsh.exe PID 1420 wrote to memory of 672 1420 Explorer.EXE netsh.exe PID 1420 wrote to memory of 672 1420 Explorer.EXE netsh.exe PID 672 wrote to memory of 336 672 netsh.exe cmd.exe PID 672 wrote to memory of 336 672 netsh.exe cmd.exe PID 672 wrote to memory of 336 672 netsh.exe cmd.exe PID 672 wrote to memory of 336 672 netsh.exe cmd.exe PID 672 wrote to memory of 1908 672 netsh.exe Firefox.exe PID 672 wrote to memory of 1908 672 netsh.exe Firefox.exe PID 672 wrote to memory of 1908 672 netsh.exe Firefox.exe PID 672 wrote to memory of 1908 672 netsh.exe Firefox.exe PID 1420 wrote to memory of 1948 1420 Explorer.EXE services7nmdpl.exe PID 1420 wrote to memory of 1948 1420 Explorer.EXE services7nmdpl.exe PID 1420 wrote to memory of 1948 1420 Explorer.EXE services7nmdpl.exe PID 1420 wrote to memory of 1948 1420 Explorer.EXE services7nmdpl.exe PID 672 wrote to memory of 1908 672 netsh.exe Firefox.exe PID 1948 wrote to memory of 948 1948 services7nmdpl.exe services7nmdpl.exe PID 1948 wrote to memory of 948 1948 services7nmdpl.exe services7nmdpl.exe PID 1948 wrote to memory of 948 1948 services7nmdpl.exe services7nmdpl.exe PID 1948 wrote to memory of 948 1948 services7nmdpl.exe services7nmdpl.exe PID 1948 wrote to memory of 2012 1948 services7nmdpl.exe services7nmdpl.exe PID 1948 wrote to memory of 2012 1948 services7nmdpl.exe services7nmdpl.exe PID 1948 wrote to memory of 2012 1948 services7nmdpl.exe services7nmdpl.exe PID 1948 wrote to memory of 2012 1948 services7nmdpl.exe services7nmdpl.exe PID 1948 wrote to memory of 2012 1948 services7nmdpl.exe services7nmdpl.exe PID 1948 wrote to memory of 2012 1948 services7nmdpl.exe services7nmdpl.exe PID 1948 wrote to memory of 2012 1948 services7nmdpl.exe services7nmdpl.exe PID 1148 wrote to memory of 1540 1148 taskeng.exe default-browser-agent.exe PID 1148 wrote to memory of 1540 1148 taskeng.exe default-browser-agent.exe PID 1148 wrote to memory of 1540 1148 taskeng.exe default-browser-agent.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\HTK TT600202109300860048866 Payment Proof.pdf.exe"C:\Users\Admin\AppData\Local\Temp\HTK TT600202109300860048866 Payment Proof.pdf.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\HTK TT600202109300860048866 Payment Proof.pdf.exe"C:\Users\Admin\AppData\Local\Temp\HTK TT600202109300860048866 Payment Proof.pdf.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe"2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\HTK TT600202109300860048866 Payment Proof.pdf.exe"3⤵
- Deletes itself
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
C:\Program Files (x86)\Cnng4x\services7nmdpl.exe"C:\Program Files (x86)\Cnng4x\services7nmdpl.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Cnng4x\services7nmdpl.exe"C:\Program Files (x86)\Cnng4x\services7nmdpl.exe"3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Cnng4x\services7nmdpl.exe"C:\Program Files (x86)\Cnng4x\services7nmdpl.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {F37FA4C3-E7B7-442A-8A39-0EB1583E63BA} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {37883A03-041F-48F6-A2AE-BC3A73BB5131} S-1-5-21-2955169046-2371869340-1800780948-1000:UKNHJUQT\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\default-browser-agent.exe"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Cnng4x\services7nmdpl.exeMD5
f12bf73a1cb81b5ddd8dd6ed66e610f1
SHA1cb8b0497c95512bf9233823f7d20937424c87207
SHA2566446736e3662120e1fe4c3518bc8e6d14553f6b0b27aaf1fc5676e1f73a50c33
SHA512385c4de5deca014f7486f802efc9a305e2bd2c457a21b63f66bf6f3caef1acee6537f32c7cd4690ee0378939dfad4444abb832c31fb5b5cfcb5bf7ae86715bad
-
C:\Program Files (x86)\Cnng4x\services7nmdpl.exeMD5
f12bf73a1cb81b5ddd8dd6ed66e610f1
SHA1cb8b0497c95512bf9233823f7d20937424c87207
SHA2566446736e3662120e1fe4c3518bc8e6d14553f6b0b27aaf1fc5676e1f73a50c33
SHA512385c4de5deca014f7486f802efc9a305e2bd2c457a21b63f66bf6f3caef1acee6537f32c7cd4690ee0378939dfad4444abb832c31fb5b5cfcb5bf7ae86715bad
-
C:\Program Files (x86)\Cnng4x\services7nmdpl.exeMD5
f12bf73a1cb81b5ddd8dd6ed66e610f1
SHA1cb8b0497c95512bf9233823f7d20937424c87207
SHA2566446736e3662120e1fe4c3518bc8e6d14553f6b0b27aaf1fc5676e1f73a50c33
SHA512385c4de5deca014f7486f802efc9a305e2bd2c457a21b63f66bf6f3caef1acee6537f32c7cd4690ee0378939dfad4444abb832c31fb5b5cfcb5bf7ae86715bad
-
C:\Program Files (x86)\Cnng4x\services7nmdpl.exeMD5
f12bf73a1cb81b5ddd8dd6ed66e610f1
SHA1cb8b0497c95512bf9233823f7d20937424c87207
SHA2566446736e3662120e1fe4c3518bc8e6d14553f6b0b27aaf1fc5676e1f73a50c33
SHA512385c4de5deca014f7486f802efc9a305e2bd2c457a21b63f66bf6f3caef1acee6537f32c7cd4690ee0378939dfad4444abb832c31fb5b5cfcb5bf7ae86715bad
-
memory/336-70-0x0000000000000000-mapping.dmp
-
memory/672-71-0x0000000001770000-0x000000000178B000-memory.dmpFilesize
108KB
-
memory/672-69-0x0000000000000000-mapping.dmp
-
memory/672-74-0x0000000000570000-0x0000000000600000-memory.dmpFilesize
576KB
-
memory/672-73-0x0000000000C90000-0x0000000000F93000-memory.dmpFilesize
3.0MB
-
memory/672-72-0x0000000000080000-0x00000000000A9000-memory.dmpFilesize
164KB
-
memory/784-67-0x0000000000180000-0x0000000000191000-memory.dmpFilesize
68KB
-
memory/784-64-0x000000000041D420-mapping.dmp
-
memory/784-62-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/784-61-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/784-63-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/784-65-0x0000000000B40000-0x0000000000E43000-memory.dmpFilesize
3.0MB
-
memory/1156-55-0x0000000000930000-0x0000000000931000-memory.dmpFilesize
4KB
-
memory/1156-58-0x0000000004C60000-0x0000000004C61000-memory.dmpFilesize
4KB
-
memory/1156-60-0x0000000004BF0000-0x0000000004C3B000-memory.dmpFilesize
300KB
-
memory/1156-59-0x0000000000630000-0x0000000000637000-memory.dmpFilesize
28KB
-
memory/1156-57-0x0000000075AC1000-0x0000000075AC3000-memory.dmpFilesize
8KB
-
memory/1420-75-0x0000000006BF0000-0x0000000006D2B000-memory.dmpFilesize
1.2MB
-
memory/1420-68-0x0000000004310000-0x00000000043BD000-memory.dmpFilesize
692KB
-
memory/1540-92-0x0000000000000000-mapping.dmp
-
memory/1948-77-0x0000000000000000-mapping.dmp
-
memory/1948-83-0x0000000004D20000-0x0000000004D21000-memory.dmpFilesize
4KB
-
memory/1948-80-0x0000000000150000-0x0000000000151000-memory.dmpFilesize
4KB
-
memory/2012-89-0x000000000041D420-mapping.dmp
-
memory/2012-91-0x0000000000800000-0x0000000000B03000-memory.dmpFilesize
3.0MB