Analysis
Max time kernel: 149s
Max time network: 152s
Platform: windows7_x64
Resource: win7-en-20210920
Submitted: 26-10-2021 13:06
Static task: static1
Behavioral task: behavioral1
Sample: payment advice_16000.exe
Resource: win7-en-20210920
General
Target: payment advice_16000.exe
Size: 254KB
MD5: a1c481bb9474e04781840009a3c10664
SHA1: c432b71a2f493e7c7a120d42d41bf7e4de2053f8
SHA256: 68aba64ef9b4e5af747005ea8efdd213a80e86e45e9b4f480a54af016e3c6c95
SHA512: 831053501f491e71664ef594394772f18a5197989c4b4dd625572efa5e508a27ef6d3469a94fad64b7c2dee44904400cd9173edaf1fa5049b21e952bf4903f68
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: d6pu
C2: http://www.bonitaspringshomesearch.com/d6pu/
Decoy domains (from the extracted config; the C2 URL above is the only live one):
ifixcreditatl.com
productgeekout.com
electricvehicle-insurance.com
kuiper.business
cloudenglabs.com
gorbepari.com
collecthappy.com
amykrussell.store
clubhousebusinesscourse.com
aplussinifiklima.com
slewis.design
atticwitt.com
galenota.com
griphook.xyz
gsjbd1.club
bootystrapfitness.com
emflawrhks.com
alternativedata.investments
eyehealthtnpasumo3.xyz
naturanzaec.com
vinotrentino.info
thisevent.com
joaopedroeviviane.com
fructuosopascualehijos.net
nftokenartwork.com
gymzara.com
erwan-gueldy-transexual.net
enjoyjourneys.com
sanguinejewellery.com
xxxafricain.com
besrbee.com
kefirusa.com
dualdrivesystem.com
brixbol.com
cor-pt.com
myrhannover.com
entospt.com
slabiesplin.quest
rebuildablecarsonline.com
gangom.com
msulthony.tech
thesmithyvan.com
dharma33.com
rjm226.com
yourbestproduct.com
hyderabadmotorclub.com
karlitomarx.com
sunflowerediting.com
seangreenphotography.com
vikramsparmar.com
roguelakegames.com
globaltechmeet.com
wmr.agency
buksi.biz
ratnagirikosh.com
charleskinzel.com
dunavulkan.quest
diffamr.net
ceveye.com
ss0235.com
7u2mjf.com
getavan.net
thinkcentury.net
diasporahealthfoundation.com
Signatures
Xloader Payload (3 IoCs)
  yara_rule xloader matched in:
    behavioral1/memory/284-56-0x0000000000400000-0x0000000000429000-memory.dmp
    behavioral1/memory/284-57-0x000000000041D4E0-mapping.dmp
    behavioral1/memory/1712-65-0x0000000000100000-0x0000000000129000-memory.dmp
Deletes itself (1 IoC)
  pid 1820 cmd.exe
Loads dropped DLL (1 IoC)
  pid 1720 payment advice_16000.exe
Suspicious use of SetThreadContext (3 IoCs)
  PID 1720 (payment advice_16000.exe) set thread context of PID 284 (payment advice_16000.exe)
  PID 284 (payment advice_16000.exe) set thread context of PID 1400 (Explorer.EXE)
  PID 1712 (wininit.exe) set thread context of PID 1400 (Explorer.EXE)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid 284 payment advice_16000.exe (2 entries)
  pid 1712 wininit.exe (29 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1400 Explorer.EXE
Suspicious behavior: MapViewOfSection (5 IoCs)
  pid 284 payment advice_16000.exe (3 entries)
  pid 1712 wininit.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 284 payment advice_16000.exe
  Token: SeDebugPrivilege, pid 1712 wininit.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 1400 Explorer.EXE (2 entries)
Suspicious use of SendNotifyMessage (2 IoCs)
  pid 1400 Explorer.EXE (2 entries)
Suspicious use of WriteProcessMemory (15 IoCs)
  PID 1720 (payment advice_16000.exe) wrote to memory of PID 284 (payment advice_16000.exe) (7 entries)
  PID 1400 (Explorer.EXE) wrote to memory of PID 1712 (wininit.exe) (4 entries)
  PID 1712 (wininit.exe) wrote to memory of PID 1820 (cmd.exe) (4 entries)
Processes (tree; PIDs taken from the signature tables above)
C:\Windows\Explorer.EXE (PID 1400)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\payment advice_16000.exe (PID 1720)
    Command line: "C:\Users\Admin\AppData\Local\Temp\payment advice_16000.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\payment advice_16000.exe (PID 284)
      Command line: "C:\Users\Admin\AppData\Local\Temp\payment advice_16000.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\wininit.exe (PID 1712)
    Command line: "C:\Windows\SysWOW64\wininit.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 1820)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\payment advice_16000.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
\Users\Admin\AppData\Local\Temp\nsdC830.tmp\mdta.dll
  MD5: 7be3eed97c26a1f2f541fac2be0b7fa9
  SHA1: 430271b97cebe8ae8fc94b5661dca421469c82cd
  SHA256: d67b59fb5f9599649fa1aee124aca1b4db74a20fff182133f6569e95d9dd27d0
  SHA512: 80fe44fc62eb3c8799cf75c66b542995db529ad694665bef18b6ed89eeb976bd328f9965694934a40d345b1bb4e10de13e52747e40f60ea66fb3f4eafbaa0d38
memory/284-59-0x0000000000770000-0x0000000000A73000-memory.dmp
  Filesize: 3.0MB
memory/284-56-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
memory/284-57-0x000000000041D4E0-mapping.dmp
memory/284-60-0x00000000002D0000-0x00000000002E1000-memory.dmp
  Filesize: 68KB
memory/1400-61-0x0000000006950000-0x0000000006A64000-memory.dmp
  Filesize: 1.1MB
memory/1400-68-0x0000000006A70000-0x0000000006B8A000-memory.dmp
  Filesize: 1.1MB
memory/1712-62-0x0000000000000000-mapping.dmp
memory/1712-63-0x0000000000280000-0x000000000029A000-memory.dmp
  Filesize: 104KB
memory/1712-64-0x0000000001E30000-0x0000000002133000-memory.dmp
  Filesize: 3.0MB
memory/1712-65-0x0000000000100000-0x0000000000129000-memory.dmp
  Filesize: 164KB
memory/1712-67-0x0000000001D00000-0x0000000001D90000-memory.dmp
  Filesize: 576KB
memory/1720-54-0x00000000751A1000-0x00000000751A3000-memory.dmp
  Filesize: 8KB
memory/1820-66-0x0000000000000000-mapping.dmp