Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 26-10-2021 13:06
- Static task: static1
- Behavioral task: behavioral1
  - Sample: payment advice_16000.exe
  - Resource: win7-en-20210920
General
- Target: payment advice_16000.exe
- Size: 254KB
- MD5: a1c481bb9474e04781840009a3c10664
- SHA1: c432b71a2f493e7c7a120d42d41bf7e4de2053f8
- SHA256: 68aba64ef9b4e5af747005ea8efdd213a80e86e45e9b4f480a54af016e3c6c95
- SHA512: 831053501f491e71664ef594394772f18a5197989c4b4dd625572efa5e508a27ef6d3469a94fad64b7c2dee44904400cd9173edaf1fa5049b21e952bf4903f68
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: d6pu
- C2: http://www.bonitaspringshomesearch.com/d6pu/
Signatures

Xloader Payload 4 IoCs
resource | yara_rule
- behavioral2/memory/2684-116-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
- behavioral2/memory/2684-117-0x000000000041D4E0-mapping.dmp | xloader
- behavioral2/memory/4044-125-0x0000000000F10000-0x0000000000F39000-memory.dmp | xloader
- behavioral2/memory/3068-135-0x000000000041D4E0-mapping.dmp | xloader

Executes dropped EXE 2 IoCs
pid | process
- 360 | winktyl00.exe
- 3068 | winktyl00.exe

Loads dropped DLL 2 IoCs
pid | process
- 2708 | payment advice_16000.exe
- 360 | winktyl00.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | process
- Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | cmd.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ILMDQRT8YJ = "C:\\Program Files (x86)\\Zuv1xjlm\\winktyl00.exe" | cmd.exe

Suspicious use of SetThreadContext 4 IoCs
description | pid | process | target process
- PID 2708 set thread context of 2684 | 2708 | payment advice_16000.exe | payment advice_16000.exe
- PID 2684 set thread context of 3056 | 2684 | payment advice_16000.exe | Explorer.EXE
- PID 4044 set thread context of 3056 | 4044 | cmd.exe | Explorer.EXE
- PID 360 set thread context of 3068 | 360 | winktyl00.exe | winktyl00.exe

Drops file in Program Files directory 4 IoCs
description | ioc | process
- File opened for modification | C:\Program Files (x86)\Zuv1xjlm\winktyl00.exe | cmd.exe
- File opened for modification | C:\Program Files (x86)\Zuv1xjlm | Explorer.EXE
- File created | C:\Program Files (x86)\Zuv1xjlm\winktyl00.exe | Explorer.EXE
- File opened for modification | C:\Program Files (x86)\Zuv1xjlm\winktyl00.exe | Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

NSIS installer 6 IoCs
resource | yara_rule
- C:\Program Files (x86)\Zuv1xjlm\winktyl00.exe | nsis_installer_1 (reported three times)
- C:\Program Files (x86)\Zuv1xjlm\winktyl00.exe | nsis_installer_2 (reported three times)
Modifies Internet Explorer settings 1 IoCs
description | ioc | process
- Key created | \Registry\User\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | cmd.exe
Suspicious behavior: EnumeratesProcesses 56 IoCs
pid | process (occurrences)
- 2684 | payment advice_16000.exe (4)
- 4044 | cmd.exe (50)
- 3068 | winktyl00.exe (2)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | process
- 3056 | Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs
pid | process (occurrences)
- 2684 | payment advice_16000.exe (3)
- 4044 | cmd.exe (4)

Suspicious use of AdjustPrivilegeToken 5 IoCs
description | pid | process
- Token: SeDebugPrivilege | 2684 | payment advice_16000.exe
- Token: SeDebugPrivilege | 4044 | cmd.exe
- Token: SeShutdownPrivilege | 3056 | Explorer.EXE
- Token: SeCreatePagefilePrivilege | 3056 | Explorer.EXE
- Token: SeDebugPrivilege | 3068 | winktyl00.exe

Suspicious use of WriteProcessMemory 27 IoCs
description | pid | process | target process (occurrences)
- PID 2708 wrote to memory of 2684 | 2708 | payment advice_16000.exe | payment advice_16000.exe (6)
- PID 3056 wrote to memory of 4044 | 3056 | Explorer.EXE | cmd.exe (3)
- PID 4044 wrote to memory of 388 | 4044 | cmd.exe | cmd.exe (3)
- PID 3056 wrote to memory of 360 | 3056 | Explorer.EXE | winktyl00.exe (3)
- PID 360 wrote to memory of 3068 | 360 | winktyl00.exe | winktyl00.exe (6)
- PID 4044 wrote to memory of 3560 | 4044 | cmd.exe | cmd.exe (3)
- PID 4044 wrote to memory of 772 | 4044 | cmd.exe | Firefox.exe (3)
Processes
(bracketed number = depth in the process tree)

[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    - Drops file in Program Files directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\payment advice_16000.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\payment advice_16000.exe"
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\payment advice_16000.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\payment advice_16000.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\SysWOW64\cmd.exe"
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: /c del "C:\Users\Admin\AppData\Local\Temp\payment advice_16000.exe"
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
        [3] C:\Program Files\Mozilla Firefox\Firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
    [2] C:\Program Files (x86)\Zuv1xjlm\winktyl00.exe
        command line: "C:\Program Files (x86)\Zuv1xjlm\winktyl00.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        [3] C:\Program Files (x86)\Zuv1xjlm\winktyl00.exe
            command line: "C:\Program Files (x86)\Zuv1xjlm\winktyl00.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Program Files (x86)\Zuv1xjlm\winktyl00.exe (same hashes as the submitted sample)
  MD5: a1c481bb9474e04781840009a3c10664
  SHA1: c432b71a2f493e7c7a120d42d41bf7e4de2053f8
  SHA256: 68aba64ef9b4e5af747005ea8efdd213a80e86e45e9b4f480a54af016e3c6c95
  SHA512: 831053501f491e71664ef594394772f18a5197989c4b4dd625572efa5e508a27ef6d3469a94fad64b7c2dee44904400cd9173edaf1fa5049b21e952bf4903f68
- C:\Users\Admin\AppData\Local\Temp\DB1 (copy of the Chrome "Login Data" file, see the cmd.exe /c copy command in the process tree)
  MD5: b608d407fc15adea97c26936bc6f03f6
  SHA1: 953e7420801c76393902c0d6bb56148947e41571
  SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
- C:\Users\Admin\AppData\Local\Temp\fz9jymg857rxbe
  MD5: 39797312794434002a09131e32b5d347
  SHA1: dc40573abf285996f4cf2e6087b677152e8a85e3
  SHA256: 6d514108c7b81f6cade0ccbccffc39d9ea239a59bbb98e6d00b0821f9e0a6f3d
  SHA512: 736553e17ba74448067396261df3be57ca40f95d4d420114a8ca3e55cea6971d5ab3c8560f05e2ddaec4401b381f202f317e2527b2ec614478902505a7e24086
- \Users\Admin\AppData\Local\Temp\nsrEE59.tmp\mdta.dll
  MD5: 7be3eed97c26a1f2f541fac2be0b7fa9
  SHA1: 430271b97cebe8ae8fc94b5661dca421469c82cd
  SHA256: d67b59fb5f9599649fa1aee124aca1b4db74a20fff182133f6569e95d9dd27d0
  SHA512: 80fe44fc62eb3c8799cf75c66b542995db529ad694665bef18b6ed89eeb976bd328f9965694934a40d345b1bb4e10de13e52747e40f60ea66fb3f4eafbaa0d38
- \Users\Admin\AppData\Local\Temp\nsyC80B.tmp\mdta.dll (same hashes as the mdta.dll above)
  MD5: 7be3eed97c26a1f2f541fac2be0b7fa9
  SHA1: 430271b97cebe8ae8fc94b5661dca421469c82cd
  SHA256: d67b59fb5f9599649fa1aee124aca1b4db74a20fff182133f6569e95d9dd27d0
  SHA512: 80fe44fc62eb3c8799cf75c66b542995db529ad694665bef18b6ed89eeb976bd328f9965694934a40d345b1bb4e10de13e52747e40f60ea66fb3f4eafbaa0d38
Memory dumps (file size where reported)
- memory/360-129-0x0000000000000000-mapping.dmp
- memory/388-123-0x0000000000000000-mapping.dmp
- memory/2684-119-0x0000000000AB0000-0x0000000000DD0000-memory.dmp (3.1MB)
- memory/2684-120-0x00000000004C0000-0x000000000060A000-memory.dmp (1.3MB)
- memory/2684-117-0x000000000041D4E0-mapping.dmp
- memory/2684-116-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
- memory/3056-121-0x0000000006140000-0x00000000062D1000-memory.dmp (1.6MB)
- memory/3056-128-0x00000000068D0000-0x0000000006A2C000-memory.dmp (1.4MB)
- memory/3068-135-0x000000000041D4E0-mapping.dmp
- memory/3068-137-0x0000000000A50000-0x0000000000D70000-memory.dmp (3.1MB)
- memory/3560-138-0x0000000000000000-mapping.dmp
- memory/4044-127-0x0000000003670000-0x0000000003700000-memory.dmp (576KB)
- memory/4044-126-0x0000000003810000-0x0000000003B30000-memory.dmp (3.1MB)
- memory/4044-125-0x0000000000F10000-0x0000000000F39000-memory.dmp (164KB)
- memory/4044-124-0x0000000000FB0000-0x0000000001009000-memory.dmp (356KB)
- memory/4044-122-0x0000000000000000-mapping.dmp