Analysis
max time kernel: 149s
max time network: 168s
platform: windows7_x64
resource: win7-en-20210920
submitted: 29-10-2021 09:53

Static task: static1
Behavioral task: behavioral1
Sample: Invoice.exe
Resource: win7-en-20210920
General
Target: Invoice.exe
Size: 376KB
MD5: d316b55036ed7571bf26849eb0ae463b
SHA1: 9b9e1398a81f5692caaf168023311e78fba2b193
SHA256: f82263cd92ff85163569edb0eae620d23858d5958bb88b5bb205e6660d1e8822
SHA512: 4037268abc4c9a08d1c8cb2ac87ea239c4315999ef315fe08a2b1c9eac34163a318c9cbfdcb4a11477b0388527f0f15572325b6a9e75fb117765550e48e5ef56
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: ku75
C2: http://www.majesticgolftours.com/ku75/
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1460-62-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral1/memory/1460-63-0x000000000041D4A0-mapping.dmp | xloader
behavioral1/memory/1220-71-0x0000000000080000-0x00000000000A9000-memory.dmp | xloader
Deletes itself 1 IoCs
Processes:
pid | process
1984 | cmd.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 324 set thread context of 1460 | 324 | Invoice.exe | Invoice.exe
PID 1460 set thread context of 1364 | 1460 | Invoice.exe | Explorer.EXE
PID 1220 set thread context of 1364 | 1220 | NAPSTAT.EXE | Explorer.EXE
Drops file in Program Files directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files (x86)\L4h9l_r5h\regsvcnnu0.exe | NAPSTAT.EXE
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
pid | process | events
1460 | Invoice.exe | 2
1220 | NAPSTAT.EXE | 20
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid | process | events
1460 | Invoice.exe | 3
1220 | NAPSTAT.EXE | 2
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1460 | Invoice.exe
Token: SeDebugPrivilege | 1220 | NAPSTAT.EXE
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process | events
1364 | Explorer.EXE | 2
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid | process | events
1364 | Explorer.EXE | 2
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description | pid | process | target process | events
PID 324 wrote to memory of 1460 | 324 | Invoice.exe | Invoice.exe | 7
PID 1364 wrote to memory of 1220 | 1364 | Explorer.EXE | NAPSTAT.EXE | 4
PID 1220 wrote to memory of 1984 | 1220 | NAPSTAT.EXE | cmd.exe | 4
Processes
[depth 1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\Temp\Invoice.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Users\Admin\AppData\Local\Temp\Invoice.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  [depth 2] C:\Windows\SysWOW64\NAPSTAT.EXE
    command line: "C:\Windows\SysWOW64\NAPSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
      - Deletes itself
Downloads
memory/324-54-0x0000000000090000-0x0000000000091000-memory.dmp (4KB)
memory/324-56-0x0000000000600000-0x0000000000601000-memory.dmp (4KB)
memory/324-57-0x0000000076B61000-0x0000000076B63000-memory.dmp (8KB)
memory/324-58-0x0000000000510000-0x0000000000516000-memory.dmp (24KB)
memory/324-59-0x0000000000930000-0x000000000097A000-memory.dmp (296KB)
memory/1220-68-0x0000000000000000-mapping.dmp
memory/1220-71-0x0000000000080000-0x00000000000A9000-memory.dmp (164KB)
memory/1220-73-0x0000000001C90000-0x0000000001D20000-memory.dmp (576KB)
memory/1220-70-0x00000000006B0000-0x00000000006F6000-memory.dmp (280KB)
memory/1220-72-0x0000000001F60000-0x0000000002263000-memory.dmp (3.0MB)
memory/1364-74-0x00000000064D0000-0x000000000662B000-memory.dmp (1.4MB)
memory/1364-67-0x0000000006FE0000-0x0000000007148000-memory.dmp (1.4MB)
memory/1460-66-0x0000000000300000-0x0000000000311000-memory.dmp (68KB)
memory/1460-60-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
memory/1460-65-0x0000000000A00000-0x0000000000D03000-memory.dmp (3.0MB)
memory/1460-61-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
memory/1460-63-0x000000000041D4A0-mapping.dmp
memory/1460-62-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
memory/1984-69-0x0000000000000000-mapping.dmp