Analysis
- max time kernel: 152s
- max time network: 152s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 29-10-2021 09:53
Static task: static1
Behavioral task: behavioral1
- Sample: Invoice.exe
- Resource: win7-en-20210920
General
- Target: Invoice.exe
- Size: 376KB
- MD5: d316b55036ed7571bf26849eb0ae463b
- SHA1: 9b9e1398a81f5692caaf168023311e78fba2b193
- SHA256: f82263cd92ff85163569edb0eae620d23858d5958bb88b5bb205e6660d1e8822
- SHA512: 4037268abc4c9a08d1c8cb2ac87ea239c4315999ef315fe08a2b1c9eac34163a318c9cbfdcb4a11477b0388527f0f15572325b6a9e75fb117765550e48e5ef56
Malware Config
Extracted
xloader
2.5
ku75
http://www.majesticgolftours.com/ku75/
brews4you.net
underdogpride.com
ej-anders.com
celescope.com
misguidedmarket.com
chaoqiangjixie.com
goldingravel.com
sliceofheavenmenu.com
playlovely.com
modern-elementz.com
privateschoolsofmanila.com
calguardbeta.com
greekowner.com
enrisi.com
musicway.digital
cryptohealthpass.com
kinchipectic.quest
sherwoodstory.online
consultordeimoveis.online
selfhealthcare.club
swaymontana.tech
eyoudirect.com
buge-link.com
nonsensehenough.com
tyc68795.com
krivalnails.com
asabyjas.com
dietatrintadias.com
pantagruel-language.com
beogaistoge.com
wizard-nt.store
lm-desiign.com
aurakayskincare.com
freestarfinanacial.com
nutfat.com
originconsultingservices.com
asihb.com
cbrecruiterssolution.com
tnea2014.com
ampersandcraftsuk.com
enigmasdev.com
e2adriasec.online
80jiang.top
nstrealestate.com
bet-unlim.store
topstitched.com
integratedveteran.com
31068182.com
dangerzonepod.com
everettrossi.com
exobus.xyz
seniorlivingsearchusanet.com
dan-is-a-ghey-retard.com
slatecapitals.com
thetalkzone.com
naturalperuoriginal.com
peninsulaheatpumps.com
stolik-kawowy.com
mirage7.bet
jdrmik.space
citrusarrow.coffee
melisadongel.xyz
hunabkureiki.com
originalkodsukses.icu
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload 3 IoCs
  resource                                                                        yara_rule
  behavioral2/memory/3176-124-0x0000000000400000-0x0000000000429000-memory.dmp    xloader
  behavioral2/memory/3176-125-0x000000000041D4A0-mapping.dmp                      xloader
  behavioral2/memory/1496-132-0x0000000000530000-0x0000000000559000-memory.dmp    xloader
- Suspicious use of SetThreadContext 3 IoCs
  Processes:
  description                            pid   process       target process
  PID 3672 set thread context of 3176    3672  Invoice.exe   Invoice.exe
  PID 3176 set thread context of 3024    3176  Invoice.exe   Explorer.EXE
  PID 1496 set thread context of 3024    1496  colorcpl.exe  Explorer.EXE
- Suspicious behavior: EnumeratesProcesses 46 IoCs
  Processes:
  pid   process
  3176  Invoice.exe   (4 events)
  1496  colorcpl.exe  (42 events)
- Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  Processes:
  pid   process
  3024  Explorer.EXE
- Suspicious behavior: MapViewOfSection 5 IoCs
  Processes:
  pid   process
  3176  Invoice.exe
  3176  Invoice.exe
  3176  Invoice.exe
  1496  colorcpl.exe
  1496  colorcpl.exe
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes:
  description               pid   process
  Token: SeDebugPrivilege   3176  Invoice.exe
  Token: SeDebugPrivilege   1496  colorcpl.exe
- Suspicious use of WriteProcessMemory 12 IoCs
  Processes:
  description                          pid   process       target process
  PID 3672 wrote to memory of 3176     3672  Invoice.exe   Invoice.exe
  PID 3672 wrote to memory of 3176     3672  Invoice.exe   Invoice.exe
  PID 3672 wrote to memory of 3176     3672  Invoice.exe   Invoice.exe
  PID 3672 wrote to memory of 3176     3672  Invoice.exe   Invoice.exe
  PID 3672 wrote to memory of 3176     3672  Invoice.exe   Invoice.exe
  PID 3672 wrote to memory of 3176     3672  Invoice.exe   Invoice.exe
  PID 3024 wrote to memory of 1496     3024  Explorer.EXE  colorcpl.exe
  PID 3024 wrote to memory of 1496     3024  Explorer.EXE  colorcpl.exe
  PID 3024 wrote to memory of 1496     3024  Explorer.EXE  colorcpl.exe
  PID 1496 wrote to memory of 3768     1496  colorcpl.exe  cmd.exe
  PID 1496 wrote to memory of 3768     1496  colorcpl.exe  cmd.exe
  PID 1496 wrote to memory of 3768     1496  colorcpl.exe  cmd.exe
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Suspicious behavior: GetForegroundWindowSpam
  Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Invoice.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Invoice.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\colorcpl.exe
    Command line: "C:\Windows\SysWOW64\colorcpl.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious behavior: MapViewOfSection
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
Downloads
- memory/1496-135-0x0000000004530000-0x00000000045C0000-memory.dmp (Filesize: 576KB)
- memory/1496-131-0x0000000000C90000-0x0000000000CA9000-memory.dmp (Filesize: 100KB)
- memory/1496-133-0x00000000046E0000-0x0000000004A00000-memory.dmp (Filesize: 3.1MB)
- memory/1496-132-0x0000000000530000-0x0000000000559000-memory.dmp (Filesize: 164KB)
- memory/1496-130-0x0000000000000000-mapping.dmp
- memory/3024-129-0x0000000005D00000-0x0000000005E37000-memory.dmp (Filesize: 1.2MB)
- memory/3024-136-0x0000000002450000-0x0000000002517000-memory.dmp (Filesize: 796KB)
- memory/3176-128-0x00000000014C0000-0x000000000160A000-memory.dmp (Filesize: 1.3MB)
- memory/3176-124-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/3176-125-0x000000000041D4A0-mapping.dmp
- memory/3176-127-0x0000000001A40000-0x0000000001D60000-memory.dmp (Filesize: 3.1MB)
- memory/3672-115-0x0000000000F90000-0x0000000000F91000-memory.dmp (Filesize: 4KB)
- memory/3672-123-0x00000000091E0000-0x000000000922A000-memory.dmp (Filesize: 296KB)
- memory/3672-122-0x0000000009230000-0x0000000009231000-memory.dmp (Filesize: 4KB)
- memory/3672-121-0x0000000005C50000-0x0000000005C56000-memory.dmp (Filesize: 24KB)
- memory/3672-120-0x0000000005A60000-0x0000000005A61000-memory.dmp (Filesize: 4KB)
- memory/3672-119-0x0000000005A20000-0x0000000005F1E000-memory.dmp (Filesize: 5.0MB)
- memory/3672-118-0x0000000005960000-0x0000000005961000-memory.dmp (Filesize: 4KB)
- memory/3672-117-0x0000000005F20000-0x0000000005F21000-memory.dmp (Filesize: 4KB)
- memory/3768-134-0x0000000000000000-mapping.dmp