Analysis
max time kernel: 151s
max time network: 175s
platform: windows7_x64
resource: win7-en-20210920
submitted: 04-11-2021 03:13
Static task: static1
Behavioral task: behavioral1
Sample: PO Document.exe
Resource: win7-en-20210920
General
Target: PO Document.exe
Size: 323KB
MD5: 1ec1e11ac3014b8dd331b3d08972f21b
SHA1: 07c546a6a311835c712d9404be182daef56611ab
SHA256: afcf4012f8671a224c6856e0d968b7f7de88d7d96f0caddc97cd0f985694e530
SHA512: 62ae0a5018493d84dd9605a71b25a7bc0b01462280655e4faa4918cd1765dd24de42e64aa9c1f48ce021a05a314dfc9e3b9ceccd7222b1c17c663d4ade3b4d42
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: u9xn
C2: http://www.crisisinterventionadvocates.com/u9xn/
Signatures
Xloader Payload (5 IoCs)
YARA rule matches (resource / rule):
- behavioral1/memory/1416-56-0x0000000000400000-0x0000000000429000-memory.dmp / xloader
- behavioral1/memory/1416-57-0x000000000041D4F0-mapping.dmp / xloader
- behavioral1/memory/1416-62-0x0000000000400000-0x0000000000429000-memory.dmp / xloader
- behavioral1/memory/1152-68-0x0000000000080000-0x00000000000A9000-memory.dmp / xloader
- behavioral1/memory/1712-80-0x000000000041D4F0-mapping.dmp / xloader
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: raserver.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JTH4QLUPW8G = "C:\\Program Files (x86)\\Nsfv\\userrfcx.exe" (raserver.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (raserver.exe)
Executes dropped EXE (2 IoCs)
Processes: userrfcx.exe
- PID 1232 userrfcx.exe
- PID 1712 userrfcx.exe
Modifies Installed Components in the registry (2 TTPs)
Deletes itself (1 IoC)
Processes: cmd.exe
- PID 1072 cmd.exe
Loads dropped DLL (2 IoCs)
Processes: PO Document.exe, userrfcx.exe
- PID 864 PO Document.exe
- PID 1232 userrfcx.exe
Suspicious use of SetThreadContext (5 IoCs)
Processes: PO Document.exe, raserver.exe, userrfcx.exe
- PID 864 PO Document.exe set thread context of PID 1416 PO Document.exe
- PID 1416 PO Document.exe set thread context of PID 1356 Explorer.EXE
- PID 1416 PO Document.exe set thread context of PID 1356 Explorer.EXE
- PID 1152 raserver.exe set thread context of PID 1356 Explorer.EXE
- PID 1232 userrfcx.exe set thread context of PID 1712 userrfcx.exe
Drops file in Program Files directory (2 IoCs)
Processes: raserver.exe, Explorer.EXE
- File opened for modification C:\Program Files (x86)\Nsfv\userrfcx.exe (raserver.exe)
- File created C:\Program Files (x86)\Nsfv\userrfcx.exe (Explorer.EXE)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
NSIS installer (6 IoCs)
YARA rule matches (resource / rule):
- C:\Program Files (x86)\Nsfv\userrfcx.exe / nsis_installer_1
- C:\Program Files (x86)\Nsfv\userrfcx.exe / nsis_installer_2
- C:\Program Files (x86)\Nsfv\userrfcx.exe / nsis_installer_1
- C:\Program Files (x86)\Nsfv\userrfcx.exe / nsis_installer_2
- C:\Program Files (x86)\Nsfv\userrfcx.exe / nsis_installer_1
- C:\Program Files (x86)\Nsfv\userrfcx.exe / nsis_installer_2
Modifies Internet Explorer settings (3 IoCs)
Processes: raserver.exe, explorer.exe
- Key created \Registry\User\S-1-5-21-3456797065-1076791440-4146276586-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (raserver.exe)
- Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar (explorer.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" (explorer.exe)
Modifies registry class (5 IoCs)
Processes: explorer.exe
- Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (explorer.exe)
- Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (explorer.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (explorer.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (explorer.exe)
- Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_Classes\Local Settings (explorer.exe)
Suspicious behavior: EnumeratesProcesses (27 IoCs)
Processes: PO Document.exe, raserver.exe, userrfcx.exe
- PID 1416 PO Document.exe (3 events)
- PID 1152 raserver.exe (23 events)
- PID 1712 userrfcx.exe (1 event)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: Explorer.EXE
- PID 1356 Explorer.EXE
Suspicious behavior: MapViewOfSection (8 IoCs)
Processes: PO Document.exe, raserver.exe
- PID 1416 PO Document.exe (4 events)
- PID 1152 raserver.exe (4 events)
Suspicious use of AdjustPrivilegeToken (14 IoCs)
Processes: PO Document.exe, raserver.exe, userrfcx.exe, explorer.exe, AUDIODG.EXE
- Token: SeDebugPrivilege, PID 1416 PO Document.exe
- Token: SeDebugPrivilege, PID 1152 raserver.exe
- Token: SeDebugPrivilege, PID 1712 userrfcx.exe
- Token: SeShutdownPrivilege, PID 1440 explorer.exe (7 events)
- Token: 33, PID 1420 AUDIODG.EXE (2 events)
- Token: SeIncBasePriorityPrivilege, PID 1420 AUDIODG.EXE (2 events)
Suspicious use of FindShellTrayWindow (9 IoCs)
Processes: Explorer.EXE, explorer.exe
- PID 1356 Explorer.EXE (2 events)
- PID 1440 explorer.exe (7 events)
Suspicious use of SendNotifyMessage (15 IoCs)
Processes: Explorer.EXE, explorer.exe
- PID 1356 Explorer.EXE (2 events)
- PID 1440 explorer.exe (13 events)
Suspicious use of WriteProcessMemory (35 IoCs)
Processes: PO Document.exe, Explorer.EXE, raserver.exe, userrfcx.exe
- PID 864 PO Document.exe wrote to memory of PID 1416 PO Document.exe (7 events)
- PID 1356 Explorer.EXE wrote to memory of PID 1152 raserver.exe (4 events)
- PID 1152 raserver.exe wrote to memory of PID 1072 cmd.exe (4 events)
- PID 1152 raserver.exe wrote to memory of PID 920 Firefox.exe (5 events)
- PID 1356 Explorer.EXE wrote to memory of PID 1232 userrfcx.exe (4 events)
- PID 1232 userrfcx.exe wrote to memory of PID 1712 userrfcx.exe (7 events)
- PID 1152 raserver.exe wrote to memory of PID 1440 explorer.exe (4 events)
Processes
C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\PO Document.exe (command line: "C:\Users\Admin\AppData\Local\Temp\PO Document.exe")
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\PO Document.exe (command line: "C:\Users\Admin\AppData\Local\Temp\PO Document.exe")
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\raserver.exe (command line: "C:\Windows\SysWOW64\raserver.exe")
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (command line: /c del "C:\Users\Admin\AppData\Local\Temp\PO Document.exe")
      - Deletes itself
    C:\Program Files\Mozilla Firefox\Firefox.exe (command line: "C:\Program Files\Mozilla Firefox\Firefox.exe")
    C:\Windows\explorer.exe (command line: "C:\Windows\explorer.exe")
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Program Files (x86)\Nsfv\userrfcx.exe (command line: "C:\Program Files (x86)\Nsfv\userrfcx.exe")
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Nsfv\userrfcx.exe (command line: "C:\Program Files (x86)\Nsfv\userrfcx.exe")
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\explorer.exe (command line: explorer.exe)
C:\Windows\system32\AUDIODG.EXE (command line: C:\Windows\system32\AUDIODG.EXE 0x1d0)
  - Suspicious use of AdjustPrivilegeToken
Downloads