Analysis
Max time kernel: 152s
Max time network: 151s
Platform: windows10_x64
Resource: win10-en-20211104
Submitted: 05-11-2021 12:56
Static task: static1
Behavioral task: behavioral1
Sample: payment.exe
Resource: win7-en-20211104

General
Target: payment.exe
Size: 301KB
MD5: c662f5f92a309035df41c2fa8ceec901
SHA1: 2555dbb5bf478e472d834d7fee163fa75598eabf
SHA256: 43205d5f8958ebc397086aa525220e381f4b0da942f071f236bdbe21280fe1b8
SHA512: 8984f03fc2e0849c7e7ade5112158a6375d1b148beeddf35569410f56b1efa92796cac9ec6e94f0e71198fadf6b44cf3e3785eeb75cbd5483d1138d6ed9bc7ff
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign ID: unzn
C2 URL: http://www.davanamays.com/unzn/
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload (4 IoCs)
Processes (resource / yara_rule):
- behavioral2/memory/1640-119-0x0000000000400000-0x0000000000429000-memory.dmp / xloader
- behavioral2/memory/1640-120-0x000000000041D430-mapping.dmp / xloader
- behavioral2/memory/1640-123-0x0000000000550000-0x000000000069A000-memory.dmp / xloader
- behavioral2/memory/3964-128-0x0000000000320000-0x0000000000349000-memory.dmp / xloader
-
Loads dropped DLL (1 IoC)
Processes (pid / process):
- 2812 payment.exe
-
Suspicious use of SetThreadContext (3 IoCs)
Processes (description / pid / process / target process):
- PID 2812 set thread context of 1640 / 2812 payment.exe / 1640 payment.exe
- PID 1640 set thread context of 3036 / 1640 payment.exe / 3036 Explorer.EXE
- PID 3964 set thread context of 3036 / 3964 raserver.exe / 3036 Explorer.EXE
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes (pid / process):
- 1640 payment.exe (4 entries)
- 3964 raserver.exe (all remaining entries)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid / process):
- 3036 Explorer.EXE
-
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes (pid / process):
- 1640 payment.exe (3 entries)
- 3964 raserver.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege / 1640 payment.exe
- Token: SeDebugPrivilege / 3964 raserver.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description / pid / process / target process):
- PID 2812 wrote to memory of 1640 / 2812 payment.exe / 1640 payment.exe (6 entries)
- PID 3036 wrote to memory of 3964 / 3036 Explorer.EXE / 3964 raserver.exe (3 entries)
- PID 3964 wrote to memory of 3120 / 3964 raserver.exe / 3120 cmd.exe (3 entries)
Processes (process tree; indentation shows parent/child depth)
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\payment.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\payment.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\payment.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\payment.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\raserver.exe
    Command line: "C:\Windows\SysWOW64\raserver.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\payment.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsd985A.tmp\lekf.dll
  MD5: 7308a90795bd1362707bd1299fcaa16b
  SHA1: 0a3af093fb809a129f75381f3128e01e6aa83b8a
  SHA256: a59f16bf130b8cc3819227b64846d0a909ecd24355143754d9be47576157bf39
  SHA512: 7937636604fbc34b9d1dbfdbb3bf93cb62318506e67cdff5d4deeb2149046e7f494c69e4dd319ed769009bc1872d67a2380ed7b259bf9276898b4a0862d4c2c4
- memory/1640-119-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/1640-120-0x000000000041D430-mapping.dmp
- memory/1640-121-0x0000000000A60000-0x0000000000D80000-memory.dmp (Filesize: 3.1MB)
- memory/1640-123-0x0000000000550000-0x000000000069A000-memory.dmp (Filesize: 1.3MB)
- memory/3036-131-0x0000000006560000-0x0000000006675000-memory.dmp (Filesize: 1.1MB)
- memory/3036-124-0x0000000006450000-0x000000000655B000-memory.dmp (Filesize: 1.0MB)
- memory/3120-126-0x0000000000000000-mapping.dmp
- memory/3964-125-0x0000000000000000-mapping.dmp
- memory/3964-127-0x0000000000BD0000-0x0000000000BEF000-memory.dmp (Filesize: 124KB)
- memory/3964-129-0x00000000044C0000-0x00000000047E0000-memory.dmp (Filesize: 3.1MB)
- memory/3964-128-0x0000000000320000-0x0000000000349000-memory.dmp (Filesize: 164KB)
- memory/3964-130-0x0000000004310000-0x00000000043A0000-memory.dmp (Filesize: 576KB)