Analysis
max time kernel: 157s
max time network: 156s
platform: windows7_x64
resource: win7-en-20211104
submitted: 10-11-2021 19:17

Static task: static1
Behavioral task: behavioral1
Sample: PAIEMENT1.exe
Resource: win7-en-20211104
General
Target: PAIEMENT1.exe
Size: 424KB
MD5: 4a40bc732ce463e10ae463ee7b890242
SHA1: 090fea71d8bc7abe48ea0d36d91a38ecf49f83d8
SHA256: 1ac69ae85debbb73ec8b2bc1252374eb717b757b61819a012a8eedbac1148cd5
SHA512: d0efc801cb42571030a7e4381004eb1f1e3ee2c560726d1be48b8e17c23a5a5604a2e6e142b7354219957bd37cdb2e5eb5d1c1d5748018d88e5733594e4435df
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: u9xn
C2: http://www.crisisinterventionadvocates.com/u9xn/
Decoy domains:
lifeguardingcoursenearme.com
bolsaspapelcdmx.com
parsleypkllqu.xyz
68134.online
shopthatlookboutique.com
canlibahisportal.com
oligopoly.city
srchwithus.online
151motors.com
17yue.info
auntmarysnj.com
hanansalman.com
heyunshangcheng.info
doorslamersplus.com
sfcn-dng.com
highvizpeople.com
seoexpertinbangladesh.com
christinegagnonjewellery.com
artifactorie.biz
mre3.net
webbyteanalysis.online
medicmir.store
shdxh.com
salvationshippingsecurity.com
michita.xyz
itskosi.com
aligncoachingconsulting.com
cryptorickclub.art
cyliamartisbackup.com
ttemola.com
mujeresenfarmalatam.com
mykombuchafactory.com
irasutoya-ryou.com
envtmyouliqy.mobi
expert-rse.com
oddanimalsink.com
piezoelectricenergy.com
itservices-india.com
wintwiin.com
umgaleloacademy.com
everythangbutwhite.com
ishhs.xyz
brandsofcannabis.com
sculptingstones.com
hilldetailingllc.com
stone-project.net
rbrituelbeaute.com
atzoom.store
pronogtiki.store
baybeg.com
b148tlrfee9evtvorgm5947.com
msjanej.com
western-overseas.info
sharpecommunications.com
atlantahomesforcarguys.com
neosudo.com
blulacedefense.com
profilecolombia.com
blacksaltspain.com
sejiw3.xyz
saint444.com
getoken.net
joycegsy.com
fezora.xyz
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload (4 IoCs)
Processes (resource | yara_rule):
- behavioral1/memory/1372-57-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
- behavioral1/memory/1372-58-0x000000000041D4F0-mapping.dmp | xloader
- behavioral1/memory/1372-63-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
- behavioral1/memory/1360-70-0x0000000000080000-0x00000000000A9000-memory.dmp | xloader

Deletes itself (1 IoCs)
Processes (pid | process):
- 1088 | cmd.exe

Loads dropped DLL (1 IoCs)
Processes (pid | process):
- 472 | PAIEMENT1.exe

Suspicious use of SetThreadContext (4 IoCs)
Processes (description | pid | process | target process):
- PID 472 set thread context of 1372 | 472 | PAIEMENT1.exe | PAIEMENT1.exe
- PID 1372 set thread context of 1396 | 1372 | PAIEMENT1.exe | Explorer.EXE
- PID 1372 set thread context of 1396 | 1372 | PAIEMENT1.exe | Explorer.EXE
- PID 1360 set thread context of 1396 | 1360 | raserver.exe | Explorer.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (30 IoCs)
Processes (pid | process):
- 1372 | PAIEMENT1.exe (3 entries)
- 1360 | raserver.exe (27 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid | process):
- 1396 | Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes (pid | process):
- 1372 | PAIEMENT1.exe (4 entries)
- 1360 | raserver.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description | pid | process):
- Token: SeDebugPrivilege | 1372 | PAIEMENT1.exe
- Token: SeDebugPrivilege | 1360 | raserver.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid | process):
- 1396 | Explorer.EXE (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
Processes (pid | process):
- 1396 | Explorer.EXE (2 entries)

Suspicious use of WriteProcessMemory (15 IoCs)
Processes (description | pid | process | target process):
- PID 472 wrote to memory of 1372 | 472 | PAIEMENT1.exe | PAIEMENT1.exe (7 entries)
- PID 1396 wrote to memory of 1360 | 1396 | Explorer.EXE | raserver.exe (4 entries)
- PID 1360 wrote to memory of 1088 | 1360 | raserver.exe | cmd.exe (4 entries)
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\PAIEMENT1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\PAIEMENT1.exe"
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\PAIEMENT1.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\PAIEMENT1.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\raserver.exe
      Command line: "C:\Windows\SysWOW64\raserver.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /c del "C:\Users\Admin\AppData\Local\Temp\PAIEMENT1.exe"
         - Deletes itself
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
\Users\Admin\AppData\Local\Temp\nsi149.tmp\mjcxbw.dll
  MD5: e75fad4954d3cea12f4bbb5bf11fca90
  SHA1: 7ac1e5a5e1276a07660a954c8a4cf90508237bb6
  SHA256: 5e00724748d8300e54d0e9066d3c4bdb867609d9684f9558354f20ac65d7307b
  SHA512: 2a2234a864b299a8315042917840e84cf30695d5f2f54b4820dcbd08a80fe2ca8a0a8fa1b0ebd1691974ac1667d4b550d0b8911f780d967f273f48d79689ff1d

memory/472-55-0x00000000760C1000-0x00000000760C3000-memory.dmp
  Filesize: 8KB
memory/1088-68-0x0000000000000000-mapping.dmp
memory/1360-66-0x0000000000000000-mapping.dmp
memory/1360-72-0x0000000001D20000-0x0000000001DB0000-memory.dmp
  Filesize: 576KB
memory/1360-71-0x0000000001E30000-0x0000000002133000-memory.dmp
  Filesize: 3.0MB
memory/1360-70-0x0000000000080000-0x00000000000A9000-memory.dmp
  Filesize: 164KB
memory/1360-69-0x0000000000130000-0x000000000014C000-memory.dmp
  Filesize: 112KB
memory/1372-60-0x0000000000990000-0x0000000000C93000-memory.dmp
  Filesize: 3.0MB
memory/1372-64-0x0000000000570000-0x0000000000581000-memory.dmp
  Filesize: 68KB
memory/1372-63-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
memory/1372-61-0x00000000003D0000-0x00000000003E1000-memory.dmp
  Filesize: 68KB
memory/1372-58-0x000000000041D4F0-mapping.dmp
memory/1372-57-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
memory/1396-65-0x0000000006C50000-0x0000000006D91000-memory.dmp
  Filesize: 1.3MB
memory/1396-62-0x0000000004360000-0x0000000004479000-memory.dmp
  Filesize: 1.1MB
memory/1396-73-0x0000000007250000-0x000000000735D000-memory.dmp
  Filesize: 1.1MB