Analysis
- max time kernel: 157s
- max time network: 165s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 10-11-2021 19:17
Static task: static1
Behavioral task: behavioral1
Sample: PAIEMENT1.exe
Resource: win7-en-20211104
General
- Target: PAIEMENT1.exe
- Size: 424KB
- MD5: 4a40bc732ce463e10ae463ee7b890242
- SHA1: 090fea71d8bc7abe48ea0d36d91a38ecf49f83d8
- SHA256: 1ac69ae85debbb73ec8b2bc1252374eb717b757b61819a012a8eedbac1148cd5
- SHA512: d0efc801cb42571030a7e4381004eb1f1e3ee2c560726d1be48b8e17c23a5a5604a2e6e142b7354219957bd37cdb2e5eb5d1c1d5748018d88e5733594e4435df
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: u9xn
- C2: http://www.crisisinterventionadvocates.com/u9xn/
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
Xloader Payload 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3944-119-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/3944-120-0x000000000041D4F0-mapping.dmp | xloader
behavioral2/memory/4072-128-0x0000000000870000-0x0000000000899000-memory.dmp | xloader
behavioral2/memory/876-138-0x000000000041D4F0-mapping.dmp | xloader
-
Executes dropped EXE 2 IoCs
Processes: edj8kzix2d9.exe, edj8kzix2d9.exe
pid | process
820 | edj8kzix2d9.exe
876 | edj8kzix2d9.exe
-
Loads dropped DLL 2 IoCs
Processes: PAIEMENT1.exe, edj8kzix2d9.exe
pid | process
2020 | PAIEMENT1.exe
820 | edj8kzix2d9.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: explorer.exe
description | ioc | process
Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZLHLS4BPN = "C:\\Program Files (x86)\\K7nrxv4\\edj8kzix2d9.exe" | explorer.exe
-
Suspicious use of SetThreadContext 4 IoCs
Processes: PAIEMENT1.exe, PAIEMENT1.exe, explorer.exe, edj8kzix2d9.exe
description | pid | process | target process
PID 2020 set thread context of 3944 | 2020 | PAIEMENT1.exe | PAIEMENT1.exe
PID 3944 set thread context of 2416 | 3944 | PAIEMENT1.exe | Explorer.EXE
PID 4072 set thread context of 2416 | 4072 | explorer.exe | Explorer.EXE
PID 820 set thread context of 876 | 820 | edj8kzix2d9.exe | edj8kzix2d9.exe
-
Drops file in Program Files directory 4 IoCs
Processes: Explorer.EXE, explorer.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\K7nrxv4 | Explorer.EXE
File created | C:\Program Files (x86)\K7nrxv4\edj8kzix2d9.exe | Explorer.EXE
File opened for modification | C:\Program Files (x86)\K7nrxv4\edj8kzix2d9.exe | Explorer.EXE
File opened for modification | C:\Program Files (x86)\K7nrxv4\edj8kzix2d9.exe | explorer.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 6 IoCs
Processes:
resource | yara_rule
C:\Program Files (x86)\K7nrxv4\edj8kzix2d9.exe | nsis_installer_1
C:\Program Files (x86)\K7nrxv4\edj8kzix2d9.exe | nsis_installer_2
C:\Program Files (x86)\K7nrxv4\edj8kzix2d9.exe | nsis_installer_1
C:\Program Files (x86)\K7nrxv4\edj8kzix2d9.exe | nsis_installer_2
C:\Program Files (x86)\K7nrxv4\edj8kzix2d9.exe | nsis_installer_1
C:\Program Files (x86)\K7nrxv4\edj8kzix2d9.exe | nsis_installer_2
-
Modifies Internet Explorer settings
Processes: explorer.exe
description | ioc | process
Key created | \Registry\User\S-1-5-21-1042495040-510797905-2613508344-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | explorer.exe
-
Suspicious behavior: EnumeratesProcesses 56 IoCs
Processes: PAIEMENT1.exe, explorer.exe, edj8kzix2d9.exe
pid | process
3944 | PAIEMENT1.exe
3944 | PAIEMENT1.exe
3944 | PAIEMENT1.exe
3944 | PAIEMENT1.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
876 | edj8kzix2d9.exe
876 | edj8kzix2d9.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid | process
2416 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 7 IoCs
Processes: PAIEMENT1.exe, explorer.exe
pid | process
3944 | PAIEMENT1.exe
3944 | PAIEMENT1.exe
3944 | PAIEMENT1.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
4072 | explorer.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: PAIEMENT1.exe, explorer.exe, Explorer.EXE, edj8kzix2d9.exe
description | pid | process
Token: SeDebugPrivilege | 3944 | PAIEMENT1.exe
Token: SeDebugPrivilege | 4072 | explorer.exe
Token: SeShutdownPrivilege | 2416 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2416 | Explorer.EXE
Token: SeDebugPrivilege | 876 | edj8kzix2d9.exe
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes: PAIEMENT1.exe, Explorer.EXE, explorer.exe, edj8kzix2d9.exe
description | pid | process | target process
PID 2020 wrote to memory of 3944 | 2020 | PAIEMENT1.exe | PAIEMENT1.exe
PID 2020 wrote to memory of 3944 | 2020 | PAIEMENT1.exe | PAIEMENT1.exe
PID 2020 wrote to memory of 3944 | 2020 | PAIEMENT1.exe | PAIEMENT1.exe
PID 2020 wrote to memory of 3944 | 2020 | PAIEMENT1.exe | PAIEMENT1.exe
PID 2020 wrote to memory of 3944 | 2020 | PAIEMENT1.exe | PAIEMENT1.exe
PID 2020 wrote to memory of 3944 | 2020 | PAIEMENT1.exe | PAIEMENT1.exe
PID 2416 wrote to memory of 4072 | 2416 | Explorer.EXE | explorer.exe
PID 2416 wrote to memory of 4072 | 2416 | Explorer.EXE | explorer.exe
PID 2416 wrote to memory of 4072 | 2416 | Explorer.EXE | explorer.exe
PID 4072 wrote to memory of 4156 | 4072 | explorer.exe | cmd.exe
PID 4072 wrote to memory of 4156 | 4072 | explorer.exe | cmd.exe
PID 4072 wrote to memory of 4156 | 4072 | explorer.exe | cmd.exe
PID 2416 wrote to memory of 820 | 2416 | Explorer.EXE | edj8kzix2d9.exe
PID 2416 wrote to memory of 820 | 2416 | Explorer.EXE | edj8kzix2d9.exe
PID 2416 wrote to memory of 820 | 2416 | Explorer.EXE | edj8kzix2d9.exe
PID 820 wrote to memory of 876 | 820 | edj8kzix2d9.exe | edj8kzix2d9.exe
PID 820 wrote to memory of 876 | 820 | edj8kzix2d9.exe | edj8kzix2d9.exe
PID 820 wrote to memory of 876 | 820 | edj8kzix2d9.exe | edj8kzix2d9.exe
PID 820 wrote to memory of 876 | 820 | edj8kzix2d9.exe | edj8kzix2d9.exe
PID 820 wrote to memory of 876 | 820 | edj8kzix2d9.exe | edj8kzix2d9.exe
PID 820 wrote to memory of 876 | 820 | edj8kzix2d9.exe | edj8kzix2d9.exe
PID 4072 wrote to memory of 1140 | 4072 | explorer.exe | cmd.exe
PID 4072 wrote to memory of 1140 | 4072 | explorer.exe | cmd.exe
PID 4072 wrote to memory of 1140 | 4072 | explorer.exe | cmd.exe
PID 4072 wrote to memory of 1520 | 4072 | explorer.exe | Firefox.exe
PID 4072 wrote to memory of 1520 | 4072 | explorer.exe | Firefox.exe
PID 4072 wrote to memory of 1520 | 4072 | explorer.exe | Firefox.exe
Processes

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Drops file in Program Files directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\PAIEMENT1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\PAIEMENT1.exe"
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\PAIEMENT1.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\PAIEMENT1.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\SysWOW64\explorer.exe"
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: /c del "C:\Users\Admin\AppData\Local\Temp\PAIEMENT1.exe"

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

    [3] C:\Program Files\Mozilla Firefox\Firefox.exe
        Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

  [2] C:\Program Files (x86)\K7nrxv4\edj8kzix2d9.exe
      Command line: "C:\Program Files (x86)\K7nrxv4\edj8kzix2d9.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

    [3] C:\Program Files (x86)\K7nrxv4\edj8kzix2d9.exe
        Command line: "C:\Program Files (x86)\K7nrxv4\edj8kzix2d9.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\K7nrxv4\edj8kzix2d9.exe
MD5: 4a40bc732ce463e10ae463ee7b890242
SHA1: 090fea71d8bc7abe48ea0d36d91a38ecf49f83d8
SHA256: 1ac69ae85debbb73ec8b2bc1252374eb717b757b61819a012a8eedbac1148cd5
SHA512: d0efc801cb42571030a7e4381004eb1f1e3ee2c560726d1be48b8e17c23a5a5604a2e6e142b7354219957bd37cdb2e5eb5d1c1d5748018d88e5733594e4435df
-
C:\Users\Admin\AppData\Local\Temp\DB1
MD5: b608d407fc15adea97c26936bc6f03f6
SHA1: 953e7420801c76393902c0d6bb56148947e41571
SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Local\Temp\azz06zcwvuaf88bqq7ar
MD5: 3f94f73321346d0f83de179e10d6c262
SHA1: b5d4789d9403cd2d0a130b6f3031b9c43472d975
SHA256: 4bf655ce5574a046778bcff5d2cd71694bfd8ccde68307de8042559dd69747a4
SHA512: 01ae3be2eb77c46c447e841209fb517e3436f2271f2812c13f95b8eff1b41a89074cf719b37548ed06a673cfb08478cee4c312b597bc8823f58c9072a0aa2be7
-
\Users\Admin\AppData\Local\Temp\nsiC0A2.tmp\mjcxbw.dll
MD5: e75fad4954d3cea12f4bbb5bf11fca90
SHA1: 7ac1e5a5e1276a07660a954c8a4cf90508237bb6
SHA256: 5e00724748d8300e54d0e9066d3c4bdb867609d9684f9558354f20ac65d7307b
SHA512: 2a2234a864b299a8315042917840e84cf30695d5f2f54b4820dcbd08a80fe2ca8a0a8fa1b0ebd1691974ac1667d4b550d0b8911f780d967f273f48d79689ff1d
-
\Users\Admin\AppData\Local\Temp\nsr9CF4.tmp\mjcxbw.dll
MD5: e75fad4954d3cea12f4bbb5bf11fca90
SHA1: 7ac1e5a5e1276a07660a954c8a4cf90508237bb6
SHA256: 5e00724748d8300e54d0e9066d3c4bdb867609d9684f9558354f20ac65d7307b
SHA512: 2a2234a864b299a8315042917840e84cf30695d5f2f54b4820dcbd08a80fe2ca8a0a8fa1b0ebd1691974ac1667d4b550d0b8911f780d967f273f48d79689ff1d
-
memory/820-132-0x0000000000000000-mapping.dmp
-
memory/876-138-0x000000000041D4F0-mapping.dmp
-
memory/876-142-0x0000000000BA0000-0x0000000000EC0000-memory.dmp (Filesize: 3.1MB)
-
memory/1140-140-0x0000000000000000-mapping.dmp
-
memory/2416-124-0x0000000004F80000-0x00000000050D0000-memory.dmp (Filesize: 1.3MB)
-
memory/2416-131-0x0000000002440000-0x000000000250F000-memory.dmp (Filesize: 828KB)
-
memory/3944-123-0x00000000009E0000-0x00000000009F1000-memory.dmp (Filesize: 68KB)
-
memory/3944-122-0x0000000000B20000-0x0000000000E40000-memory.dmp (Filesize: 3.1MB)
-
memory/3944-120-0x000000000041D4F0-mapping.dmp
-
memory/3944-119-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
-
memory/4072-130-0x0000000001220000-0x00000000012B0000-memory.dmp (Filesize: 576KB)
-
memory/4072-129-0x0000000004E90000-0x00000000051B0000-memory.dmp (Filesize: 3.1MB)
-
memory/4072-127-0x0000000001310000-0x000000000174F000-memory.dmp (Filesize: 4.2MB)
-
memory/4072-128-0x0000000000870000-0x0000000000899000-memory.dmp (Filesize: 164KB)
-
memory/4072-125-0x0000000000000000-mapping.dmp
-
memory/4156-126-0x0000000000000000-mapping.dmp