Analysis
- Max time kernel: 300s
- Max time network: 300s
- Platform: windows7_x64
- Resource: win7-en-20211014
- Submitted: 20-11-2021 00:30
- Static task: static1
- Behavioral task: behavioral1
- Sample: Invoice request.exe
- Resource: win7-en-20211014

General
- Target: Invoice request.exe
- Size: 676KB
- MD5: da15b6acf344c43696f03ccd0c9b5662
- SHA1: 490a2ef542738dfc47dc62663f1f4cd4b52d6c6d
- SHA256: c26730ee4480c22df36df08e6386199eac697aef2310b98ec4719fe63f1d70f9
- SHA512: 403f26713a14eb962791da7abf6fc28d9c31d1a9db9ef2edec87a11153d65ebae31050b223fa904ab97923b3bad2dc0a14adbfc4642e3a1afa2f7f15d89484d5
Malware Config
Extracted:
- Family: xloader
- Version: 2.5
- Campaign: ea0r
- C2: http://www.asiapubz-hk.com/ea0r/
- Decoy domains: 64 extracted
Signatures

Xloader Payload (4 IoCs)
YARA rule "xloader" matched the following dumps:
- behavioral1/memory/288-57-0x0000000000400000-0x0000000000429000-memory.dmp
- behavioral1/memory/288-58-0x000000000041D410-mapping.dmp
- behavioral1/memory/1472-65-0x0000000000080000-0x00000000000A9000-memory.dmp
- behavioral1/memory/1720-78-0x000000000041D410-mapping.dmp

Executes dropped EXE (2 IoCs)
- PID 1920 vgayznhb0d.exe
- PID 1720 vgayznhb0d.exe

Deletes itself (1 IoC)
- PID 976 cmd.exe

Loads dropped DLL (2 IoCs)
- PID 268 Invoice request.exe
- PID 1920 vgayznhb0d.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
- Key created: \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (netsh.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KRZXSZIXDLH = "C:\\Program Files (x86)\\Uj6tdv418\\vgayznhb0d.exe" (netsh.exe)

Suspicious use of SetThreadContext (4 IoCs)
- PID 268 Invoice request.exe set thread context of PID 288 Invoice request.exe
- PID 288 Invoice request.exe set thread context of PID 1360 Explorer.EXE
- PID 1472 netsh.exe set thread context of PID 1360 Explorer.EXE
- PID 1920 vgayznhb0d.exe set thread context of PID 1720 vgayznhb0d.exe

Drops file in Program Files directory (2 IoCs)
- File opened for modification: C:\Program Files (x86)\Uj6tdv418\vgayznhb0d.exe (netsh.exe)
- File created: C:\Program Files (x86)\Uj6tdv418\vgayznhb0d.exe (Explorer.EXE)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

NSIS installer (6 IoCs)
YARA rules nsis_installer_1 and nsis_installer_2 each matched three times on C:\Program Files (x86)\Uj6tdv418\vgayznhb0d.exe

Modifies Internet Explorer settings (1 IoC)
- Key created: \Registry\User\S-1-5-21-2955169046-2371869340-1800780948-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (netsh.exe)

Suspicious behavior: EnumeratesProcesses (59 IoCs)
- PID 288 Invoice request.exe (2)
- PID 1472 netsh.exe (56)
- PID 1720 vgayznhb0d.exe (1)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 1360 Explorer.EXE

Suspicious behavior: MapViewOfSection (7 IoCs)
- PID 288 Invoice request.exe (3)
- PID 1472 netsh.exe (4)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
- Token: SeDebugPrivilege, PID 288 Invoice request.exe
- Token: SeDebugPrivilege, PID 1472 netsh.exe
- Token: SeDebugPrivilege, PID 1720 vgayznhb0d.exe
- Token: SeShutdownPrivilege, PID 1360 Explorer.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 1360 Explorer.EXE (2)

Suspicious use of SendNotifyMessage (2 IoCs)
- PID 1360 Explorer.EXE (2)

Suspicious use of WriteProcessMemory (31 IoCs)
- PID 268 Invoice request.exe wrote to memory of PID 288 Invoice request.exe (7)
- PID 1360 Explorer.EXE wrote to memory of PID 1472 netsh.exe (4)
- PID 1472 netsh.exe wrote to memory of PID 976 cmd.exe (4)
- PID 1472 netsh.exe wrote to memory of PID 308 Firefox.exe (5)
- PID 1360 Explorer.EXE wrote to memory of PID 1920 vgayznhb0d.exe (4)
- PID 1920 vgayznhb0d.exe wrote to memory of PID 1720 vgayznhb0d.exe (7)
Processes

- [1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  - [2] C:\Users\Admin\AppData\Local\Temp\Invoice request.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice request.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    - [3] C:\Users\Admin\AppData\Local\Temp\Invoice request.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice request.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  - [2] C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\SysWOW64\netsh.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Invoice request.exe"
      - Deletes itself

    - [3] C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

  - [2] C:\Program Files (x86)\Uj6tdv418\vgayznhb0d.exe
    Command line: "C:\Program Files (x86)\Uj6tdv418\vgayznhb0d.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    - [3] C:\Program Files (x86)\Uj6tdv418\vgayznhb0d.exe
      Command line: "C:\Program Files (x86)\Uj6tdv418\vgayznhb0d.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Program Files (x86)\Uj6tdv418\vgayznhb0d.exe (listed three times; MD5, SHA1, SHA256 and SHA512 identical to the submitted sample)
- C:\Users\Admin\AppData\Local\Temp\qg36eedlvrwqn6h
- \Users\Admin\AppData\Local\Temp\nstD3D4.tmp\vnrumu.dll
- \Users\Admin\AppData\Local\Temp\nsuA323.tmp\vnrumu.dll (same hashes as the nstD3D4.tmp copy)
- memory/268-55-0x0000000075F41000-0x0000000075F43000-memory.dmp (8KB)
- memory/288-61-0x00000000002C0000-0x00000000002D1000-memory.dmp (68KB)
- memory/288-60-0x0000000000840000-0x0000000000B43000-memory.dmp (3.0MB)
- memory/288-57-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
- memory/288-58-0x000000000041D410-mapping.dmp
- memory/976-67-0x0000000000000000-mapping.dmp
- memory/1360-69-0x0000000007160000-0x00000000072A1000-memory.dmp (1.3MB)
- memory/1360-62-0x0000000007000000-0x000000000715B000-memory.dmp (1.4MB)
- memory/1472-68-0x0000000000A00000-0x0000000000A90000-memory.dmp (576KB)
- memory/1472-63-0x0000000000000000-mapping.dmp
- memory/1472-64-0x0000000001720000-0x000000000173B000-memory.dmp (108KB)
- memory/1472-66-0x0000000000B90000-0x0000000000E93000-memory.dmp (3.0MB)
- memory/1472-65-0x0000000000080000-0x00000000000A9000-memory.dmp (164KB)
- memory/1720-78-0x000000000041D410-mapping.dmp
- memory/1720-80-0x00000000008E0000-0x0000000000BE3000-memory.dmp (3.0MB)
- memory/1920-71-0x0000000000000000-mapping.dmp