remittance advice_001001098.exe

General

Target: remittance advice_001001098.exe
Filesize: 331KB
Completed: 26-11-2021 12:32
Score: 10/10
MD5: 7877a7074c688baf439f7ec1ab150682
SHA1: 6c2539fb927b57388866f1c072cdf681b585fb2a
SHA256: 08ade6bd3efcd20c80defdde936ef1329713af42d28889ffb69ba26b321a297f

Malware Config (Extracted)

Family: xloader
Version: 2.5
Campaign: e8ia
C2: http://www.helpfromjames.com/e8ia/

Decoy domains:
  • le-hameau-enchanteur.com
  • quantumsystem-au.club
  • engravedeeply.com
  • yesrecompensas.lat
  • cavallitowerofficials.com
  • 800seaspray.com
  • skifun-jetski.com
  • thouartafoot.com
  • nft2dollar.com
  • petrestore.online
  • cjcutthecord2.com
  • tippimccullough.com
  • gadget198.xyz
  • djmiriam.com
  • bitbasepay.com
  • cukierniawz.com
  • mcclureic.xyz
  • inthekitchenshakinandbakin.com
  • busy-clicks.com
  • melaniemorris.online
  • elysiangp.com
  • 7bkj.com
  • wakeanddraw.com
  • ascalar.com
  • iteraxon.com
  • henleygirlscricket.com
  • torresflooringdecorllc.com
  • helgquieta.quest
  • xesteem.com
  • graffity-aws.com
  • bolerparts.com
  • andriylysenko.com
  • bestinvest-4-you.com
  • frelsicycling.com
  • airductcleaningindianapolis.net
  • nlproperties.net
  • alkoora.xyz
  • sakiyaman.com
  • wwwsmyrnaschooldistrict.com
  • unitedsafetyassociation.com
  • fiveallianceapparel.com
  • edgelordkids.com
  • herhauling.com
  • intelldat.com
  • weprepareamerica-planet.com
  • webartsolution.net
  • yiquge.com
  • marraasociados.com
  • dentalimplantnearyou-ca.space
  • linemanbible.com

Signatures 15

Discovery
  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Xloader Payload

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/568-57-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
    behavioral1/memory/568-58-0x000000000041D4D0-mapping.dmp | xloader
    behavioral1/memory/552-65-0x0000000000070000-0x0000000000099000-memory.dmp | xloader
  • Blocklisted process makes network request
    wscript.exe

    Reported IOCs

    flow | pid | process
    33 | 552 | wscript.exe
  • Deletes itself
    cmd.exe

    Reported IOCs

    pid | process
    700 | cmd.exe
  • Loads dropped DLL
    remittance advice_001001098.exe

    Reported IOCs

    pid | process
    592 | remittance advice_001001098.exe
  • Suspicious use of SetThreadContext
    remittance advice_001001098.exe, remittance advice_001001098.exe, wscript.exe

    Reported IOCs

    description | pid | process | target process
    PID 592 set thread context of 568 | 592 | remittance advice_001001098.exe | remittance advice_001001098.exe
    PID 568 set thread context of 1380 | 568 | remittance advice_001001098.exe | Explorer.EXE
    PID 552 set thread context of 1380 | 552 | wscript.exe | Explorer.EXE
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious behavior: EnumeratesProcesses
    remittance advice_001001098.exe, wscript.exe

    Reported IOCs

    pid | process
    568 | remittance advice_001001098.exe (2 events)
    552 | wscript.exe (28 events)
  • Suspicious behavior: GetForegroundWindowSpam
    Explorer.EXE

    Reported IOCs

    pid | process
    1380 | Explorer.EXE
  • Suspicious behavior: MapViewOfSection
    remittance advice_001001098.exe, wscript.exe

    Reported IOCs

    pid | process
    568 | remittance advice_001001098.exe (3 events)
    552 | wscript.exe (2 events)
  • Suspicious use of AdjustPrivilegeToken
    remittance advice_001001098.exe, wscript.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 568 | remittance advice_001001098.exe
    Token: SeDebugPrivilege | 552 | wscript.exe
  • Suspicious use of FindShellTrayWindow
    Explorer.EXE

    Reported IOCs

    pid | process
    1380 | Explorer.EXE (2 events)
  • Suspicious use of SendNotifyMessage
    Explorer.EXE

    Reported IOCs

    pid | process
    1380 | Explorer.EXE (2 events)
  • Suspicious use of WriteProcessMemory
    remittance advice_001001098.exe, Explorer.EXE, wscript.exe

    Reported IOCs

    description | pid | process | target process
    PID 592 wrote to memory of 568 | 592 | remittance advice_001001098.exe | remittance advice_001001098.exe (7 events)
    PID 1380 wrote to memory of 552 | 1380 | Explorer.EXE | wscript.exe (4 events)
    PID 552 wrote to memory of 700 | 552 | wscript.exe | cmd.exe (4 events)
Processes 5
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Users\Admin\AppData\Local\Temp\remittance advice_001001098.exe
      "C:\Users\Admin\AppData\Local\Temp\remittance advice_001001098.exe"
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:592
      • C:\Users\Admin\AppData\Local\Temp\remittance advice_001001098.exe
        "C:\Users\Admin\AppData\Local\Temp\remittance advice_001001098.exe"
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        PID:568
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      Blocklisted process makes network request
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:552
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\remittance advice_001001098.exe"
        Deletes itself
        PID:700
Network

MITRE ATT&CK Matrix

Collection | Command and Control | Credential Access | Defense Evasion | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Persistence | Privilege Escalation

Downloads
  • \Users\Admin\AppData\Local\Temp\nsnAA92.tmp\tngylslz.dll
    MD5: 5dce4ab196ebed51421a281746048281
    SHA1: 372e20701622727ca50c39feeccb53d5c26102ff
    SHA256: ccc17ccc0b0f0f45309c8dbff3671f9a1d178e5cf22e47174f8da054f71e1edd
    SHA512: a03f9bbb52c755ef73fd2ed425454f1d47432d3e59937324761f3817be21d719c7a8b947d315fccbf7e197c081beb9cafe727952606634ba31ee1c07c59ae30e
  • memory/552-67-0x0000000002170000-0x0000000002473000-memory.dmp
  • memory/552-64-0x0000000000890000-0x00000000008B6000-memory.dmp
  • memory/552-65-0x0000000000070000-0x0000000000099000-memory.dmp
  • memory/552-68-0x00000000004D0000-0x0000000000560000-memory.dmp
  • memory/552-63-0x0000000000000000-mapping.dmp
  • memory/568-59-0x0000000000930000-0x0000000000C33000-memory.dmp
  • memory/568-61-0x00000000002D0000-0x00000000002E1000-memory.dmp
  • memory/568-57-0x0000000000400000-0x0000000000429000-memory.dmp
  • memory/568-58-0x000000000041D4D0-mapping.dmp
  • memory/592-55-0x0000000075981000-0x0000000075983000-memory.dmp
  • memory/700-66-0x0000000000000000-mapping.dmp
  • memory/1380-62-0x0000000007010000-0x00000000071B5000-memory.dmp
  • memory/1380-69-0x0000000006E20000-0x0000000006F62000-memory.dmp