Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
26-11-2021 12:30
Static task
static1
Behavioral task
behavioral1
Sample
remittance advice_001001098.exe
Resource
win7-en-20211104
General
-
Target
remittance advice_001001098.exe
-
Size
331KB
-
MD5
7877a7074c688baf439f7ec1ab150682
-
SHA1
6c2539fb927b57388866f1c072cdf681b585fb2a
-
SHA256
08ade6bd3efcd20c80defdde936ef1329713af42d28889ffb69ba26b321a297f
-
SHA512
6e5dff775fe478634fc3553b0bed3e9e9fda7a956cc17743f2b1b27e06256008ba7bc229d55a409cb710f078c97b70bb709c764b9fc144c0700d77dab6f83402
Malware Config
Extracted
xloader
2.5
e8ia
http://www.helpfromjames.com/e8ia/
le-hameau-enchanteur.com
quantumsystem-au.club
engravedeeply.com
yesrecompensas.lat
cavallitowerofficials.com
800seaspray.com
skifun-jetski.com
thouartafoot.com
nft2dollar.com
petrestore.online
cjcutthecord2.com
tippimccullough.com
gadget198.xyz
djmiriam.com
bitbasepay.com
cukierniawz.com
mcclureic.xyz
inthekitchenshakinandbakin.com
busy-clicks.com
melaniemorris.online
elysiangp.com
7bkj.com
wakeanddraw.com
ascalar.com
iteraxon.com
henleygirlscricket.com
torresflooringdecorllc.com
helgquieta.quest
xesteem.com
graffity-aws.com
bolerparts.com
andriylysenko.com
bestinvest-4-you.com
frelsicycling.com
airductcleaningindianapolis.net
nlproperties.net
alkoora.xyz
sakiyaman.com
wwwsmyrnaschooldistrict.com
unitedsafetyassociation.com
fiveallianceapparel.com
edgelordkids.com
herhauling.com
intelldat.com
weprepareamerica-planet.com
webartsolution.net
yiquge.com
marraasociados.com
dentalimplantnearyou-ca.space
linemanbible.com
dunamisdispatchservicellc.com
latamoperationalinstitute.com
stpaulsschoolbagidora.com
groupninemed.com
solar-tribe.com
footairdz.com
blttsperma.quest
xfeuio.xyz
sahodyafbdchapter.com
0934800.com
dandftrading.com
gladway.net
mineriasinmercurio.com
inaampm.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/3264-116-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral2/memory/3264-117-0x000000000041D4D0-mapping.dmp xloader behavioral2/memory/3148-124-0x0000000002CA0000-0x0000000002CC9000-memory.dmp xloader -
Blocklisted process makes network request 1 IoCs
Processes:
cmstp.exeflow pid process 47 3148 cmstp.exe -
Loads dropped DLL 1 IoCs
Processes:
remittance advice_001001098.exepid process 2764 remittance advice_001001098.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
remittance advice_001001098.exeremittance advice_001001098.execmstp.exedescription pid process target process PID 2764 set thread context of 3264 2764 remittance advice_001001098.exe remittance advice_001001098.exe PID 3264 set thread context of 3024 3264 remittance advice_001001098.exe Explorer.EXE PID 3148 set thread context of 3024 3148 cmstp.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
remittance advice_001001098.execmstp.exepid process 3264 remittance advice_001001098.exe 3264 remittance advice_001001098.exe 3264 remittance advice_001001098.exe 3264 remittance advice_001001098.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe 3148 cmstp.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 3024 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
remittance advice_001001098.execmstp.exepid process 3264 remittance advice_001001098.exe 3264 remittance advice_001001098.exe 3264 remittance advice_001001098.exe 3148 cmstp.exe 3148 cmstp.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
remittance advice_001001098.execmstp.exedescription pid process Token: SeDebugPrivilege 3264 remittance advice_001001098.exe Token: SeDebugPrivilege 3148 cmstp.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
remittance advice_001001098.exeExplorer.EXEcmstp.exedescription pid process target process PID 2764 wrote to memory of 3264 2764 remittance advice_001001098.exe remittance advice_001001098.exe PID 2764 wrote to memory of 3264 2764 remittance advice_001001098.exe remittance advice_001001098.exe PID 2764 wrote to memory of 3264 2764 remittance advice_001001098.exe remittance advice_001001098.exe PID 2764 wrote to memory of 3264 2764 remittance advice_001001098.exe remittance advice_001001098.exe PID 2764 wrote to memory of 3264 2764 remittance advice_001001098.exe remittance advice_001001098.exe PID 2764 wrote to memory of 3264 2764 remittance advice_001001098.exe remittance advice_001001098.exe PID 3024 wrote to memory of 3148 3024 Explorer.EXE cmstp.exe PID 3024 wrote to memory of 3148 3024 Explorer.EXE cmstp.exe PID 3024 wrote to memory of 3148 3024 Explorer.EXE cmstp.exe PID 3148 wrote to memory of 3528 3148 cmstp.exe cmd.exe PID 3148 wrote to memory of 3528 3148 cmstp.exe cmd.exe PID 3148 wrote to memory of 3528 3148 cmstp.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\remittance advice_001001098.exe"C:\Users\Admin\AppData\Local\Temp\remittance advice_001001098.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\remittance advice_001001098.exe"C:\Users\Admin\AppData\Local\Temp\remittance advice_001001098.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmstp.exe"C:\Windows\SysWOW64\cmstp.exe"2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\remittance advice_001001098.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nsdBFF6.tmp\tngylslz.dllMD5
5dce4ab196ebed51421a281746048281
SHA1372e20701622727ca50c39feeccb53d5c26102ff
SHA256ccc17ccc0b0f0f45309c8dbff3671f9a1d178e5cf22e47174f8da054f71e1edd
SHA512a03f9bbb52c755ef73fd2ed425454f1d47432d3e59937324761f3817be21d719c7a8b947d315fccbf7e197c081beb9cafe727952606634ba31ee1c07c59ae30e
-
memory/3024-121-0x0000000002F70000-0x000000000306E000-memory.dmpFilesize
1016KB
-
memory/3024-128-0x0000000005800000-0x00000000058FB000-memory.dmpFilesize
1004KB
-
memory/3148-125-0x0000000004930000-0x0000000004C50000-memory.dmpFilesize
3.1MB
-
memory/3148-122-0x0000000000000000-mapping.dmp
-
memory/3148-123-0x00000000003D0000-0x00000000003E6000-memory.dmpFilesize
88KB
-
memory/3148-124-0x0000000002CA0000-0x0000000002CC9000-memory.dmpFilesize
164KB
-
memory/3148-127-0x0000000004680000-0x0000000004710000-memory.dmpFilesize
576KB
-
memory/3264-120-0x0000000000600000-0x0000000000611000-memory.dmpFilesize
68KB
-
memory/3264-119-0x0000000000A40000-0x0000000000D60000-memory.dmpFilesize
3.1MB
-
memory/3264-117-0x000000000041D4D0-mapping.dmp
-
memory/3264-116-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/3528-126-0x0000000000000000-mapping.dmp