remittance advice_001001098.exe

General

Target: remittance advice_001001098.exe
Filesize: 331KB
Completed: 26-11-2021 12:32
Score: 10/10
MD5: 7877a7074c688baf439f7ec1ab150682
SHA1: 6c2539fb927b57388866f1c072cdf681b585fb2a
SHA256: 08ade6bd3efcd20c80defdde936ef1329713af42d28889ffb69ba26b321a297f

Malware Config

Extracted

Family: xloader
Version: 2.5
Campaign: e8ia
C2: http://www.helpfromjames.com/e8ia/

Decoy:
  • le-hameau-enchanteur.com
  • quantumsystem-au.club
  • engravedeeply.com
  • yesrecompensas.lat
  • cavallitowerofficials.com
  • 800seaspray.com
  • skifun-jetski.com
  • thouartafoot.com
  • nft2dollar.com
  • petrestore.online
  • cjcutthecord2.com
  • tippimccullough.com
  • gadget198.xyz
  • djmiriam.com
  • bitbasepay.com
  • cukierniawz.com
  • mcclureic.xyz
  • inthekitchenshakinandbakin.com
  • busy-clicks.com
  • melaniemorris.online
  • elysiangp.com
  • 7bkj.com
  • wakeanddraw.com
  • ascalar.com
  • iteraxon.com
  • henleygirlscricket.com
  • torresflooringdecorllc.com
  • helgquieta.quest
  • xesteem.com
  • graffity-aws.com
  • bolerparts.com
  • andriylysenko.com
  • bestinvest-4-you.com
  • frelsicycling.com
  • airductcleaningindianapolis.net
  • nlproperties.net
  • alkoora.xyz
  • sakiyaman.com
  • wwwsmyrnaschooldistrict.com
  • unitedsafetyassociation.com
  • fiveallianceapparel.com
  • edgelordkids.com
  • herhauling.com
  • intelldat.com
  • weprepareamerica-planet.com
  • webartsolution.net
  • yiquge.com
  • marraasociados.com
  • dentalimplantnearyou-ca.space
  • linemanbible.com

Signatures (12)

Discovery
  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    Description

    suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Xloader Payload

    Reported IOCs

    resource                                                                       yara_rule
    behavioral2/memory/3264-116-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
    behavioral2/memory/3264-117-0x000000000041D4D0-mapping.dmp                    xloader
    behavioral2/memory/3148-124-0x0000000002CA0000-0x0000000002CC9000-memory.dmp  xloader
  • Blocklisted process makes network request
    cmstp.exe

    Reported IOCs

    flow  pid   process
    4     3148  cmstp.exe
  • Loads dropped DLL
    remittance advice_001001098.exe

    Reported IOCs

    pid   process
    2764  remittance advice_001001098.exe
  • Suspicious use of SetThreadContext
    remittance advice_001001098.exe, remittance advice_001001098.exe, cmstp.exe

    Reported IOCs

    description                            pid   process                          target process
    PID 2764 set thread context of 3264    2764  remittance advice_001001098.exe  remittance advice_001001098.exe
    PID 3264 set thread context of 3024    3264  remittance advice_001001098.exe  Explorer.EXE
    PID 3148 set thread context of 3024    3148  cmstp.exe                        Explorer.EXE
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious behavior: EnumeratesProcesses
    remittance advice_001001098.exe, cmstp.exe

    Reported IOCs (identical rows collapsed; the original report lists one row per event)

    pid   process                          events
    3264  remittance advice_001001098.exe  4
    3148  cmstp.exe                        56
  • Suspicious behavior: GetForegroundWindowSpam
    Explorer.EXE

    Reported IOCs

    pid   process
    3024  Explorer.EXE
  • Suspicious behavior: MapViewOfSection
    remittance advice_001001098.exe, cmstp.exe

    Reported IOCs (identical rows collapsed)

    pid   process                          events
    3264  remittance advice_001001098.exe  3
    3148  cmstp.exe                        2
  • Suspicious use of AdjustPrivilegeToken
    remittance advice_001001098.exe, cmstp.exe

    Reported IOCs

    description               pid   process
    Token: SeDebugPrivilege   3264  remittance advice_001001098.exe
    Token: SeDebugPrivilege   3148  cmstp.exe
  • Suspicious use of WriteProcessMemory
    remittance advice_001001098.exe, Explorer.EXE, cmstp.exe

    Reported IOCs (identical rows collapsed)

    description                       pid   process                          target process                   events
    PID 2764 wrote to memory of 3264  2764  remittance advice_001001098.exe  remittance advice_001001098.exe  6
    PID 3024 wrote to memory of 3148  3024  Explorer.EXE                     cmstp.exe                        3
    PID 3148 wrote to memory of 3528  3148  cmstp.exe                        cmd.exe                          3
Processes (5)
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Users\Admin\AppData\Local\Temp\remittance advice_001001098.exe
      "C:\Users\Admin\AppData\Local\Temp\remittance advice_001001098.exe"
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Users\Admin\AppData\Local\Temp\remittance advice_001001098.exe
        "C:\Users\Admin\AppData\Local\Temp\remittance advice_001001098.exe"
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        PID:3264
    • C:\Windows\SysWOW64\cmstp.exe
      "C:\Windows\SysWOW64\cmstp.exe"
      Blocklisted process makes network request
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3148
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\remittance advice_001001098.exe"
        PID:3528
Downloads
  • \Users\Admin\AppData\Local\Temp\nsdBFF6.tmp\tngylslz.dll

    MD5: 5dce4ab196ebed51421a281746048281
    SHA1: 372e20701622727ca50c39feeccb53d5c26102ff
    SHA256: ccc17ccc0b0f0f45309c8dbff3671f9a1d178e5cf22e47174f8da054f71e1edd
    SHA512: a03f9bbb52c755ef73fd2ed425454f1d47432d3e59937324761f3817be21d719c7a8b947d315fccbf7e197c081beb9cafe727952606634ba31ee1c07c59ae30e

  • memory/3024-121-0x0000000002F70000-0x000000000306E000-memory.dmp
  • memory/3024-128-0x0000000005800000-0x00000000058FB000-memory.dmp
  • memory/3148-125-0x0000000004930000-0x0000000004C50000-memory.dmp
  • memory/3148-127-0x0000000004680000-0x0000000004710000-memory.dmp
  • memory/3148-122-0x0000000000000000-mapping.dmp
  • memory/3148-123-0x00000000003D0000-0x00000000003E6000-memory.dmp
  • memory/3148-124-0x0000000002CA0000-0x0000000002CC9000-memory.dmp
  • memory/3264-120-0x0000000000600000-0x0000000000611000-memory.dmp
  • memory/3264-119-0x0000000000A40000-0x0000000000D60000-memory.dmp
  • memory/3264-117-0x000000000041D4D0-mapping.dmp
  • memory/3264-116-0x0000000000400000-0x0000000000429000-memory.dmp
  • memory/3528-126-0x0000000000000000-mapping.dmp