payment advice_29011021.exe

General

Target: payment advice_29011021.exe
Filesize: 292KB
Completed: 29-11-2021 06:07
Score: 10/10
MD5: 9fd9757825549183fb53a8a7cbd0a11b
SHA1: 3d24fae431c8c37b50fc0c8f6ca95af1ae19ce9e
SHA256: 237b6ac1943742314565dfdcc34a5c17f475462ae4399a9a9765bbbd6c679c99

Malware Config

Extracted

Family: xloader
Version: 2.5
Campaign: e8ia
C2: http://www.helpfromjames.com/e8ia/

Decoy


Signatures (14)

Discovery
  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload

    Reported IOCs (resource | yara_rule)

    behavioral1/memory/1508-57-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
    behavioral1/memory/1508-58-0x000000000041D4D0-mapping.dmp | xloader
    behavioral1/memory/1508-63-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
    behavioral1/memory/928-70-0x0000000000100000-0x0000000000129000-memory.dmp | xloader

  • Blocklisted process makes network request
    cmstp.exe

    Reported IOCs (flow | pid | process)

    13 | 928 | cmstp.exe

  • Deletes itself
    cmd.exe

    Reported IOCs (pid | process)

    984 | cmd.exe

  • Loads dropped DLL
    payment advice_29011021.exe

    Reported IOCs (pid | process)

    764 | payment advice_29011021.exe

  • Suspicious use of SetThreadContext
    payment advice_29011021.exe, cmstp.exe

    Reported IOCs (description | pid | process | target process)

    PID 764 set thread context of 1508 | 764 | payment advice_29011021.exe | payment advice_29011021.exe
    PID 1508 set thread context of 1276 | 1508 | payment advice_29011021.exe | Explorer.EXE (2 entries)
    PID 928 set thread context of 1276 | 928 | cmstp.exe | Explorer.EXE

  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery

  • Suspicious behavior: EnumeratesProcesses
    payment advice_29011021.exe, cmstp.exe

    Reported IOCs (pid | process)

    1508 | payment advice_29011021.exe (3 entries)
    928 | cmstp.exe (27 entries)

  • Suspicious behavior: GetForegroundWindowSpam
    Explorer.EXE

    Reported IOCs (pid | process)

    1276 | Explorer.EXE

  • Suspicious behavior: MapViewOfSection
    payment advice_29011021.exe, cmstp.exe

    Reported IOCs (pid | process)

    1508 | payment advice_29011021.exe (4 entries)
    928 | cmstp.exe (2 entries)

  • Suspicious use of AdjustPrivilegeToken
    payment advice_29011021.exe, cmstp.exe

    Reported IOCs (description | pid | process)

    Token: SeDebugPrivilege | 1508 | payment advice_29011021.exe
    Token: SeDebugPrivilege | 928 | cmstp.exe

  • Suspicious use of FindShellTrayWindow
    Explorer.EXE

    Reported IOCs (pid | process)

    1276 | Explorer.EXE (2 entries)

  • Suspicious use of SendNotifyMessage
    Explorer.EXE

    Reported IOCs (pid | process)

    1276 | Explorer.EXE (2 entries)

  • Suspicious use of WriteProcessMemory
    payment advice_29011021.exe, Explorer.EXE, cmstp.exe

    Reported IOCs (description | pid | process | target process)

    PID 764 wrote to memory of 1508 | 764 | payment advice_29011021.exe | payment advice_29011021.exe (7 entries)
    PID 1276 wrote to memory of 928 | 1276 | Explorer.EXE | cmstp.exe (7 entries)
    PID 928 wrote to memory of 984 | 928 | cmstp.exe | cmd.exe (4 entries)
Processes (5)
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    Suspicious use of WriteProcessMemory
    PID:1276
    • C:\Users\Admin\AppData\Local\Temp\payment advice_29011021.exe
      "C:\Users\Admin\AppData\Local\Temp\payment advice_29011021.exe"
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:764
      • C:\Users\Admin\AppData\Local\Temp\payment advice_29011021.exe
        "C:\Users\Admin\AppData\Local\Temp\payment advice_29011021.exe"
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        PID:1508
    • C:\Windows\SysWOW64\cmstp.exe
      "C:\Windows\SysWOW64\cmstp.exe"
      Blocklisted process makes network request
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:928
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\payment advice_29011021.exe"
        Deletes itself
        PID:984
Network
MITRE ATT&CK Matrix
Collection | Command and Control | Credential Access | Defense Evasion | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Persistence | Privilege Escalation

Downloads
  • \Users\Admin\AppData\Local\Temp\nstCC36.tmp\fsagsi.dll
    MD5: c423a14876868b5c0def8b781bc66a62
    SHA1: f848e7bf0801a32f66c9c3ede645498812ebff06
    SHA256: dee6a5e04eac8488f9d00d5e6684c9a8368eb6a765180a3f2c89a07499f951f7
    SHA512: e2ba84a73f84b32cf42999d4f9b241ca22ae8653f7716676b718167b1a980943121ae2ccec5551a720cc7974175aca592a72301583b2accc865dbca89ff41a7e
