Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    29-11-2021 13:46

General

  • Target

    payment advice_29011021.exe

  • Size

    292KB

  • MD5

    9fd9757825549183fb53a8a7cbd0a11b

  • SHA1

    3d24fae431c8c37b50fc0c8f6ca95af1ae19ce9e

  • SHA256

    237b6ac1943742314565dfdcc34a5c17f475462ae4399a9a9765bbbd6c679c99

  • SHA512

    b0c762e6393b883925368b520087618082e8e8cdb0885b888a5a787ce5525bd89e7b8799486013cceb84460e3bd793d4a4e415288334fdf62a8b52397aef7222

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

e8ia

C2

http://www.helpfromjames.com/e8ia/

Decoy

le-hameau-enchanteur.com

quantumsystem-au.club

engravedeeply.com

yesrecompensas.lat

cavallitowerofficials.com

800seaspray.com

skifun-jetski.com

thouartafoot.com

nft2dollar.com

petrestore.online

cjcutthecord2.com

tippimccullough.com

gadget198.xyz

djmiriam.com

bitbasepay.com

cukierniawz.com

mcclureic.xyz

inthekitchenshakinandbakin.com

busy-clicks.com

melaniemorris.online

Signatures

  • Formbook

    Formbook is data-stealing malware.

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 4 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 6 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1412
    • C:\Users\Admin\AppData\Local\Temp\payment advice_29011021.exe
      "C:\Users\Admin\AppData\Local\Temp\payment advice_29011021.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1452
      • C:\Users\Admin\AppData\Local\Temp\payment advice_29011021.exe
        "C:\Users\Admin\AppData\Local\Temp\payment advice_29011021.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:848
    • C:\Windows\SysWOW64\wininit.exe
      "C:\Windows\SysWOW64\wininit.exe"
      2⤵
      • Adds policy Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1260
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\payment advice_29011021.exe"
        3⤵
        • Deletes itself
        PID:364
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
        PID:1752
      • C:\Program Files (x86)\F2d9l_r\vganz7.exe
        "C:\Program Files (x86)\F2d9l_r\vganz7.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1376
        • C:\Program Files (x86)\F2d9l_r\vganz7.exe
          "C:\Program Files (x86)\F2d9l_r\vganz7.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:456

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Registry Run Keys / Startup Folder (1) T1060
  • Defense Evasion: Modify Registry (2) T1112
  • Discovery: System Information Discovery (1) T1082


Downloads

    • C:\Program Files (x86)\F2d9l_r\vganz7.exe
      MD5

      9fd9757825549183fb53a8a7cbd0a11b

      SHA1

      3d24fae431c8c37b50fc0c8f6ca95af1ae19ce9e

      SHA256

      237b6ac1943742314565dfdcc34a5c17f475462ae4399a9a9765bbbd6c679c99

      SHA512

      b0c762e6393b883925368b520087618082e8e8cdb0885b888a5a787ce5525bd89e7b8799486013cceb84460e3bd793d4a4e415288334fdf62a8b52397aef7222

    • C:\Users\Admin\AppData\Local\Temp\6ajiy25t92q9h4nej1x
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    • \Users\Admin\AppData\Local\Temp\nseBB5.tmp\fsagsi.dll
      MD5

      c423a14876868b5c0def8b781bc66a62

      SHA1

      f848e7bf0801a32f66c9c3ede645498812ebff06

      SHA256

      dee6a5e04eac8488f9d00d5e6684c9a8368eb6a765180a3f2c89a07499f951f7

      SHA512

      e2ba84a73f84b32cf42999d4f9b241ca22ae8653f7716676b718167b1a980943121ae2ccec5551a720cc7974175aca592a72301583b2accc865dbca89ff41a7e

    • \Users\Admin\AppData\Local\Temp\nsyDAA7.tmp\fsagsi.dll
      MD5

      c423a14876868b5c0def8b781bc66a62

      SHA1

      f848e7bf0801a32f66c9c3ede645498812ebff06

      SHA256

      dee6a5e04eac8488f9d00d5e6684c9a8368eb6a765180a3f2c89a07499f951f7

      SHA512

      e2ba84a73f84b32cf42999d4f9b241ca22ae8653f7716676b718167b1a980943121ae2ccec5551a720cc7974175aca592a72301583b2accc865dbca89ff41a7e

    • memory/364-64-0x0000000000000000-mapping.dmp
    • memory/456-80-0x0000000000970000-0x0000000000C73000-memory.dmp
      Filesize

      3MB

    • memory/456-78-0x000000000041D4D0-mapping.dmp
    • memory/848-61-0x00000000003D0000-0x00000000003E1000-memory.dmp
      Filesize

      68KB

    • memory/848-60-0x0000000000950000-0x0000000000C53000-memory.dmp
      Filesize

      3MB

    • memory/848-58-0x000000000041D4D0-mapping.dmp
    • memory/848-57-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

    • memory/1260-66-0x0000000000080000-0x00000000000A9000-memory.dmp
      Filesize

      164KB

    • memory/1260-67-0x0000000002280000-0x0000000002583000-memory.dmp
      Filesize

      3MB

    • memory/1260-68-0x00000000004E0000-0x0000000000570000-memory.dmp
      Filesize

      576KB

    • memory/1260-65-0x0000000000E60000-0x0000000000E7A000-memory.dmp
      Filesize

      104KB

    • memory/1260-63-0x0000000000000000-mapping.dmp
    • memory/1376-71-0x0000000000000000-mapping.dmp
    • memory/1412-69-0x0000000009070000-0x00000000091D2000-memory.dmp
      Filesize

      1MB

    • memory/1412-62-0x00000000073B0000-0x0000000007509000-memory.dmp
      Filesize

      1MB

    • memory/1452-55-0x0000000076241000-0x0000000076243000-memory.dmp
      Filesize

      8KB