Analysis
max time kernel: 148s
max time network: 148s
platform: windows10_x64
resource: win10-en-20211104
submitted: 01-12-2021 08:29

Static task: static1
Behavioral task: behavioral1
Sample: Overdue Invoice.exe
Resource: win7-en-20211014
General
Target: Overdue Invoice.exe
Size: 614KB
MD5: fc0c4e91f8407bc6d4d650924e7a4fae
SHA1: 6dd4286594c7d6171c9cf8479cd6a2b0821d053f
SHA256: e630a2d0f63e21c38730606f15825c625d37eb1ff5b038724b403a1f72c591ec
SHA512: 038c6d7e7a455bf79fc9c5e77800d04be999b0ba84568eb90b18fb622577ceb54fa4ab5854bc8386b48d6cbaa53008993f94eb8172b6d8d74107cdb741ef811f
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: ea0r
C2: http://www.asiapubz-hk.com/ea0r/
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload (3 IoCs)
resource                                                                      yara_rule
behavioral2/memory/604-127-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
behavioral2/memory/604-128-0x000000000041D410-mapping.dmp                     xloader
behavioral2/memory/3436-135-0x00000000009C0000-0x00000000009E9000-memory.dmp  xloader

Suspicious use of SetThreadContext (3 IoCs)
description                          pid   process              target process
PID 2584 set thread context of 604   2584  Overdue Invoice.exe  Overdue Invoice.exe
PID 604 set thread context of 2984   604   Overdue Invoice.exe  Explorer.EXE
PID 3436 set thread context of 2984  3436  cmstp.exe            Explorer.EXE

Suspicious behavior: EnumeratesProcesses (44 IoCs)
pid   process              events
604   Overdue Invoice.exe  4
3436  cmstp.exe            40

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   process
2984  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
pid   process              events
604   Overdue Invoice.exe  3
3436  cmstp.exe            2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   process
Token: SeDebugPrivilege  604   Overdue Invoice.exe
Token: SeDebugPrivilege  3436  cmstp.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description                        pid   process              target process       events
PID 2584 wrote to memory of 604    2584  Overdue Invoice.exe  Overdue Invoice.exe  6
PID 2984 wrote to memory of 3436   2984  Explorer.EXE         cmstp.exe            3
PID 3436 wrote to memory of 1476   3436  cmstp.exe            cmd.exe              3
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Overdue Invoice.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Overdue Invoice.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Overdue Invoice.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Overdue Invoice.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmstp.exe
    command line: "C:\Windows\SysWOW64\cmstp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Overdue Invoice.exe"
Downloads
file                                                               size
memory/604-127-0x0000000000400000-0x0000000000429000-memory.dmp    164KB
memory/604-130-0x00000000016B0000-0x00000000019D0000-memory.dmp    3.1MB
memory/604-131-0x00000000011F0000-0x0000000001201000-memory.dmp    68KB
memory/604-128-0x000000000041D410-mapping.dmp
memory/1476-136-0x0000000000000000-mapping.dmp
memory/2584-124-0x0000000005670000-0x0000000005676000-memory.dmp   24KB
memory/2584-120-0x0000000005680000-0x0000000005681000-memory.dmp   4KB
memory/2584-126-0x0000000006130000-0x0000000006187000-memory.dmp   348KB
memory/2584-118-0x0000000000960000-0x0000000000961000-memory.dmp   4KB
memory/2584-123-0x0000000005240000-0x0000000005241000-memory.dmp   4KB
memory/2584-122-0x0000000005180000-0x000000000567E000-memory.dmp   5.0MB
memory/2584-121-0x0000000005260000-0x0000000005261000-memory.dmp   4KB
memory/2584-125-0x00000000061D0000-0x00000000061D1000-memory.dmp   4KB
memory/2984-132-0x00000000061E0000-0x00000000062F0000-memory.dmp   1.1MB
memory/2984-139-0x0000000002B00000-0x0000000002BE5000-memory.dmp   916KB
memory/3436-135-0x00000000009C0000-0x00000000009E9000-memory.dmp   164KB
memory/3436-134-0x0000000001200000-0x0000000001216000-memory.dmp   88KB
memory/3436-133-0x0000000000000000-mapping.dmp
memory/3436-137-0x0000000004AF0000-0x0000000004E10000-memory.dmp   3.1MB
memory/3436-138-0x00000000049F0000-0x0000000004A80000-memory.dmp   576KB