Analysis
- max time kernel: 307s
- max time network: 312s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 02-12-2021 12:43

Static task: static1
Behavioral task: behavioral1
Sample: Pending Invoice 38129337.exe
Resource: win7-en-20211014
General
- Target: Pending Invoice 38129337.exe
- Size: 356KB
- MD5: 8b7820fd7d45dcd564fb92db1ebe9295
- SHA1: c383a24a84143123f120f754bb0877b91628ff5b
- SHA256: c1657f01ccef85f3f46740a96704bc5dccfb4cf8fc9ac09abcfd7aa6660448f7
- SHA512: 96ffc3d1d785035b47342b700d2930cf4daee597d02e97310a53be8baa819b403dbd96e82470fa0483f5bb442728c4e0eb352ebca0945070a49013451c441590
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign ID: ea0r
- C2: http://www.asiapubz-hk.com/ea0r/
- Decoy domains:
lionheartcreativestudios.com
konzertmanagement.com
blackpanther.online
broychim-int.com
takut18.com
txstarsolar.com
herdsherpa.com
igorshestakov.com
shinesbox.com
reflectpkljlt.xyz
oiltoolshub.com
viralmoneychallenge.com
changingalphastrategies.com
mecitiris.com
rdadmin.online
miniambiente.com
kominarcine.com
pino-almond.com
heihit.xyz
junqi888.com
metalumber.com
sclvfu.com
macanostore.online
projecturs.com
ahcprp.com
gztyfnrj.com
lospacenos.com
tak-etranger.com
dingermail.com
skiin.club
ystops.com
tnboxes.com
ccafgz.com
info1337.xyz
platinum24.top
hothess.com
novelfinancewhite.xyz
theselectdifference.com
flufca.com
giftcodefreefirevns.com
kgv-lachswehr.com
report-alfarabilabs.com
skeetones.com
4bcinc.com
americamr.com
wewonacademy.com
evrazavto.store
true-fanbox.com
greencofiji.com
threecommaspartners.com
hgtradingcoltd.com
xihe1919.com
241mk.com
helplockedout.com
wefundprojects.com
neosecure.store
purenewsworldwide.com
luckylottovip999.com
lottidobler.com
proyectohaciendohistoria.com
raintm.com
theproducerformula.com
trademarkitforyourself.com
ottaweed.com
Signatures

Xloader Payload (4 IoCs)
Resource / YARA rule:
- behavioral2/memory/3960-119-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
- behavioral2/memory/3960-120-0x000000000041D410-mapping.dmp: xloader
- behavioral2/memory/3992-127-0x0000000000CD0000-0x0000000000CF9000-memory.dmp: xloader
- behavioral2/memory/1544-140-0x000000000041D410-mapping.dmp: xloader
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Process: raserver.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (raserver.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\QZD0HZG8NRI = "C:\\Program Files (x86)\\Mhdfpdxs\\helprr-d4d.exe" (raserver.exe)
Executes dropped EXE (2 IoCs)
- PID 1252: helprr-d4d.exe
- PID 1544: helprr-d4d.exe
Loads dropped DLL (2 IoCs)
- PID 3664: Pending Invoice 38129337.exe
- PID 1252: helprr-d4d.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of SetThreadContext (4 IoCs)
- PID 3664 (Pending Invoice 38129337.exe) set thread context of PID 3960 (Pending Invoice 38129337.exe)
- PID 3960 (Pending Invoice 38129337.exe) set thread context of PID 3056 (Explorer.EXE)
- PID 3992 (raserver.exe) set thread context of PID 3056 (Explorer.EXE)
- PID 1252 (helprr-d4d.exe) set thread context of PID 1544 (helprr-d4d.exe)
Drops file in Program Files directory (4 IoCs)
- File opened for modification: C:\Program Files (x86)\Mhdfpdxs\helprr-d4d.exe (raserver.exe)
- File opened for modification: C:\Program Files (x86)\Mhdfpdxs (Explorer.EXE)
- File created: C:\Program Files (x86)\Mhdfpdxs\helprr-d4d.exe (Explorer.EXE)
- File opened for modification: C:\Program Files (x86)\Mhdfpdxs\helprr-d4d.exe (Explorer.EXE)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
NSIS installer (6 IoCs)
Resource / YARA rule:
- C:\Program Files (x86)\Mhdfpdxs\helprr-d4d.exe: nsis_installer_1 (3 matches)
- C:\Program Files (x86)\Mhdfpdxs\helprr-d4d.exe: nsis_installer_2 (3 matches)
Modifies Internet Explorer settings
Process: raserver.exe
- Key created: \Registry\User\S-1-5-21-1042495040-510797905-2613508344-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (raserver.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 3960 (Pending Invoice 38129337.exe): 4 entries
- PID 3992 (raserver.exe): 60 entries
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
- PID 3056: Explorer.EXE
Suspicious behavior: MapViewOfSection (7 IoCs)
- PID 3960 (Pending Invoice 38129337.exe): 3 entries
- PID 3992 (raserver.exe): 4 entries
Suspicious use of AdjustPrivilegeToken (7 IoCs)
- Token: SeDebugPrivilege, PID 3960 (Pending Invoice 38129337.exe)
- Token: SeDebugPrivilege, PID 3992 (raserver.exe)
- Token: SeShutdownPrivilege, PID 3056 (Explorer.EXE)
- Token: SeCreatePagefilePrivilege, PID 3056 (Explorer.EXE)
- Token: SeShutdownPrivilege, PID 3056 (Explorer.EXE)
- Token: SeCreatePagefilePrivilege, PID 3056 (Explorer.EXE)
- Token: SeDebugPrivilege, PID 1544 (helprr-d4d.exe)
Suspicious use of WriteProcessMemory (27 IoCs)
- PID 3664 (Pending Invoice 38129337.exe) wrote to memory of PID 3960 (Pending Invoice 38129337.exe): 6 entries
- PID 3056 (Explorer.EXE) wrote to memory of PID 3992 (raserver.exe): 3 entries
- PID 3992 (raserver.exe) wrote to memory of PID 4288 (cmd.exe): 3 entries
- PID 3992 (raserver.exe) wrote to memory of PID 492 (cmd.exe): 3 entries
- PID 3992 (raserver.exe) wrote to memory of PID 1204 (Firefox.exe): 3 entries
- PID 3056 (Explorer.EXE) wrote to memory of PID 1252 (helprr-d4d.exe): 3 entries
- PID 1252 (helprr-d4d.exe) wrote to memory of PID 1544 (helprr-d4d.exe): 6 entries
Processes
(indentation shows parent/child depth; the number in brackets is the depth level from the report)

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Drops file in Program Files directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\Pending Invoice 38129337.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Pending Invoice 38129337.exe"
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\Pending Invoice 38129337.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\Pending Invoice 38129337.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\raserver.exe
        Command line: "C:\Windows\SysWOW64\raserver.exe"
        - Adds policy Run key to start application
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Pending Invoice 38129337.exe"

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

        [3] C:\Program Files\Mozilla Firefox\Firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

    [2] C:\Program Files (x86)\Mhdfpdxs\helprr-d4d.exe
        Command line: "C:\Program Files (x86)\Mhdfpdxs\helprr-d4d.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        [3] C:\Program Files (x86)\Mhdfpdxs\helprr-d4d.exe
            Command line: "C:\Program Files (x86)\Mhdfpdxs\helprr-d4d.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\Mhdfpdxs\helprr-d4d.exe
  MD5: 8b7820fd7d45dcd564fb92db1ebe9295
  SHA1: c383a24a84143123f120f754bb0877b91628ff5b
  SHA256: c1657f01ccef85f3f46740a96704bc5dccfb4cf8fc9ac09abcfd7aa6660448f7
  SHA512: 96ffc3d1d785035b47342b700d2930cf4daee597d02e97310a53be8baa819b403dbd96e82470fa0483f5bb442728c4e0eb352ebca0945070a49013451c441590
- C:\Users\Admin\AppData\Local\Temp\DB1
  MD5: b608d407fc15adea97c26936bc6f03f6
  SHA1: 953e7420801c76393902c0d6bb56148947e41571
  SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

- C:\Users\Admin\AppData\Local\Temp\yrxgm2w0x467y
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

- \Users\Admin\AppData\Local\Temp\nsjCDB2.tmp\ancprnfrgdi.dll
  MD5: 43e23cb30db04f30af162414f5fcb084
  SHA1: 2f8db11d592b1b28d56f9ba4e8666af458100a3b
  SHA256: 94f51bd2bafd932f5c3ae824f2a2f93be2978c6b7c194f4f39231bce3ac7fac4
  SHA512: cb1ec23a47939760f6fd6e2e090124bf89c89190ed6cfe634274fdcded11fa868b7ca0c7379ec1452339e4c361a6c052f3bca9dfb44595309af02cfe16fa9daf

- \Users\Admin\AppData\Local\Temp\nsz578.tmp\ancprnfrgdi.dll
  MD5: 43e23cb30db04f30af162414f5fcb084
  SHA1: 2f8db11d592b1b28d56f9ba4e8666af458100a3b
  SHA256: 94f51bd2bafd932f5c3ae824f2a2f93be2978c6b7c194f4f39231bce3ac7fac4
  SHA512: cb1ec23a47939760f6fd6e2e090124bf89c89190ed6cfe634274fdcded11fa868b7ca0c7379ec1452339e4c361a6c052f3bca9dfb44595309af02cfe16fa9daf

- memory/492-132-0x0000000000000000-mapping.dmp
- memory/1252-134-0x0000000000000000-mapping.dmp
- memory/1544-142-0x0000000000B20000-0x0000000000E40000-memory.dmp (Filesize: 3.1MB)
- memory/1544-140-0x000000000041D410-mapping.dmp
- memory/3056-124-0x0000000005D10000-0x0000000005E27000-memory.dmp (Filesize: 1.1MB)
- memory/3056-131-0x00000000061C0000-0x000000000634D000-memory.dmp (Filesize: 1.6MB)
- memory/3960-122-0x0000000000A60000-0x0000000000D80000-memory.dmp (Filesize: 3.1MB)
- memory/3960-123-0x00000000005E0000-0x00000000005F1000-memory.dmp (Filesize: 68KB)
- memory/3960-120-0x000000000041D410-mapping.dmp
- memory/3960-119-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/3992-130-0x0000000004A70000-0x0000000004B00000-memory.dmp (Filesize: 576KB)
- memory/3992-129-0x0000000004BF0000-0x0000000004F10000-memory.dmp (Filesize: 3.1MB)
- memory/3992-127-0x0000000000CD0000-0x0000000000CF9000-memory.dmp (Filesize: 164KB)
- memory/3992-126-0x0000000000EB0000-0x0000000000ECF000-memory.dmp (Filesize: 124KB)
- memory/3992-125-0x0000000000000000-mapping.dmp
- memory/4288-128-0x0000000000000000-mapping.dmp