Overview

overview

10

Static

static

Payment Advice.exe

windows7_x64

10

Payment Advice.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    06-12-2021 13:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment Advice.exe

  • Size

    1.3MB

  • MD5

    6e976bdd711770b20d6664fd18fe5c7b

  • SHA1

    168d5d7bece8d371a379148c1988841e49b21ace

  • SHA256

    d2b976a493c6d3b694dba0e139cea1d4943c0176a807109a9ab045a6b23b75c1

  • SHA512

    6d6eb05864690352a47dc32670ef968c6c6edd908372e335a8abd44ccd76c6b230177fd29841d0a1672891b7bd1488057358e0d35be80f7c8edea3ef55227648

Score
10/10
xloaderea0rloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ea0r

C2

http://www.asiapubz-hk.com/ea0r/

Decoy

lionheartcreativestudios.com

konzertmanagement.com

blackpanther.online

broychim-int.com

takut18.com

txstarsolar.com

herdsherpa.com

igorshestakov.com

shinesbox.com

reflectpkljlt.xyz

oiltoolshub.com

viralmoneychallenge.com

changingalphastrategies.com

mecitiris.com

rdadmin.online

miniambiente.com

kominarcine.com

pino-almond.com

heihit.xyz

junqi888.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 4 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1376
    • C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
      "C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1576
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GUkSklAlcp.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:544
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GUkSklAlcp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4B62.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:924
      • C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
        "C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1160
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe"
        3⤵
        • Deletes itself
        PID:860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp4B62.tmp
    MD5

    c13af8863a9a3cd00bef2fc23c743ba0

    SHA1

    67aea05bf3e1069e58260aa628446fcb7ccd895d

    SHA256

    5e4c1c1bbdd7f84a21bbdf8e19e559b837e4deb32dd52e4cfd0e5771918b8cda

    SHA512

    23b849359011d0998604ffe491ffde8b5be11301b53c302c4c0275e88967d7df52822affe82dc4b672989e4c487d9f3bfebfa9f0b217515c6338ec2e1d30d205

    Download Submit
  • memory/544-75-0x0000000002480000-0x00000000030CA000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/544-71-0x0000000002480000-0x00000000030CA000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/544-69-0x0000000002480000-0x00000000030CA000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/544-61-0x0000000000000000-mapping.dmp
    Download
  • memory/860-82-0x0000000000000000-mapping.dmp
    Download
  • memory/924-62-0x0000000000000000-mapping.dmp
    Download
  • memory/1160-73-0x0000000000280000-0x0000000000291000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1160-76-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1160-66-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1160-67-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1160-68-0x000000000041D410-mapping.dmp
    Download
  • memory/1160-77-0x0000000000360000-0x0000000000371000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1160-72-0x0000000000890000-0x0000000000B93000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1160-65-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1376-78-0x0000000005EF0000-0x0000000005FC7000-memory.dmp
    Filesize

    860KB

    Download
  • memory/1376-74-0x00000000044A0000-0x000000000454F000-memory.dmp
    Filesize

    700KB

    Download
  • memory/1376-86-0x0000000005FD0000-0x000000000608B000-memory.dmp
    Filesize

    748KB

    Download
  • memory/1576-57-0x00000000753E1000-0x00000000753E3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1576-55-0x0000000001390000-0x0000000001391000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1576-60-0x00000000054B0000-0x00000000055C6000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1576-59-0x0000000004D30000-0x0000000004D31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1576-58-0x0000000000910000-0x0000000000918000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1684-79-0x0000000000000000-mapping.dmp
    Download
  • memory/1684-80-0x0000000000070000-0x0000000000078000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1684-81-0x00000000000E0000-0x0000000000109000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1684-83-0x00000000006D0000-0x00000000009D3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1684-85-0x00000000005B0000-0x0000000000640000-memory.dmp
    Filesize

    576KB

    Download