Overview

overview

10

Static

static

Payment Advice.exe

windows7_x64

10

Payment Advice.exe

windows10_x64

10

Analysis

  • max time kernel
    53s
  • max time network
    65s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    06-12-2021 13:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment Advice.exe

  • Size

    1.3MB

  • MD5

    6e976bdd711770b20d6664fd18fe5c7b

  • SHA1

    168d5d7bece8d371a379148c1988841e49b21ace

  • SHA256

    d2b976a493c6d3b694dba0e139cea1d4943c0176a807109a9ab045a6b23b75c1

  • SHA512

    6d6eb05864690352a47dc32670ef968c6c6edd908372e335a8abd44ccd76c6b230177fd29841d0a1672891b7bd1488057358e0d35be80f7c8edea3ef55227648

Score
10/10
xloaderea0rloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ea0r

C2

http://www.asiapubz-hk.com/ea0r/

Decoy

lionheartcreativestudios.com

konzertmanagement.com

blackpanther.online

broychim-int.com

takut18.com

txstarsolar.com

herdsherpa.com

igorshestakov.com

shinesbox.com

reflectpkljlt.xyz

oiltoolshub.com

viralmoneychallenge.com

changingalphastrategies.com

mecitiris.com

rdadmin.online

miniambiente.com

kominarcine.com

pino-almond.com

heihit.xyz

junqi888.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
      "C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3616
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GUkSklAlcp.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3440
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GUkSklAlcp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp503F.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:3536
      • C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
        "C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe"
        3⤵
          PID:1352
        • C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
          "C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1492
      • C:\Windows\SysWOW64\autofmt.exe
        "C:\Windows\SysWOW64\autofmt.exe"
        2⤵
          PID:2352
        • C:\Windows\SysWOW64\svchost.exe
          "C:\Windows\SysWOW64\svchost.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:60
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe"
            3⤵
              PID:948

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Scheduled Task

        1
        T1053

        Persistence

        Scheduled Task

        1
        T1053

        Privilege Escalation

        Scheduled Task

        1
        T1053

        Defense Evasion

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp503F.tmp
          MD5

          db50a35ad08566ca96860c062ab65ce0

          SHA1

          bf5dfaafba531a744cd1d46ec8ac56510928fbae

          SHA256

          b4ac9b06157339cf79f6e1ab964f496ab58dcd5201c23a350e48eb76dcc7dbcd

          SHA512

          5fa8d63451f80853671ef262b5acb6a2ed5bc47328a2cc6aec96121ba86fa6249f5650c0fd186826666399a47871ca2e7113e01feb0b2ef5b26d79084cda644f

          Download Submit
        • memory/60-171-0x0000000003320000-0x0000000003640000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/60-169-0x00000000009B0000-0x00000000009BC000-memory.dmp
          Filesize

          48KB

          Download
        • memory/60-170-0x0000000000890000-0x00000000008B9000-memory.dmp
          Filesize

          164KB

          Download
        • memory/60-149-0x0000000000000000-mapping.dmp
          Download
        • memory/948-156-0x0000000000000000-mapping.dmp
          Download
        • memory/1492-142-0x00000000014A0000-0x00000000014B1000-memory.dmp
          Filesize

          68KB

          Download
        • memory/1492-141-0x0000000001060000-0x0000000001380000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/1492-133-0x000000000041D410-mapping.dmp
          Download
        • memory/1492-132-0x0000000000400000-0x0000000000429000-memory.dmp
          Filesize

          164KB

          Download
        • memory/2988-143-0x00000000025B0000-0x000000000266B000-memory.dmp
          Filesize

          748KB

          Download
        • memory/3440-147-0x00000000004E0000-0x00000000004E1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3440-139-0x0000000007260000-0x0000000007261000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3440-129-0x00000000064E0000-0x00000000064E1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3440-127-0x00000000004E0000-0x00000000004E1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3440-131-0x0000000006B50000-0x0000000006B51000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3440-155-0x0000000008930000-0x0000000008963000-memory.dmp
          Filesize

          204KB

          Download
        • memory/3440-125-0x0000000000000000-mapping.dmp
          Download
        • memory/3440-135-0x00000000040F2000-0x00000000040F3000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3440-134-0x00000000040F0000-0x00000000040F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3440-137-0x0000000006A00000-0x0000000006A01000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3440-138-0x00000000071F0000-0x00000000071F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3440-163-0x0000000008910000-0x0000000008911000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3440-140-0x00000000074B0000-0x00000000074B1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3440-183-0x00000000040F3000-0x00000000040F4000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3440-173-0x0000000008E60000-0x0000000008E61000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3440-128-0x00000000004E0000-0x00000000004E1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3440-144-0x0000000007300000-0x0000000007301000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3440-145-0x0000000007940000-0x0000000007941000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3440-146-0x0000000007BD0000-0x0000000007BD1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3440-172-0x000000007EFB0000-0x000000007EFB1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3440-168-0x0000000008B10000-0x0000000008B11000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3536-126-0x0000000000000000-mapping.dmp
          Download
        • memory/3616-122-0x0000000005330000-0x0000000005331000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3616-120-0x0000000004F60000-0x0000000004F61000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3616-121-0x0000000005060000-0x0000000005068000-memory.dmp
          Filesize

          32KB

          Download
        • memory/3616-119-0x0000000004E80000-0x000000000537E000-memory.dmp
          Filesize

          5.0MB

          Download
        • memory/3616-118-0x0000000004E80000-0x0000000004E81000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3616-117-0x0000000005380000-0x0000000005381000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3616-115-0x0000000000460000-0x0000000000461000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3616-123-0x0000000005BA0000-0x0000000005BA1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3616-124-0x0000000005C40000-0x0000000005D56000-memory.dmp
          Filesize

          1.1MB

          Download