Analysis
max time kernel: 147s
max time network: 151s
platform: windows10_x64
resource: win10-en-20211208
submitted: 09-12-2021 04:21
Static task: static1
Behavioral task: behavioral1
Sample: Bill of Lading & Shipping Advice.exe
Resource: win7-en-20211208
General
Target: Bill of Lading & Shipping Advice.exe
Size: 508KB
MD5: ca0d7b52d537773db4598a25fdf5cf22
SHA1: f971b4ac64190312edfd3830dd40a257316c7e8f
SHA256: b9829a5660b2dcf188de5595741b42380f091c30bb3be299e131b61171d7b513
SHA512: 58b69ca75d881acf8d90e3c22859dff514f796872460e619bd4699f71abbeb02ccc6832b583d29e916b6f993d508018b50d59cd8d46859251cb12e9e14d91195
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: ea0r
C2: http://www.asiapubz-hk.com/ea0r/
Decoy domains:
lionheartcreativestudios.com
konzertmanagement.com
blackpanther.online
broychim-int.com
takut18.com
txstarsolar.com
herdsherpa.com
igorshestakov.com
shinesbox.com
reflectpkljlt.xyz
oiltoolshub.com
viralmoneychallenge.com
changingalphastrategies.com
mecitiris.com
rdadmin.online
miniambiente.com
kominarcine.com
pino-almond.com
heihit.xyz
junqi888.com
metalumber.com
sclvfu.com
macanostore.online
projecturs.com
ahcprp.com
gztyfnrj.com
lospacenos.com
tak-etranger.com
dingermail.com
skiin.club
ystops.com
tnboxes.com
ccafgz.com
info1337.xyz
platinum24.top
hothess.com
novelfinancewhite.xyz
theselectdifference.com
flufca.com
giftcodefreefirevns.com
kgv-lachswehr.com
report-alfarabilabs.com
skeetones.com
4bcinc.com
americamr.com
wewonacademy.com
evrazavto.store
true-fanbox.com
greencofiji.com
threecommaspartners.com
hgtradingcoltd.com
xihe1919.com
241mk.com
helplockedout.com
wefundprojects.com
neosecure.store
purenewsworldwide.com
luckylottovip999.com
lottidobler.com
proyectohaciendohistoria.com
raintm.com
theproducerformula.com
trademarkitforyourself.com
ottaweed.com
Signatures

Xloader Payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/3540-116-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
  behavioral2/memory/3540-117-0x000000000041D410-mapping.dmp                    xloader
  behavioral2/memory/4092-124-0x00000000003A0000-0x00000000003C9000-memory.dmp  xloader

Loads dropped DLL (1 IoC)
  pid   process
  2492  Bill of Lading & Shipping Advice.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   process                               target process
  PID 2492 set thread context of 3540  2492  Bill of Lading & Shipping Advice.exe  Bill of Lading & Shipping Advice.exe
  PID 3540 set thread context of 2084  3540  Bill of Lading & Shipping Advice.exe  Explorer.EXE
  PID 4092 set thread context of 2084  4092  cmstp.exe                             Explorer.EXE

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (60 IoCs)
  pid   process
  3540  Bill of Lading & Shipping Advice.exe  (4 entries)
  4092  cmstp.exe                             (56 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   process
  2084  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   process
  3540  Bill of Lading & Shipping Advice.exe  (3 entries)
  4092  cmstp.exe                             (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  3540  Bill of Lading & Shipping Advice.exe
  Token: SeDebugPrivilege  4092  cmstp.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   process                               target process
  PID 2492 wrote to memory of 3540   2492  Bill of Lading & Shipping Advice.exe  Bill of Lading & Shipping Advice.exe  (6 entries)
  PID 2084 wrote to memory of 4092   2084  Explorer.EXE                          cmstp.exe                             (3 entries)
  PID 4092 wrote to memory of 3728   4092  cmstp.exe                             cmd.exe                               (3 entries)
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Bill of Lading & Shipping Advice.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Bill of Lading & Shipping Advice.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Bill of Lading & Shipping Advice.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Bill of Lading & Shipping Advice.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\autoconv.exe
    command line: "C:\Windows\SysWOW64\autoconv.exe"

  C:\Windows\SysWOW64\cmstp.exe
    command line: "C:\Windows\SysWOW64\cmstp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Bill of Lading & Shipping Advice.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
\Users\Admin\AppData\Local\Temp\nspC390.tmp\ynieoukx.dll
  MD5: 7c9a18a000849851c8e34fe6e1e88b21
  SHA1: ffd0b9cd7b469be2f15ce836076ff21c88ee3a2d
  SHA256: 80f12b6475767dd4cd6271fd6e213317230ce5814909c9b21e132cacae3952c6
  SHA512: 5e62ee3116a13fe3fcaf137329f02825be17ed2385c43a227b9b5f7f59b09636de0f85ee778b31f1c87b67afd786a6f62d5c79acc85caad32ebde0ce24cd9c9a

memory/2084-121-0x0000000004FF0000-0x000000000515A000-memory.dmp
  Filesize: 1.4MB

memory/2084-128-0x0000000005160000-0x0000000005277000-memory.dmp
  Filesize: 1.1MB

memory/3540-116-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB

memory/3540-117-0x000000000041D410-mapping.dmp

memory/3540-120-0x00000000006D0000-0x00000000006E1000-memory.dmp
  Filesize: 68KB

memory/3540-119-0x0000000000A00000-0x0000000000D20000-memory.dmp
  Filesize: 3.1MB

memory/3728-125-0x0000000000000000-mapping.dmp

memory/4092-123-0x0000000000800000-0x0000000000816000-memory.dmp
  Filesize: 88KB

memory/4092-124-0x00000000003A0000-0x00000000003C9000-memory.dmp
  Filesize: 164KB

memory/4092-126-0x0000000004600000-0x0000000004920000-memory.dmp
  Filesize: 3.1MB

memory/4092-122-0x0000000000000000-mapping.dmp

memory/4092-127-0x00000000043E0000-0x0000000004470000-memory.dmp
  Filesize: 576KB