Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 09-12-2021 06:51
- Static task: static1
- Behavioral task: behavioral1
- Sample: PAYMENT_PO78893.js
- Resource: win7-en-20211208
General
- Target: PAYMENT_PO78893.js
- Size: 415KB
- MD5: ed6574999b2277dae2c322d08de349f1
- SHA1: bf71edb9c1c324c4534acdd46395b5ab67f268d0
- SHA256: bd7de167ffee33b3abca17c579ca2b38c9c46b02d7e05da4cc3b0362d9331b1a
- SHA512: 65ea4d756d9920a00e707cbeb54f16612a5cab430f79528d0086b9ab19b38f458402afb715dd765332d44bfaf700b1a4d2a90a639ca18661a3dce31b7fdb49d0
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: pzi0
- C2: http://www.buffstaff.com/pzi0/
Domains:
laylmodest.com
woruke.club
metaverseslots.net
syscogent.net
aluxxenterprise.com
lm-solar.com
lightempirestore.com
witcheboutique.com
hometech-bosch.xyz
expert-netcad.com
poteconomist.com
mycousinsfriend.biz
shineveranda.com
collegedictionary.cloud
zqlidexx.com
businessesopportunity.com
2utalahs4.com
participatetn.info
dare2ownit.com
varser.com
gxo.digital
networkroftrl.xyz
renturways.com
theprooff.com
ncgf06.xyz
lighterior2.com
one-seo.xyz
benzprod.xyz
k6tkuwrnjake.biz
robinlynnolson.com
ioptest.com
modern-elementz.com
baetsupreme.net
lapetiteagencequimonte.com
xn--bellemre-60a.com
bringthegalaxy.com
shopnobra.com
maroondragon.com
pandemictickets.com
intelligentrereturns.net
quietshop.art
anarkalidress.com
wasserstoff-station.net
filmweltruhr.com
buck100.com
maxicashprommu.xyz
studiosilhouettes.com
lightningridgetradingpost.com
zhuanzhuan9987.top
mlelement.com
krystalsescapetravels.com
simplyabcbooks.com
greenhouse1995systems.com
altogetheradhd.com
servicedogumentary.com
cdcawpx.com
motometics.com
palisadesattahoe.com
paradgmpharma.com
microexpertise.com
venkycouture.online
maculardegenerationtsusanet.com
atlasbrandwear.com
karegcc.com
Signatures
- Xloader Payload (3 IoCs)
  resource                                                                       yara_rule
  C:\Users\Admin\AppData\Local\Temp\wealth.exe                                   xloader
  C:\Users\Admin\AppData\Local\Temp\wealth.exe                                   xloader
  behavioral1/memory/1956-68-0x0000000000080000-0x00000000000A9000-memory.dmp    xloader
- Blocklisted process makes network request (18 IoCs)
  Processes:
  flow  pid  process
  5     580  wscript.exe
  6     580  wscript.exe
  9     580  wscript.exe
  13    580  wscript.exe
  18    580  wscript.exe
  20    580  wscript.exe
  26    580  wscript.exe
  30    580  wscript.exe
  33    580  wscript.exe
  39    580  wscript.exe
  40    580  wscript.exe
  44    580  wscript.exe
  48    580  wscript.exe
  51    580  wscript.exe
  55    580  wscript.exe
  61    580  wscript.exe
  63    580  wscript.exe
  65    580  wscript.exe
- Executes dropped EXE (1 IoCs)
  Processes:
  pid  process
  584  wealth.exe
- Drops startup file (2 IoCs)
  Processes:
  description                   ioc                                                                                    process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mCwvamZnOK.js  wscript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mCwvamZnOK.js  wscript.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description      ioc                                                                                                              process
  Key created      \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run                 wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\mCwvamZnOK.js\""  wscript.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
  description                       pid   process       target process
  PID 584 set thread context of 1368   584   wealth.exe    Explorer.EXE
  PID 1956 set thread context of 1368  1956  explorer.exe  Explorer.EXE
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  Processes:
  pid   process
  584   wealth.exe    (2 entries)
  1956  explorer.exe  (29 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  pid   process
  1368  Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes:
  pid   process
  584   wealth.exe    (3 entries)
  1956  explorer.exe  (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description               pid   process
  Token: SeDebugPrivilege   584   wealth.exe
  Token: SeDebugPrivilege   1956  explorer.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
  pid   process
  1368  Explorer.EXE  (2 entries)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes:
  pid   process
  1368  Explorer.EXE  (2 entries)
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
  description                       pid   process       target process
  PID 968 wrote to memory of 580    968   wscript.exe   wscript.exe   (3 entries)
  PID 968 wrote to memory of 584    968   wscript.exe   wealth.exe    (4 entries)
  PID 1368 wrote to memory of 1956  1368  Explorer.EXE  explorer.exe  (4 entries)
  PID 1956 wrote to memory of 1028  1956  explorer.exe  cmd.exe       (4 entries)
Processes
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\wscript.exe
    command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\PAYMENT_PO78893.js
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wscript.exe
      command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\mCwvamZnOK.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
    - C:\Users\Admin\AppData\Local\Temp\wealth.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\wealth.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\explorer.exe
    command line: "C:\Windows\SysWOW64\explorer.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\wealth.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\wealth.exe
MD5: 83481bf872730cd133669c5ea5b1be2b
SHA1: fbd2369965b20f6bee09063aa454de13a18c71d3
SHA256: 5d174dd08492f307e4b367e262f3e96b9beefb99f5abb11043ddf7142a18e9e8
SHA512: 9080dc9bcdfba87ff3ecb3ba04af7a03dea2228f093fbb91149ff8825694601908ba85b2ce27a1de47ce1f6e263b03d96d80d43b7a4033051fbbac64fde7dc51
-
C:\Users\Admin\AppData\Roaming\mCwvamZnOK.js
MD5: 922a967ec05e44eed7e89bce2e858722
SHA1: 0466cb8198ef66d9620da26c2b2d1faa2c61ee7e
SHA256: 4707b9328e776abe28d01b08df3a7915b5e65fe33208dd7667c5bc8ca0eda7ea
SHA512: 504b376cb5f1d604e433a429bebabc4a53b64039d1e9d85245af852b910a4342c3407a82fbc25a771190aec21a94f6e80c947ba9d3f6a5f899e0f04dd2e30baa
-
memory/580-56-0x0000000000000000-mapping.dmp
-
memory/584-58-0x0000000000000000-mapping.dmp
-
memory/584-61-0x0000000000130000-0x0000000000141000-memory.dmp (Filesize: 68KB)
-
memory/584-60-0x00000000008A0000-0x0000000000BA3000-memory.dmp (Filesize: 3.0MB)
-
memory/968-55-0x000007FEFB801000-0x000007FEFB803000-memory.dmp (Filesize: 8KB)
-
memory/1028-70-0x0000000000000000-mapping.dmp
-
memory/1368-62-0x0000000004F70000-0x000000000503A000-memory.dmp (Filesize: 808KB)
-
memory/1368-72-0x0000000003D30000-0x0000000003DCA000-memory.dmp (Filesize: 616KB)
-
memory/1956-63-0x0000000000000000-mapping.dmp
-
memory/1956-67-0x00000000006D0000-0x0000000000951000-memory.dmp (Filesize: 2.5MB)
-
memory/1956-68-0x0000000000080000-0x00000000000A9000-memory.dmp (Filesize: 164KB)
-
memory/1956-69-0x00000000023D0000-0x00000000026D3000-memory.dmp (Filesize: 3.0MB)
-
memory/1956-65-0x0000000074841000-0x0000000074843000-memory.dmp (Filesize: 8KB)
-
memory/1956-71-0x0000000002180000-0x0000000002210000-memory.dmp (Filesize: 576KB)
-
memory/1956-64-0x0000000074F11000-0x0000000074F13000-memory.dmp (Filesize: 8KB)