Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 13-01-2022 08:21
Static task: static1
Behavioral task: behavioral1
Sample: overdue invoices_20220101.exe
Resource: win7-en-20211208
General
- Target: overdue invoices_20220101.exe
- Size: 241KB
- MD5: 9505909b3c7ac59c6add4d72cd69ecd6
- SHA1: 3bb605a936ddb336de13fadd922b8be9634db0a6
- SHA256: d1a716b9f2d3c4be4527b077dd5da726ffb4008935c7223116a3aa64b4f5f8f0
- SHA512: 0ba143e6ba24d25514ede89ffa97933309772f0c40c3d9eb9ae3e31dfecfc217e6712abda33f6105db33bd94cbfa816a9520d61dfd3f003022032c25fe9c657b
Malware Config (Extracted)
- Family: xloader
- Version: 2.5
- Campaign: igwa
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload (4 IoCs)
Resources matching yara rule "xloader":
- behavioral1/memory/268-56-0x0000000000400000-0x0000000000429000-memory.dmp
- behavioral1/memory/268-57-0x000000000041D440-mapping.dmp
- behavioral1/memory/268-62-0x0000000000400000-0x0000000000429000-memory.dmp
- behavioral1/memory/1032-68-0x0000000000090000-0x00000000000B9000-memory.dmp
Deletes itself (1 IoC)
Processes:
- PID 1424: cmd.exe

Loads dropped DLL (1 IoC)
Processes:
- PID 1892: overdue invoices_20220101.exe
Suspicious use of SetThreadContext (4 IoCs)
Processes (source -> target):
- PID 1892 (overdue invoices_20220101.exe) set thread context of PID 268 (overdue invoices_20220101.exe)
- PID 268 (overdue invoices_20220101.exe) set thread context of PID 1376 (Explorer.EXE)
- PID 268 (overdue invoices_20220101.exe) set thread context of PID 1376 (Explorer.EXE)
- PID 1032 (wuapp.exe) set thread context of PID 1376 (Explorer.EXE)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (31 IoCs)
Processes:
- PID 268: overdue invoices_20220101.exe (3 events)
- PID 1032: wuapp.exe (28 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- PID 1376: Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes:
- PID 268: overdue invoices_20220101.exe (4 events)
- PID 1032: wuapp.exe (2 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- PID 268 (overdue invoices_20220101.exe): Token: SeDebugPrivilege
- PID 1032 (wuapp.exe): Token: SeDebugPrivilege

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- PID 1376: Explorer.EXE (2 events)

Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
- PID 1376: Explorer.EXE (2 events)

Suspicious use of WriteProcessMemory (18 IoCs)
Processes (source -> target):
- PID 1892 (overdue invoices_20220101.exe) wrote to memory of PID 268 (overdue invoices_20220101.exe) (7 events)
- PID 1376 (Explorer.EXE) wrote to memory of PID 1032 (wuapp.exe) (7 events)
- PID 1032 (wuapp.exe) wrote to memory of PID 1424 (cmd.exe) (4 events)
Processes (tree; indentation shows parent/child relationship)
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\overdue invoices_20220101.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\overdue invoices_20220101.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - Child: C:\Users\Admin\AppData\Local\Temp\overdue invoices_20220101.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\overdue invoices_20220101.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - Child: C:\Windows\SysWOW64\wuapp.exe
    Command line: "C:\Windows\SysWOW64\wuapp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\overdue invoices_20220101.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsiCE1A.tmp\flwegdgvb.dll
  MD5: a300600e6b8394351a8389a806dd2c7d
  SHA1: 5f870174df74773d41b752ceed8eed23bfbfe2b3
  SHA256: 456a3e50040043e7f61780657d486ca1a114df74db3e6376ab9943badba26b58
  SHA512: bce9e8cd5c679f913cedda3151728109c815e667de343d9df3f8bd4bd6522a2dcc1d0275e60ae479c24823b9afdedbcf91ceae5c958b19ade658fb3007bf8725
- memory/268-63-0x0000000000390000-0x00000000003A1000-memory.dmp (Filesize: 68KB)
- memory/268-57-0x000000000041D440-mapping.dmp
- memory/268-59-0x0000000000740000-0x0000000000A43000-memory.dmp (Filesize: 3.0MB)
- memory/268-56-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/268-62-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/268-60-0x0000000000350000-0x0000000000361000-memory.dmp (Filesize: 68KB)
- memory/1032-67-0x0000000000D70000-0x0000000000D7B000-memory.dmp (Filesize: 44KB)
- memory/1032-70-0x00000000008A0000-0x0000000000930000-memory.dmp (Filesize: 576KB)
- memory/1032-68-0x0000000000090000-0x00000000000B9000-memory.dmp (Filesize: 164KB)
- memory/1032-65-0x0000000000000000-mapping.dmp
- memory/1032-69-0x0000000000980000-0x0000000000C83000-memory.dmp (Filesize: 3.0MB)
- memory/1376-64-0x00000000073A0000-0x0000000007509000-memory.dmp (Filesize: 1.4MB)
- memory/1376-61-0x0000000007110000-0x0000000007275000-memory.dmp (Filesize: 1.4MB)
- memory/1376-71-0x0000000004FC0000-0x00000000050BE000-memory.dmp (Filesize: 1016KB)
- memory/1424-66-0x0000000000000000-mapping.dmp
- memory/1892-54-0x00000000751B1000-0x00000000751B3000-memory.dmp (Filesize: 8KB)