Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 14-01-2022 09:17
- Static task: static1
- Behavioral task: behavioral1
- Sample: commercial invoice_010202201.exe
- Resource: win7-en-20211208
General
- Target: commercial invoice_010202201.exe
- Size: 238KB
- MD5: acbc7357e4fb7d8d4874ecbeb0c5bd0f
- SHA1: f423fed0f335e5c31d7b799aba25469420fb6009
- SHA256: 73f458d7e38ab748b7b7d3b3e680db9eb08d845c1b1b7c935a6ee453d8f03358
- SHA512: f492401628f2970d3a0056091aea7b7af9938da1d885e0f1a2946f3fed84eb8d132de8f926345791444de7c72c8adbb150d19cd5f81acc8fa1a043d6b0edd17d
Malware Config
Extracted
xloader
2.5
igwa
listingswithalex.com
funtabse.com
aydenwalling.com
prochal.net
superfoodsnederland.com
moldluck.com
dianekgordon.store
regionalhomescommercial.com
mysecuritymadesimple.com
malwaremastery.com
kodaikeiko.com
jrzg996.com
agricurve.net
songlingjiu.com
virginianundahfishingclub.com
friendschance.com
pastelpresents.com
answertitles.com
survival-hunter.com
nxfddl.com
traditionnevertrend.com
agrovessel.com
unicorm.digital
cucumboy.com
alemdogarimpo.com
laraful.com
hexwaa.com
hanu21st.com
knoycia.com
qishengxing.com
gopipurespices.com
fdkkrfidkdslsieofkld.info
elephantspublications.online
valeriebeijing.com
xn--42cg2czax6ptae6a.com
2shengman.com
sfcshavedice.com
ragworkhouse.com
stardomfrokch.xyz
exoticcenterfold.com
eventosartifice.com
test-order-noren.com
110bao.com
face-pro.online
freedomoff.com
futuresep.com
tremblock.com
chocolat-gillotte.com
speclove.com
ddflsl.com
goodnewsmbc.net
cloudtotaal.com
goapps-auth.com
ouch247max.com
sabra-sd.com
luxuryneverhurt.art
rxvendorpills.online
ludowinners.online
placemyorder.online
skyrim.company
monsterlecturer.com
controle-fiscal.com
phoenixinjurylawyer.online
nanoheadgames.com
toposales.com
Signatures

Xloader Payload (4 IoCs)
Processes:
| resource | yara_rule |
|---|---|
| behavioral2/memory/2744-116-0x0000000000400000-0x0000000000429000-memory.dmp | xloader |
| behavioral2/memory/2744-117-0x000000000041D440-mapping.dmp | xloader |
| behavioral2/memory/2744-122-0x0000000000400000-0x0000000000429000-memory.dmp | xloader |
| behavioral2/memory/1204-128-0x00000000031F0000-0x0000000003219000-memory.dmp | xloader |

Loads dropped DLL (1 IoC)
Processes:
| pid | process |
|---|---|
| 3520 | commercial invoice_010202201.exe |

Suspicious use of SetThreadContext (4 IoCs)
Processes:
| description | pid | process | target process |
|---|---|---|---|
| PID 3520 set thread context of 2744 | 3520 | commercial invoice_010202201.exe | commercial invoice_010202201.exe |
| PID 2744 set thread context of 2928 | 2744 | commercial invoice_010202201.exe | Explorer.EXE |
| PID 2744 set thread context of 2928 | 2744 | commercial invoice_010202201.exe | Explorer.EXE |
| PID 1204 set thread context of 2928 | 1204 | mstsc.exe | Explorer.EXE |

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes (identical rows collapsed; count is the number of occurrences):
| pid | process | count |
|---|---|---|
| 2744 | commercial invoice_010202201.exe | 6 |
| 1204 | mstsc.exe | 54 |

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
| pid | process |
|---|---|
| 2928 | Explorer.EXE |

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes (identical rows collapsed; count is the number of occurrences):
| pid | process | count |
|---|---|---|
| 2744 | commercial invoice_010202201.exe | 4 |
| 1204 | mstsc.exe | 2 |

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
| description | pid | process |
|---|---|---|
| Token: SeDebugPrivilege | 2744 | commercial invoice_010202201.exe |
| Token: SeDebugPrivilege | 1204 | mstsc.exe |

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (identical rows collapsed; count is the number of occurrences):
| description | pid | process | target process | count |
|---|---|---|---|---|
| PID 3520 wrote to memory of 2744 | 3520 | commercial invoice_010202201.exe | commercial invoice_010202201.exe | 6 |
| PID 2928 wrote to memory of 1204 | 2928 | Explorer.EXE | mstsc.exe | 3 |
| PID 1204 wrote to memory of 1060 | 1204 | mstsc.exe | cmd.exe | 3 |
Processes (tree; each entry is path, then command line, nested under its parent)
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\commercial invoice_010202201.exe (command line: "C:\Users\Admin\AppData\Local\Temp\commercial invoice_010202201.exe")
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\commercial invoice_010202201.exe (command line: "C:\Users\Admin\AppData\Local\Temp\commercial invoice_010202201.exe")
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\mstsc.exe (command line: "C:\Windows\SysWOW64\mstsc.exe")
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (command line: /c del "C:\Users\Admin\AppData\Local\Temp\commercial invoice_010202201.exe")
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsj9A01.tmp\uajs.dll
  - MD5: 85abde39747f6b521228f37be34d4869
  - SHA1: 8b8f1c057d7369c6fea384daf46412f635ddf465
  - SHA256: 900e115c271f29c66454e91f168be012c2ae5d307c86b70e8d595e0bade388c6
  - SHA512: 7f36a7e83fd14924d365845608a9cd76f4accb425147e9f12d94a19ff5b50e3d6098e601fe08825aafef241b5a4296d7e287cc3fa794dc66c875b19df850b01f
- memory/1060-126-0x0000000000000000-mapping.dmp
- memory/1204-125-0x0000000000000000-mapping.dmp
- memory/1204-130-0x0000000004F70000-0x0000000005000000-memory.dmp (Filesize: 576KB)
- memory/1204-129-0x00000000050C0000-0x00000000053E0000-memory.dmp (Filesize: 3.1MB)
- memory/1204-127-0x0000000000E90000-0x000000000118C000-memory.dmp (Filesize: 3.0MB)
- memory/1204-128-0x00000000031F0000-0x0000000003219000-memory.dmp (Filesize: 164KB)
- memory/2744-119-0x0000000000A40000-0x0000000000D60000-memory.dmp (Filesize: 3.1MB)
- memory/2744-123-0x0000000000A00000-0x0000000000A11000-memory.dmp (Filesize: 68KB)
- memory/2744-122-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/2744-120-0x00000000009C0000-0x00000000009D1000-memory.dmp (Filesize: 68KB)
- memory/2744-117-0x000000000041D440-mapping.dmp
- memory/2744-116-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/2928-124-0x0000000001FE0000-0x00000000020AE000-memory.dmp (Filesize: 824KB)
- memory/2928-121-0x0000000000670000-0x0000000000733000-memory.dmp (Filesize: 780KB)
- memory/2928-131-0x00000000024F0000-0x00000000025E7000-memory.dmp (Filesize: 988KB)