Analysis

Tasks: static1 (static), behavioral1 (behavioral)
Sample: Invoice_xls.exe
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 19-01-2022 06:25
Max time kernel: 149s
Max time network: 149s
General

Target: Invoice_xls.exe
Size:   311KB
MD5:    11dd29bb7f2c5cb432b766b5b8dd828d
SHA1:   d9fc2d3ef2af139ad15773b448ce1250c7262651
SHA256: 2f2ba4f8549cb5de1822f0382532abdcdbd6fc2ad1f2d5120bb4c9f145e84f08
SHA512: 9f33dd9911a99757f6b475a1a6725c980d27d18a2ee30bf51ebe6b0f33a4211e294bfae196ec94c44475b92ec08cef94bc0a53ea0c4180f8d49eb336c12f9253
Malware Config

Extracted family: xloader
Version: 2.5
Campaign: 3a4h
C2 domains (65 entries). XLoader, like Formbook before it, ships one live C2 among a list of decoy domains, so treat each entry below as a pivot to hunt on rather than a confirmed C2:
mohamedmansour.net
asap.green
influxair.com
45mpt.xyz
cablerailingdesign.com
salesdisrupter.com
cxfarms.com
enerconfederal.com
pl1x.top
nyoz.top
fitnesz.website
minimi36.com
borealiselectricalrepair.com
miskalqurashi.com
importacionesdelfuturo.com
cigfinanacial.com
luxamata.xyz
digicoin724.com
gozabank.com
tribal-treasures.com
hose.center
myzipe.com
cqi2zp.biz
prodello.com
faciso.com
budgethoortoestellen.info
toddlyonsfishing.com
phhmrotgage.com
wcf888.xyz
paypal-caseid194.com
bobstranz.com
aerthlabel.com
echotrailliving.com
dysmict.com
ijoimr.com
excellentcreation.store
at-commercial-co.com
aeczpx99pxgd.biz
khuj1.com
reactivephysiorehab.com
trup.club
barber-king.online
shippingcontainerhomeus.com
sumanita.network
alyssaandrobert2022.com
greatamericanlandworks.com
fortlauderdalepartyboats.com
lqmrfw.com
industrionaires.com
potholepatrol.club
lagardeningsolutions.com
bigceme3.com
rebuildgomnmf.xyz
chimneysweepdetroit.com
tucochepordinero.com
companyintel.systems
xn--snabbtkrkortonline-j3b.com
fermentvmkwjm.online
cnywocean.com
tadrosmortgages.com
healthylifefit.com
smartcapitalpay.online
hiratasistemaseassociados.com
nowidza.com
oshirohego.com
Signatures

Xloader Payload (2 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/976-57-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
  behavioral1/memory/696-63-0x0000000000080000-0x00000000000A9000-memory.dmp  xloader

Deletes itself (1 IoC)
  pid   process
  560   cmd.exe

Loads dropped DLL (1 IoC)
  pid   process
  1796  Invoice_xls.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   process          target process
  PID 1796 set thread context of 976   1796  Invoice_xls.exe  Invoice_xls.exe
  PID 976 set thread context of 1448   976   Invoice_xls.exe  Explorer.EXE
  PID 696 set thread context of 1448   696   chkdsk.exe       Explorer.EXE
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (Generic signature text. XLoader is an information stealer, and this TTP on its own is not evidence of ransomware; read it together with the injection and self-deletion findings below.)
Enumerates system info in registry (2 TTPs, 1 IoC)
  description        ioc                                                       process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  chkdsk.exe

Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid   process          hits
  976   Invoice_xls.exe  2
  696   chkdsk.exe       29

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   process
  1448  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   process          hits
  976   Invoice_xls.exe  3
  696   chkdsk.exe       2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  976   Invoice_xls.exe
  Token: SeDebugPrivilege  696   chkdsk.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   process       hits
  1448  Explorer.EXE  2

Suspicious use of SendNotifyMessage (2 IoCs)
  pid   process       hits
  1448  Explorer.EXE  2

Suspicious use of WriteProcessMemory (15 IoCs)
  description                      pid   process          target process   hits
  PID 1796 wrote to memory of 976  1796  Invoice_xls.exe  Invoice_xls.exe  7
  PID 1448 wrote to memory of 696  1448  Explorer.EXE     chkdsk.exe       4
  PID 696 wrote to memory of 560   696   chkdsk.exe       cmd.exe          4
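The SetThreadContext and WriteProcessMemory tables above are enough to rebuild the injection chain by hand, but the same reasoning is easy to script and reuse on other reports. The following is an added example, not code from the original report or from the sandbox vendor: EVENTS and PARENT are transcribed from the two signature tables and the process tree, while the classification rules and the ATT&CK mapping are this example's own. Note the gap it makes visible: the report records no write or thread-context event that delivers the payload into chkdsk.exe (PID 696) beyond Explorer's spawn-time writes, even though the YARA hit on memory/696-63 proves it arrived; the MapViewOfSection hits on PID 976 are the likely vehicle, but the report lists them without a target, so the script cannot attribute that hop.

```python
"""Rebuild the injection chain from the flattened signature tables above.

Added example, not code from the original report or from the sandbox vendor.
EVENTS and PARENT are transcribed from the report's SetThreadContext /
WriteProcessMemory tables and process tree; the classification rules and
the ATT&CK mapping are this example's own.
"""
from collections import Counter, defaultdict

# (api, source pid, source image, target pid, target image), one tuple per IoC row
EVENTS = (
    [("SetThreadContext", 1796, "Invoice_xls.exe", 976, "Invoice_xls.exe"),
     ("SetThreadContext", 976, "Invoice_xls.exe", 1448, "Explorer.EXE"),
     ("SetThreadContext", 696, "chkdsk.exe", 1448, "Explorer.EXE")]
    + [("WriteProcessMemory", 1796, "Invoice_xls.exe", 976, "Invoice_xls.exe")] * 7
    + [("WriteProcessMemory", 1448, "Explorer.EXE", 696, "chkdsk.exe")] * 4
    + [("WriteProcessMemory", 696, "chkdsk.exe", 560, "cmd.exe")] * 4
)

# child pid -> parent pid, read off the Processes tree (Explorer.EXE is the root)
PARENT = {1796: 1448, 976: 1796, 696: 1448, 560: 696}

# This example's own mapping; the report's ATT&CK matrix tab is empty in this capture.
ATTACK = {
    "hollowing": "T1055.012 Process Injection: Process Hollowing",
    "remote_injection": "T1055 Process Injection (into an already-running process)",
    "spawn_write": "no technique: CreateProcess itself writes into the child it creates",
}


def classify(events, parent):
    """Split the IoC rows into hollowing, injection into a live process, and spawn noise."""
    ctx = {(s, t) for api, s, _, t, _ in events if api == "SetThreadContext"}
    writes = Counter((s, t) for api, s, _, t, _ in events if api == "WriteProcessMemory")
    image = {}
    for _, s, s_img, t, t_img in events:
        image[s], image[t] = s_img, t_img

    out = {"hollowing": [], "remote_injection": [], "spawn_write": []}
    for s, t in sorted(ctx):
        # Same binary, parent -> child, memory written and thread context replaced:
        # consistent with a child started suspended and its image swapped out.
        if parent.get(t) == s and image[s] == image[t] and writes[(s, t)]:
            out["hollowing"].append((s, t, image[t]))
        else:
            # Thread context changed in a process the source did not create.
            out["remote_injection"].append((s, t, image[t]))
    for (s, t), n in sorted(writes.items()):
        # Parent writing to its own child with no context change: spawn-time writes.
        if parent.get(t) == s and (s, t) not in ctx:
            out["spawn_write"].append((s, t, image[t], n))
    return out


def chain(events, start):
    """Order of PIDs reached from `start` by following every write/context edge once."""
    edges = defaultdict(set)
    for _, s, _, t, _ in events:
        edges[s].add(t)
    seen, order = set(), []

    def walk(pid):
        seen.add(pid)
        order.append(pid)
        for nxt in sorted(edges[pid]):
            if nxt not in seen:
                walk(nxt)

    walk(start)
    return order


if __name__ == "__main__":
    findings = classify(EVENTS, PARENT)
    for kind, rows in findings.items():
        print(f"{kind:18} {ATTACK[kind]}")
        for row in rows:
            print("   ", row)
    print("hop order:", " -> ".join(map(str, chain(EVENTS, 1796))))
```

Run as-is it reports one hollowing (1796 into its own child 976), two injections into the live Explorer.EXE (from 976 and from 696), and the hop order 1796 -> 976 -> 1448 -> 696 -> 560. The split matters for triage: a parent writing into a child it just spawned is what CreateProcess does and fires this signature on benign software too, so it is the SetThreadContext rows, not the raw WriteProcessMemory count, that carry the evidence here.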
Processes

C:\Windows\Explorer.EXE  (PID 1448; the sandbox shell and root of the tree)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Invoice_xls.exe  (PID 1796)
    command line: "C:\Users\Admin\AppData\Local\Temp\Invoice_xls.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Invoice_xls.exe  (PID 976)
      command line: "C:\Users\Admin\AppData\Local\Temp\Invoice_xls.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\chkdsk.exe  (PID 696)
    command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 560)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Invoice_xls.exe"
      - Deletes itself

PIDs are taken from the signature tables above. chkdsk.exe is a child of Explorer.EXE, not of the sample: it is launched after PID 976 has set Explorer's thread context, and it is this stage, not the original dropper, that spawns the cmd.exe which deletes Invoice_xls.exe from disk. The signatures on PID 1448 are raised by Explorer after it was injected and cannot be separated from its normal shell activity in this view.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\Users\Admin\AppData\Local\Temp\nso4730.tmp\rrlxaouw.dll
  MD5:    e52b051e982b688f4338b012105c35c2
  SHA1:   eb63d793fd56e83b7b59ddd6b3baa60d7690d451
  SHA256: c9d1cef3f23698f94b58de1123e6634dfc575b51d11a5a4eeb03eef31723101c
  SHA512: f5177cafb0f7757c5c4445028f80a568c35c170fb15943f7c2d7cb2c7265179a054f4eba629311dd0bfddf1e74abf498755b67aa7d4f21b6b75cd106a6fd0558
  (An nsXXXX.tmp directory under %TEMP% is where an NSIS installer unpacks its plugin DLLs, so the sample is an NSIS-wrapped loader; this is the only dropped DLL in the report and the likely subject of the "Loads dropped DLL" signature on PID 1796.)

Memory dumps (name encodes <pid>-<n>-0x<start>-0x<end>; size as listed by the report)
  memory/696-62-0x0000000000ED0000-0x0000000000ED7000-memory.dmp   28KB
  memory/696-63-0x0000000000080000-0x00000000000A9000-memory.dmp   164KB   (Xloader YARA hit)
  memory/696-64-0x00000000022E0000-0x00000000025E3000-memory.dmp   3.0MB
  memory/696-65-0x0000000000A40000-0x0000000000AD0000-memory.dmp   576KB
  memory/976-57-0x0000000000400000-0x0000000000429000-memory.dmp   164KB   (Xloader YARA hit)
  memory/976-60-0x00000000002C0000-0x0000000000429000-memory.dmp   1.4MB
  memory/976-59-0x0000000000770000-0x0000000000A73000-memory.dmp   3.0MB
  memory/1448-61-0x00000000071C0000-0x000000000731E000-memory.dmp  1.4MB
  memory/1448-66-0x0000000005000000-0x00000000050D9000-memory.dmp  868KB
  memory/1796-55-0x0000000075831000-0x0000000075833000-memory.dmp  8KB
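The dump names carry the virtual address range of each region, which is worth checking rather than reading off: the two regions the xloader YARA rule matched are both exactly 0x29000 bytes, the one in PID 976 sits at 0x400000 (the default image base of a 32-bit PE, i.e. the unpacked payload in the hollowed child) and the one in chkdsk.exe at 0x80000, and both processes also hold a 0x303000-byte region. The following is an added example, not code from the original report or from the sandbox vendor: the dump names and listed sizes are transcribed from the Downloads section, the name pattern is assumed from those entries, and the KB/MB rounding is this example's reconstruction of the report's display format.

```python
"""Parse the report's memory-dump names and cross-check them against the listed sizes.

Added example, not code from the original report or the sandbox vendor. The
name pattern "memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp" is assumed from
the Downloads entries; the KB/MB rounding reproduces the report's display.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# (dump name, size as listed in the report), transcribed from the Downloads section
DUMPS = [
    ("memory/696-62-0x0000000000ED0000-0x0000000000ED7000-memory.dmp", "28KB"),
    ("memory/696-63-0x0000000000080000-0x00000000000A9000-memory.dmp", "164KB"),
    ("memory/696-64-0x00000000022E0000-0x00000000025E3000-memory.dmp", "3.0MB"),
    ("memory/696-65-0x0000000000A40000-0x0000000000AD0000-memory.dmp", "576KB"),
    ("memory/976-57-0x0000000000400000-0x0000000000429000-memory.dmp", "164KB"),
    ("memory/976-60-0x00000000002C0000-0x0000000000429000-memory.dmp", "1.4MB"),
    ("memory/976-59-0x0000000000770000-0x0000000000A73000-memory.dmp", "3.0MB"),
    ("memory/1448-61-0x00000000071C0000-0x000000000731E000-memory.dmp", "1.4MB"),
    ("memory/1448-66-0x0000000005000000-0x00000000050D9000-memory.dmp", "868KB"),
    ("memory/1796-55-0x0000000075831000-0x0000000075833000-memory.dmp", "8KB"),
]

# Regions the report's "Xloader Payload" YARA rule matched (behavioral1/ prefix dropped)
YARA_HITS = [
    "memory/976-57-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/696-63-0x0000000000080000-0x00000000000A9000-memory.dmp",
]


def parse_dump(name):
    """Split a dump name into pid, index, start, end and byte size; reject malformed names."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range: {name}")
    return {"pid": int(m["pid"]), "idx": int(m["idx"]), "start": start, "end": end, "size": end - start}


def human(size):
    """Reproduce the report's display: one decimal in MB from 1 MiB up, whole KB below."""
    if size >= 1 << 20:
        return f"{size / (1 << 20):.1f}MB"
    return f"{size // 1024}KB"


def verify(dumps):
    """Return (name, computed, listed) for every entry whose listed size disagrees."""
    bad = []
    for name, listed in dumps:
        got = human(parse_dump(name)["size"])
        if got != listed:
            bad.append((name, got, listed))
    return bad


def shared_sizes(dumps):
    """Region sizes that occur in more than one PID, mapped to the sorted PIDs holding them."""
    by_size = defaultdict(set)
    for name, _ in dumps:
        d = parse_dump(name)
        by_size[d["size"]].add(d["pid"])
    return {s: sorted(p) for s, p in by_size.items() if len(p) > 1}


def yara_regions(hits):
    """(pid, base, size, at default x86 image base?) for each YARA-matched region."""
    out = []
    for name in hits:
        d = parse_dump(name)
        out.append((d["pid"], hex(d["start"]), d["size"], d["start"] == 0x400000))
    return out


if __name__ == "__main__":
    print("size mismatches:", verify(DUMPS))
    for size, pids in shared_sizes(DUMPS).items():
        print(f"region size {size:#x} ({human(size)}) present in PIDs {pids}")
    for pid, base, size, default_base in yara_regions(YARA_HITS):
        print(f"xloader hit: pid {pid} base {base} size {size:#x} default image base: {default_base}")
```

Every listed size checks out, and the shared-size query shows the same two region sizes (0x29000 and 0x303000) in both PID 976 and PID 696, which is what you would expect if the same unpacked payload and its working buffer were staged in the hollowed child and then again in chkdsk.exe. When pulling these dumps for static work, the 0x29000 region at 0x400000 in PID 976 is the one to load first, since it is already at its image base.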