Analysis
-
max time kernel
3s -
max time network
9s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
19-01-2022 06:25
Static task
static1
Behavioral task
behavioral1
Sample
Invoice_xls.exe
Resource
win7-en-20211208
General
-
Target
Invoice_xls.exe
-
Size
311KB
-
MD5
11dd29bb7f2c5cb432b766b5b8dd828d
-
SHA1
d9fc2d3ef2af139ad15773b448ce1250c7262651
-
SHA256
2f2ba4f8549cb5de1822f0382532abdcdbd6fc2ad1f2d5120bb4c9f145e84f08
-
SHA512
9f33dd9911a99757f6b475a1a6725c980d27d18a2ee30bf51ebe6b0f33a4211e294bfae196ec94c44475b92ec08cef94bc0a53ea0c4180f8d49eb336c12f9253
Malware Config
Extracted
xloader
2.5
3a4h
Signatures
-
Xloader Payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2968-131-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
-
Loads dropped DLL 1 IoCs
Processes:
Invoice_xls.exe
pid | process
3388 | Invoice_xls.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
Invoice_xls.exe
description | pid | process | target process
PID 3388 set thread context of 2968 | 3388 | Invoice_xls.exe | Invoice_xls.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
Invoice_xls.exe
description | pid | process | target process
PID 3388 wrote to memory of 2968 | 3388 | Invoice_xls.exe | Invoice_xls.exe
PID 3388 wrote to memory of 2968 | 3388 | Invoice_xls.exe | Invoice_xls.exe
PID 3388 wrote to memory of 2968 | 3388 | Invoice_xls.exe | Invoice_xls.exe
PID 3388 wrote to memory of 2968 | 3388 | Invoice_xls.exe | Invoice_xls.exe
PID 3388 wrote to memory of 2968 | 3388 | Invoice_xls.exe | Invoice_xls.exe
PID 3388 wrote to memory of 2968 | 3388 | Invoice_xls.exe | Invoice_xls.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Invoice_xls.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice_xls.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Invoice_xls.exe (child process)
Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice_xls.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\nsx2039.tmp\rrlxaouw.dll
MD5
e52b051e982b688f4338b012105c35c2
SHA1
eb63d793fd56e83b7b59ddd6b3baa60d7690d451
SHA256
c9d1cef3f23698f94b58de1123e6634dfc575b51d11a5a4eeb03eef31723101c
SHA512
f5177cafb0f7757c5c4445028f80a568c35c170fb15943f7c2d7cb2c7265179a054f4eba629311dd0bfddf1e74abf498755b67aa7d4f21b6b75cd106a6fd0558
-
memory/2968-131-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize
164KB