Analysis
-
max time kernel
152s
-
max time network
147s
-
platform
windows7_x64
-
resource
win7-en-20211208
-
submitted
19-01-2022 12:53
Static task
static1
Behavioral task
behavioral1
Sample
PROFORMA INVOICE_PDF.exe
Resource
win7-en-20211208
General
-
Target
PROFORMA INVOICE_PDF.exe
-
Size
718KB
-
MD5
076375a538b587ac4d6297ffc2c8b58c
-
SHA1
e1b0d3265fa30eb2cf3d207cb550b884963ff475
-
SHA256
64c7583a94ab474b9cd3509e8ca73eb7a19e70ffc2c4fa4582ccd7fd3f10c5ec
-
SHA512
8dd8f67a728a13b6c3928dc845213dd0ba0ce31b97f8dedd2c262c72483fc8674a619aa969f4275184de1ad7e1b75aff0fd9bf54a2b622a56e2827ec8c6c912f
Malware Config
Extracted
xloader
2.5
nt3f
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1052-57-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral1/memory/1408-64-0x0000000000080000-0x00000000000A9000-memory.dmp | xloader
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
1212 | PROFORMA INVOICE_PDF.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 1212 set thread context of 1052 | 1212 | PROFORMA INVOICE_PDF.exe | PROFORMA INVOICE_PDF.exe
PID 1052 set thread context of 1380 | 1052 | PROFORMA INVOICE_PDF.exe | Explorer.EXE
PID 1408 set thread context of 1380 | 1408 | raserver.exe | Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
Processes:
pid | process
1052 | PROFORMA INVOICE_PDF.exe (2 entries)
1408 | raserver.exe (29 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
1380 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid | process
1052 | PROFORMA INVOICE_PDF.exe (3 entries)
1408 | raserver.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1052 | PROFORMA INVOICE_PDF.exe
Token: SeDebugPrivilege | 1408 | raserver.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
1380 | Explorer.EXE
1380 | Explorer.EXE
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid | process
1380 | Explorer.EXE
1380 | Explorer.EXE
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
description | pid | process | target process
PID 1212 wrote to memory of 1052 | 1212 | PROFORMA INVOICE_PDF.exe | PROFORMA INVOICE_PDF.exe (7 entries)
PID 1380 wrote to memory of 1408 | 1380 | Explorer.EXE | raserver.exe (4 entries)
Processes
-
C:\Windows\Explorer.EXE (depth 1)
command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
    C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE_PDF.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE_PDF.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    -
        C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE_PDF.exe (depth 3)
        command line: "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE_PDF.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\SysWOW64\autochk.exe (depth 2)
    command line: "C:\Windows\SysWOW64\autochk.exe"
    -
    C:\Windows\SysWOW64\raserver.exe (depth 2)
    command line: "C:\Windows\SysWOW64\raserver.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
Downloads
-
\Users\Admin\AppData\Local\Temp\nsyA30.tmp\idsllcv.dll
MD5
75a6e047d5d32cd1cc52dccb3c200d87
SHA1
f0fc2e45c5c324c27e9bb9c2a6ee3580e0dbac1c
SHA256
674500cab69b44aaf389ff8022d77cb6b1f3166225bb58cba2c964b843bc442e
SHA512
4a079e2e4444bdd4bc03defdd51040e15fb21a09a2d59344d1fb50a7629e722e6de558cf683dc20a94f1618d1923343f0fe83fd87c1928779d605848684a23f1
-
memory/1052-57-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize
164KB
-
memory/1052-58-0x00000000008E0000-0x0000000000BE3000-memory.dmp
Filesize
3.0MB
-
memory/1052-60-0x0000000000340000-0x0000000000351000-memory.dmp
Filesize
68KB
-
memory/1212-55-0x0000000075D61000-0x0000000075D63000-memory.dmp
Filesize
8KB
-
memory/1380-61-0x0000000006BA0000-0x0000000006C9F000-memory.dmp
Filesize
1020KB
-
memory/1380-67-0x0000000006D70000-0x0000000006E9C000-memory.dmp
Filesize
1.2MB
-
memory/1408-63-0x0000000000530000-0x000000000054C000-memory.dmp
Filesize
112KB
-
memory/1408-64-0x0000000000080000-0x00000000000A9000-memory.dmp
Filesize
164KB
-
memory/1408-65-0x0000000001F90000-0x0000000002293000-memory.dmp
Filesize
3.0MB
-
memory/1408-66-0x0000000000630000-0x0000000001F81000-memory.dmp
Filesize
25.3MB