Analysis
-
max time kernel
17s -
max time network
25s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
19-01-2022 12:53
Static task
static1
Behavioral task
behavioral1
Sample
PROFORMA INVOICE_PDF.exe
Resource
win7-en-20211208
General
-
Target
PROFORMA INVOICE_PDF.exe
-
Size
718KB
-
MD5
076375a538b587ac4d6297ffc2c8b58c
-
SHA1
e1b0d3265fa30eb2cf3d207cb550b884963ff475
-
SHA256
64c7583a94ab474b9cd3509e8ca73eb7a19e70ffc2c4fa4582ccd7fd3f10c5ec
-
SHA512
8dd8f67a728a13b6c3928dc845213dd0ba0ce31b97f8dedd2c262c72483fc8674a619aa969f4275184de1ad7e1b75aff0fd9bf54a2b622a56e2827ec8c6c912f
Malware Config
Extracted
xloader
2.5
nt3f
tricyclee.com
kxsw999.com
wisteria-pavilion.com
bellaclancy.com
promissioskincare.com
hzy001.xyz
checkouthomehd.com
soladere.com
point4sales.com
socalmafia.com
libertadysarmiento.online
nftthirty.com
digitalgoldcryptostock.net
tulekiloscaird.com
austinfishandchicken.com
wlxxch.com
mgav51.xyz
landbanking.global
saprove.com
babyfaces.skin
elainemaxwellcoaching.com
1388xc.com
juveniscloud.com
bsauksjon.com
the-waterkooler.com
comment-changer-sa-vie.com
psmcnd.top
rhodesleadingedge.com
mccuelawfirm.com
skinnscience.club
hype-clicks.com
liaojinc.xyz
okmakers.com
ramblertour.online
wickedhunterworld.com
fit-threads.com
cookidoo.website
magentabin.com
pynch1.com
best-paper-to-know-today.info
allmight.net
monicraftsprintables.com
avataroasis.com
10dian-4.com
cozastore.net
capitalcased.com
spacezanome.xyz
feiyangmi.com
11opus.com
getinteriorsolution.com
tidyhutstore.com
amazingpomskyfamily.com
tfcvintage.com
halfanape.com
rotakb.com
martinasfood.com
the-thanks.com
mithilmehta.com
em-photo.art
primerepro.com
lankasirinspa.com
gtbaibang.com
zealandiatobacco.com
deepikatransportpackers.com
eagle-meter.com
Signatures
-
Xloader Payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1060-131-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
816 | PROFORMA INVOICE_PDF.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 816 set thread context of 1060 | 816 | PROFORMA INVOICE_PDF.exe | PROFORMA INVOICE_PDF.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description | pid | process | target process
PID 816 wrote to memory of 1060 | 816 | PROFORMA INVOICE_PDF.exe | PROFORMA INVOICE_PDF.exe
PID 816 wrote to memory of 1060 | 816 | PROFORMA INVOICE_PDF.exe | PROFORMA INVOICE_PDF.exe
PID 816 wrote to memory of 1060 | 816 | PROFORMA INVOICE_PDF.exe | PROFORMA INVOICE_PDF.exe
PID 816 wrote to memory of 1060 | 816 | PROFORMA INVOICE_PDF.exe | PROFORMA INVOICE_PDF.exe
PID 816 wrote to memory of 1060 | 816 | PROFORMA INVOICE_PDF.exe | PROFORMA INVOICE_PDF.exe
PID 816 wrote to memory of 1060 | 816 | PROFORMA INVOICE_PDF.exe | PROFORMA INVOICE_PDF.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE_PDF.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE_PDF.exe"
2⤵
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\nsa8B96.tmp\idsllcv.dll
MD5
75a6e047d5d32cd1cc52dccb3c200d87
SHA1
f0fc2e45c5c324c27e9bb9c2a6ee3580e0dbac1c
SHA256
674500cab69b44aaf389ff8022d77cb6b1f3166225bb58cba2c964b843bc442e
SHA512
4a079e2e4444bdd4bc03defdd51040e15fb21a09a2d59344d1fb50a7629e722e6de558cf683dc20a94f1618d1923343f0fe83fd87c1928779d605848684a23f1
-
memory/1060-131-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize
164KB