Analysis
  max time kernel:   151s
  max time network:  147s
  platform:          windows7_x64
  resource:          win7-en-20211208
  submitted:         25-01-2022 19:48
Tasks
  static1      static task
  behavioral1  SN011 Price Letter79753.exe  on win7-en-20211208
  behavioral2  SN011 Price Letter79753.exe  on win10-en-20211208
General
  Target:  SN011 Price Letter79753.exe
  Size:    1.2MB
  MD5:     ea148cf5de55a7490bd96798a77bb57f
  SHA1:    eb2a3c7bc48156d9f8970a01ba69793609d8777f
  SHA256:  3e26cc02d70717e07a5fad9257773db1077896d5598cc2298849ca257157c04b
  SHA512:  fa8c27b5a02769f3990a801f132cbadd8f40a7616dd6aad2c0713495ca3d4cc8979628c4dbbe53dbf13a979ae68bda9fd31b6889bcdf45364d4bbb0a016bf0eb
Malware Config (extracted)
  Family:    xloader
  Version:   2.5
  Campaign:  c6si
  Domains (XLoader configs carry a single live C2 among a long list of decoy domains; the extractor output below does not mark which one is live, so treat the list as candidates, not as 64 confirmed C2s):
tristateinc.construction
americanscaregroundstexas.com
kanimisoshiru.com
wihling.com
fishcheekstosa.com
parentsfuid.com
greenstandmarket.com
fc8fla8kzq.com
gametwist-83.club
jobsncvs.com
directrealtysells.com
avida2015.com
conceptasite.net
arkaneattire.com
indev-mobility.info
2160centurypark412.com
valefloor.com
septembership.com
stackflix.com
jimc0sales.net
socialviralup.com
lastra41.com
juliaepaulovaocasar.com
jurisagora.com
drawandgrow.online
rebekahlouise.com
herport-fr.com
iphone13.webcam
appz-one.net
inpost-pl.net
promocion360fitness.com
global-forbes.biz
diamondtrade.net
albertcantos.com
gtgits.com
travel-ai.online
busipe6.com
mualikesubvn.com
niftyhandy.com
docprops.com
lido88.bet
baywoodphotography.com
cargosouq.info
newsnowlive.online
floridafishingoverboard.com
missnikissalsa.net
walletvalidate.space
kissimmeeinternationalcup.com
charterhome.school
gurujupiter.com
entertainmentwitchy.com
jokeaou.com
sugarmountainfirearms.com
iss-sa.com
smittyssierra.com
freedomoff.com
giftoin.com
realitystararmwrestling.com
salsalunch-equallyage.com
ladouba.com
thepropertygoat.com
bestofmerrick.guide
4the.top
regioinversiones.com
129qihu.com
Signatures

Xloader Payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/528-60-0x0000000000400000-0x0000000000429000-memory.dmp    xloader
  behavioral1/memory/540-67-0x0000000000080000-0x00000000000A9000-memory.dmp    xloader

Suspicious use of SetThreadContext (3 IoCs)
  PID 780   SN011 Price Letter79753.exe  set thread context of  528   aspnet_regbrowsers.exe
  PID 528   aspnet_regbrowsers.exe       set thread context of  1400  Explorer.EXE
  PID 540   mstsc.exe                    set thread context of  1400  Explorer.EXE

Suspicious behavior: EnumeratesProcesses (27 IoCs)
  PID 528   aspnet_regbrowsers.exe  (2 events)
  PID 540   mstsc.exe               (25 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1400  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  PID 528   aspnet_regbrowsers.exe  (3 events)
  PID 540   mstsc.exe               (2 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  PID 780   SN011 Price Letter79753.exe
  Token: SeDebugPrivilege  PID 528   aspnet_regbrowsers.exe
  Token: SeDebugPrivilege  PID 540   mstsc.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 1400  Explorer.EXE  (2 events)

Suspicious use of SendNotifyMessage (2 IoCs)
  PID 1400  Explorer.EXE  (2 events)

Suspicious use of WriteProcessMemory (15 IoCs)
  PID 780   SN011 Price Letter79753.exe  wrote to memory of  528   aspnet_regbrowsers.exe  (7 events)
  PID 1400  Explorer.EXE                 wrote to memory of  540   mstsc.exe               (4 events)
  PID 540   mstsc.exe                    wrote to memory of  676   cmd.exe                 (4 events)

Read together, these rows describe one chain: the sample (780) writes into aspnet_regbrowsers.exe (528) and then sets its thread context, which is the write-image-then-redirect pair of process hollowing; 528 and later mstsc.exe (540) each set the thread context of Explorer.EXE (1400); and it is Explorer, not the sample, that writes into the freshly started mstsc.exe. The result is a process tree in which mstsc.exe appears as a child of the shell rather than of the sample, and the Xloader YARA rule fires on a 164KB region in both 528 and 540. All three payload-bearing processes enable SeDebugPrivilege. These rows come from the Windows 7 task (behavioral1) only.
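The chain described above can be recovered mechanically from the SetThreadContext and WriteProcessMemory rows. The following is an added example, not part of the sandbox report or its tooling: the two event lists are constructed from the rows in this report, and the function names, the choice of Explorer.EXE as "the shell", and the rule that a write plus a thread-context change on the same target counts as hollowing are this example's own assumptions.

```python
"""Rebuild an XLoader-style injection chain from sandbox process events.

Added example, not part of the sandbox report. The event lists below are
constructed from the SetThreadContext / WriteProcessMemory rows of this
report; the helper names and rules are this example's assumptions.
"""
from collections import Counter, defaultdict

SHELL = "explorer.exe"   # assumption: the shell process is the hand-off target

# (source pid, source image, target pid, target image), constructed from the report
SET_THREAD_CONTEXT = [
    (780, "SN011 Price Letter79753.exe", 528, "aspnet_regbrowsers.exe"),
    (528, "aspnet_regbrowsers.exe", 1400, "Explorer.EXE"),
    (540, "mstsc.exe", 1400, "Explorer.EXE"),
]
WRITE_PROCESS_MEMORY = (
    [(780, "SN011 Price Letter79753.exe", 528, "aspnet_regbrowsers.exe")] * 7
    + [(1400, "Explorer.EXE", 540, "mstsc.exe")] * 4
    + [(540, "mstsc.exe", 676, "cmd.exe")] * 4
)


def hollowed_children(stc, wpm):
    """Targets that the same source both wrote into and then redirected
    with SetThreadContext. A lone write into a new child is normal
    (CreateProcess fills in the PEB and environment); the pairing with a
    thread-context change is what marks hollowing, so only pairs count."""
    writes = Counter((src, dst) for src, _, dst, _ in wpm)
    found = []
    for src, src_img, dst, dst_img in stc:
        if dst_img.lower() != SHELL and writes[(src, dst)]:
            found.append({"injector": (src, src_img),
                          "hollowed": (dst, dst_img),
                          "writes": writes[(src, dst)]})
    return found


def shell_injection_chain(stc, wpm):
    """Hand-off through the shell: something sets the shell's thread
    context, the shell writes into a freshly started signed binary, and
    that binary in turn sets the shell's thread context. Explorer writing
    into a child it launched is ordinary on its own; the loop back into
    Explorer is the signal."""
    shell_pids = {dst for _, _, dst, dst_img in stc if dst_img.lower() == SHELL}
    into_shell = [(src, src_img) for src, src_img, dst, _ in stc if dst in shell_pids]
    written_by_shell = defaultdict(set)
    for src, _, dst, dst_img in wpm:
        if src in shell_pids:
            written_by_shell[src].add((dst, dst_img))
    proxies = [{"shell": spid, "proxy": child}
               for spid in sorted(shell_pids)
               for child in sorted(written_by_shell[spid])
               if child in into_shell]
    return {"injectors_into_shell": into_shell, "proxy_hand_off": proxies}


def children_of_proxy(chain, wpm):
    """Processes the proxy wrote into after the hand-off, such as the
    cmd.exe /c del cleanup helper seen in this report."""
    proxy_pids = {p["proxy"][0] for p in chain["proxy_hand_off"]}
    return sorted({(dst, dst_img) for src, _, dst, dst_img in wpm if src in proxy_pids})


def describe(stc=SET_THREAD_CONTEXT, wpm=WRITE_PROCESS_MEMORY):
    """One line per stage, in the order the stages occur."""
    lines = []
    for h in hollowed_children(stc, wpm):
        lines.append(f"{h['injector'][0]} {h['injector'][1]} hollowed "
                     f"{h['hollowed'][0]} {h['hollowed'][1]} ({h['writes']} writes)")
    chain = shell_injection_chain(stc, wpm)
    for src, src_img in chain["injectors_into_shell"]:
        lines.append(f"{src} {src_img} set thread context of the shell")
    for p in chain["proxy_hand_off"]:
        lines.append(f"shell {p['shell']} handed execution to {p['proxy'][0]} {p['proxy'][1]}")
    for dst, dst_img in children_of_proxy(chain, wpm):
        lines.append(f"proxy wrote into {dst} {dst_img}")
    return lines


if __name__ == "__main__":
    print("\n".join(describe()))
```

On this report the output is five lines: the hollowing of 528 by 780 with seven writes, the two thread-context changes on the shell by 528 and 540, the hand-off from 1400 to mstsc.exe, and the proxy's write into cmd.exe. On a benign trace nothing targets the shell, so both the hollowing list and the hand-off list come back empty.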
Processes (PIDs taken from the Signatures section)

  C:\Windows\Explorer.EXE  (PID 1400)
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\SN011 Price Letter79753.exe  (PID 780)
      command line: "C:\Users\Admin\AppData\Local\Temp\SN011 Price Letter79753.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe  (PID 528)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\mstsc.exe  (PID 540)
      command line: "C:\Windows\SysWOW64\mstsc.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe  (PID 676)
        command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"

Note that mstsc.exe is a child of Explorer.EXE, not of the sample, and that the cmd.exe started from it deletes the hollowed host binary's path; the report does not record whether that deletion succeeded.
Downloads (memory dumps, ordered by dump sequence number; size is end minus start)

  dump                                                             PID   size    note
  memory/780-54-0x0000000000F00000-0x000000000102E000-memory.dmp   780   1.2MB
  memory/780-55-0x0000000000C90000-0x0000000000C91000-memory.dmp   780   4KB
  memory/780-56-0x00000000005D0000-0x00000000005E4000-memory.dmp   780   80KB
  memory/528-58-0x0000000000400000-0x0000000000429000-memory.dmp   528   164KB
  memory/528-59-0x0000000000400000-0x0000000000429000-memory.dmp   528   164KB
  memory/528-60-0x0000000000400000-0x0000000000429000-memory.dmp   528   164KB   Xloader YARA match
  memory/528-62-0x0000000000880000-0x0000000000B83000-memory.dmp   528   3.0MB
  memory/528-63-0x0000000000220000-0x0000000000231000-memory.dmp   528   68KB
  memory/1400-64-0x0000000004D30000-0x0000000004E17000-memory.dmp  1400  924KB
  memory/540-65-0x0000000076B81000-0x0000000076B83000-memory.dmp   540   8KB
  memory/540-66-0x0000000000680000-0x0000000000784000-memory.dmp   540   1.0MB
  memory/540-67-0x0000000000080000-0x00000000000A9000-memory.dmp   540   164KB   Xloader YARA match
  memory/540-68-0x0000000002040000-0x0000000002343000-memory.dmp   540   3.0MB
  memory/540-69-0x00000000005E0000-0x0000000000670000-memory.dmp   540   576KB
  memory/1400-70-0x00000000071E0000-0x0000000007326000-memory.dmp  1400  1.3MB
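The dump file names encode PID, sequence number and the dumped address range, so the sizes above can be recomputed and the regions compared across processes. The following is an added example, not part of the sandbox report or its tooling: the dump names are copied from this page, the two YARA-matched names are those listed under the Xloader Payload signature, and the helper names and the size rounding (whole KB below 1 MiB, one decimal MB above) are this example's assumptions. It shows that the two YARA hits are regions of exactly the same size in 528 and 540, and that a second 3.0MB region of identical size also appears in both, which is consistent with the same unpacked payload and working set being mapped at different bases in both hollowed hosts.

```python
"""Parse sandbox memory-dump names and compare regions across PIDs.

Added example, not part of the sandbox report. Dump names are copied from
this page; the helper names and the size rounding are assumptions.
"""
import re
from collections import defaultdict

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed from the Downloads list of this report
DUMPS = [
    "memory/528-62-0x0000000000880000-0x0000000000B83000-memory.dmp",
    "memory/528-60-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/528-63-0x0000000000220000-0x0000000000231000-memory.dmp",
    "memory/528-59-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/528-58-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/540-66-0x0000000000680000-0x0000000000784000-memory.dmp",
    "memory/540-65-0x0000000076B81000-0x0000000076B83000-memory.dmp",
    "memory/540-67-0x0000000000080000-0x00000000000A9000-memory.dmp",
    "memory/540-68-0x0000000002040000-0x0000000002343000-memory.dmp",
    "memory/540-69-0x00000000005E0000-0x0000000000670000-memory.dmp",
    "memory/780-55-0x0000000000C90000-0x0000000000C91000-memory.dmp",
    "memory/780-54-0x0000000000F00000-0x000000000102E000-memory.dmp",
    "memory/780-56-0x00000000005D0000-0x00000000005E4000-memory.dmp",
    "memory/1400-64-0x0000000004D30000-0x0000000004E17000-memory.dmp",
    "memory/1400-70-0x00000000071E0000-0x0000000007326000-memory.dmp",
]
# The two dumps the report's Xloader YARA rule matched
YARA_HITS = {
    "memory/528-60-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/540-67-0x0000000000080000-0x00000000000A9000-memory.dmp",
}


def parse_dump(name):
    """Split a dump name into pid, sequence number and address range."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name}")
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region: {name}")
    return {"name": name, "pid": pid, "seq": seq,
            "start": start, "end": end, "size": end - start}


def human(nbytes):
    """Size formatting assumed to match the report: KB below 1 MiB, else x.yMB."""
    if nbytes < 1 << 20:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1 << 20):.1f}MB"


def timeline(names):
    """(seq, pid, size) in dump order; dumps are numbered as they are taken,
    so this follows the sample -> hollowed host -> shell -> proxy sequence."""
    dumps = sorted((parse_dump(n) for n in names), key=lambda d: d["seq"])
    return [(d["seq"], d["pid"], human(d["size"])) for d in dumps]


def sizes_shared_across_pids(names):
    """Region sizes that occur in more than one process: the same payload
    mapped into two hosts has the same size even when the base differs."""
    by_size = defaultdict(set)
    for d in (parse_dump(n) for n in names):
        by_size[d["size"]].add(d["pid"])
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


def yara_hit_sizes(names, hits):
    """Distinct sizes of the YARA-matched regions."""
    return {parse_dump(n)["size"] for n in names if n in hits}


if __name__ == "__main__":
    for seq, pid, size in timeline(DUMPS):
        print(f"{seq:>3}  pid {pid:<5} {size}")
    for size, pids in sorted(sizes_shared_across_pids(DUMPS).items()):
        print(f"size 0x{size:x} ({human(size)}) appears in pids {pids}")
```

The unparsed name and inverted-range checks matter when this is pointed at a directory of dumps rather than a hand-copied list: a partial download or a renamed file should fail loudly instead of producing a zero-size region that silently groups with nothing.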