Analysis
- max time kernel: 154s
- max time network: 160s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 27-01-2022 12:55
Static task: static1
Behavioral task: behavioral1
- Sample: payment advice_008900112.exe
- Resource: win7-en-20211208
General
- Target: payment advice_008900112.exe
- Size: 246KB
- MD5: 0783312f7caf72f1ac2a9951145bdda4
- SHA1: c3da5594f78880bd4fc1d496efca357e6c19f65a
- SHA256: e745235386d1908e2bf40be43cf982932ce8b1604fe59ed2195aee341becb7c3
- SHA512: 1270782a3aa83186265d8253781d0af5aa5769ccff033672c4f42d27f1be73e7cd2dbe9adbd448a3c09841285c54523fd682721724564794ce152ffbde38d0e1
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign ID: cxep
- Domains from the embedded config (XLoader, like FormBook before it, ships a long domain list in which only a small part is live C2 and the rest are decoys, so treat these as hunting leads rather than a drop-in blocklist):
estateglobal.info
loransstore.com
loginofy.com
fjallravenz.online
cefseguranca-app.com
safontadiestramiento.com
bubbleteapro.com
morethanmummies.com
serviciopersonalizadoweb.com
headerbidder.info
skworkforce.com
heightsorthodontics.com
chulavistapd.com
southjerseyautobody.net
chargedbygratitude.com
meltingpotspot.com
gdjiachen.com
luckdrawprogram.com
vintagepaseo.com
bequestslojyh.xyz
layeredrofbes.xyz
com-weekly.email
suddisaddu.com
jnlord.com
outerverse.ventures
terraroyale.com
hairclub.info
rent2owninusa.com
pmaonline.xyz
wearecampo.com
multiplezonesplit.com
angry-mandala.com
ikigaiofficial.store
princewoodwork.store
moviesaver24.com
btec-solutions.com
valurgrayenterprises.com
homesofsilverspur.com
leysy-y-nazareno.com
grade8.tech
ammarus.com
researchjournal.net
nicolaslacasse.com
khukhuantainha.com
resultlv.com
toraportal.com
wickedhunterworld.com
clickspromolp.com
b148tlrnd09ustnnaku2721.com
high-low-ga.info
norcalfirewoodllc.com
fatima2021.com
aaronsmathquest.com
decal-mania.com
spitfiredefenceindustries.com
mireyita.com
simonhaidomous.com
roofingcontractorhickory.com
mgav69.xyz
spacebymeghan.com
hot144.com
mmfirewood.net
akshayaasri.com
bilgisayarimnekadar.com
littlesportsacademy.com
Signatures
-
Xloader Payload (4 IoCs)
YARA rule xloader matched in memory. The same 164KB payload region is present in the hollowed child of the sample (PID 920) and in mstsc.exe (PID 1388):
- behavioral2/memory/920-116-0x0000000000400000-0x0000000000429000-memory.dmp
- behavioral2/memory/920-120-0x0000000000500000-0x0000000000E40000-memory.dmp
- behavioral2/memory/1388-122-0x00000000035F0000-0x0000000003619000-memory.dmp
- behavioral2/memory/1388-124-0x00000000052B0000-0x0000000005444000-memory.dmp
-
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Process: mstsc.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZJZP4PXHQZ = "C:\\Program Files (x86)\\Gb0hxyhm\\llbxnvtvro.exe"
Note that the value lands under the HKLM Policies branch, not the ordinary CurrentVersion\Run key, so a triage that only queries the usual Run/RunOnce keys misses it; the write to HKLM also implies the sample ran with administrative rights in the sandbox.
-
Executes dropped EXE (2 IoCs)
- PID 676 llbxnvtvro.exe
- PID 840 llbxnvtvro.exe
-
Loads dropped DLL (2 IoCs)
- PID 432 payment advice_008900112.exe
- PID 676 llbxnvtvro.exe
(The dropped DLL is the NSIS plugin wzqevt.dll listed under Downloads, extracted once per run of the installer.)
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
-
Suspicious use of SetThreadContext (4 IoCs)
- PID 432 (payment advice_008900112.exe) set thread context of PID 920 (payment advice_008900112.exe)
- PID 920 (payment advice_008900112.exe) set thread context of PID 2072 (Explorer.EXE)
- PID 1388 (mstsc.exe) set thread context of PID 2072 (Explorer.EXE)
- PID 676 (llbxnvtvro.exe) set thread context of PID 840 (llbxnvtvro.exe)
-
Drops file in Program Files directory (4 IoCs)
- File opened for modification: C:\Program Files (x86)\Gb0hxyhm\llbxnvtvro.exe (mstsc.exe)
- File opened for modification: C:\Program Files (x86)\Gb0hxyhm (Explorer.EXE)
- File created: C:\Program Files (x86)\Gb0hxyhm\llbxnvtvro.exe (Explorer.EXE)
- File opened for modification: C:\Program Files (x86)\Gb0hxyhm\llbxnvtvro.exe (Explorer.EXE)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (Generic signature text; nothing else in this report indicates file encryption.)
-
NSIS installer (6 IoCs)
YARA rules nsis_installer_1 and nsis_installer_2 each matched three times on C:\Program Files (x86)\Gb0hxyhm\llbxnvtvro.exe. That file carries the same hashes as the submitted sample (see Downloads), so the persistence copy is the original NSIS dropper, not an unpacked payload.
-
Modifies Internet Explorer settings
Process: mstsc.exe
- Key created: \Registry\User\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
IntelliForms\Storage2 is where Internet Explorer keeps AutoComplete form and password data; opening it from the injected mstsc.exe is credential harvesting, consistent with the browser-data signature above.
-
Suspicious behavior: EnumeratesProcesses (54 IoCs)
- PID 920 payment advice_008900112.exe (4)
- PID 1388 mstsc.exe (48)
- PID 840 llbxnvtvro.exe (2)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 2072 Explorer.EXE
-
Suspicious behavior: MapViewOfSection (7 IoCs)
- PID 920 payment advice_008900112.exe (3)
- PID 1388 mstsc.exe (4)
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, PID 920 payment advice_008900112.exe
- Token: SeDebugPrivilege, PID 1388 mstsc.exe
- Token: SeDebugPrivilege, PID 840 llbxnvtvro.exe
-
Suspicious use of WriteProcessMemory (27 IoCs, one record per call; counts in parentheses)
- PID 432 (payment advice_008900112.exe) wrote to memory of PID 920 (payment advice_008900112.exe) (6)
- PID 2072 (Explorer.EXE) wrote to memory of PID 1388 (mstsc.exe) (3)
- PID 1388 (mstsc.exe) wrote to memory of PID 3060 (cmd.exe) (3)
- PID 1388 (mstsc.exe) wrote to memory of PID 404 (cmd.exe) (3)
- PID 1388 (mstsc.exe) wrote to memory of PID 2712 (Firefox.exe) (3)
- PID 2072 (Explorer.EXE) wrote to memory of PID 676 (llbxnvtvro.exe) (3)
- PID 676 (llbxnvtvro.exe) wrote to memory of PID 840 (llbxnvtvro.exe) (6)
Processes
Explorer.EXE (PID 2072) is shown at depth 1 with everything else beneath it, the sample included. The second-level mstsc.exe and llbxnvtvro.exe were started by the code injected into Explorer (see the WriteProcessMemory records above), which is why a plain parent/child view makes them look like shell-launched programs.
-
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Drops file in Program Files directory
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\payment advice_008900112.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\payment advice_008900112.exe"
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\payment advice_008900112.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\payment advice_008900112.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\mstsc.exe
      Command line: "C:\Windows\SysWOW64\mstsc.exe"
      - Adds policy Run key to start application
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /c del "C:\Users\Admin\AppData\Local\Temp\payment advice_008900112.exe"
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
      3. C:\Program Files\Mozilla Firefox\Firefox.exe
         Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
   2. C:\Program Files (x86)\Gb0hxyhm\llbxnvtvro.exe
      Command line: "C:\Program Files (x86)\Gb0hxyhm\llbxnvtvro.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Gb0hxyhm\llbxnvtvro.exe
         Command line: "C:\Program Files (x86)\Gb0hxyhm\llbxnvtvro.exe"
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
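The SetThreadContext and WriteProcessMemory records are the most reusable detection material in this report: they show the dropper hollowing a copy of itself, hijacking a thread in Explorer.EXE, and Explorer then writing into mstsc.exe and the dropped llbxnvtvro.exe. The Python below is an added example, not sandbox output or any tool's code. It parses records written in the report's own wording, labels each injection, walks the chain from the sample's PID so that processes apparently parented by Explorer are attributed back to the dropper, and triages the cmd.exe command lines and the Run-key record. The record grammar, the labels and the regex patterns are this example's assumptions; the records and command lines themselves are copied from the report above.

```python
import re
from collections import deque

# Constructed input: sandbox records copied from the report above, one per line.
# The "PID <src> <verb> <dst> <src> <srcname> <dstname>" layout is assumed here.
SET_THREAD_CONTEXT_RECORDS = """\
PID 432 set thread context of 920 432 payment advice_008900112.exe payment advice_008900112.exe
PID 920 set thread context of 2072 920 payment advice_008900112.exe Explorer.EXE
PID 1388 set thread context of 2072 1388 mstsc.exe Explorer.EXE
PID 676 set thread context of 840 676 llbxnvtvro.exe llbxnvtvro.exe
"""

WRITE_PROCESS_MEMORY_RECORDS = """\
PID 432 wrote to memory of 920 432 payment advice_008900112.exe payment advice_008900112.exe
PID 432 wrote to memory of 920 432 payment advice_008900112.exe payment advice_008900112.exe
PID 2072 wrote to memory of 1388 2072 Explorer.EXE mstsc.exe
PID 1388 wrote to memory of 3060 1388 mstsc.exe cmd.exe
PID 1388 wrote to memory of 404 1388 mstsc.exe cmd.exe
PID 1388 wrote to memory of 2712 1388 mstsc.exe Firefox.exe
PID 2072 wrote to memory of 676 2072 Explorer.EXE llbxnvtvro.exe
PID 676 wrote to memory of 840 676 llbxnvtvro.exe llbxnvtvro.exe
"""

# Constructed: the child command lines and the Run-key record from the report.
TRIAGE_LINES = [
    r'C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\payment advice_008900112.exe"',
    r'C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V',
    r'C:\Program Files\Mozilla Firefox\Firefox.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZJZP4PXHQZ = "C:\\Program Files (x86)\\Gb0hxyhm\\llbxnvtvro.exe"',
]

# Image names may contain spaces, so they are split on the ".exe" suffix rather
# than on whitespace; the backreference checks the repeated source PID.
RECORD_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) (?P<dst>\d+) "
    r"(?P=src) (?P<src_name>.+?\.exe) (?P<dst_name>.+?\.exe)$",
    re.IGNORECASE,
)

TRIAGE_PATTERNS = [
    ("browser credential store copied", re.compile(r"\bcopy\b.*\\Login Data\b", re.IGNORECASE)),
    ("executable deleted from %TEMP%", re.compile(r"\bdel\b.*\\Temp\\.*\.exe", re.IGNORECASE)),
    ("autorun via Policies\\Explorer\\Run", re.compile(r'\\Policies\\Explorer\\Run\\\S+ = "', re.IGNORECASE)),
]


def parse_records(text):
    """Return deduplicated (src_pid, src_name, verb, dst_pid, dst_name) edges.

    The sandbox emits one record per API call, so an edge repeats; the first
    occurrence is kept and order is preserved."""
    edges, seen = [], set()
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        edge = (int(m["src"]), m["src_name"], m["verb"].lower(), int(m["dst"]), m["dst_name"])
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def classify_injections(edges):
    """Label each SetThreadContext edge by the injection pattern it shows."""
    labels = {}
    for src, src_name, verb, dst, dst_name in edges:
        if verb != "set thread context of":
            continue
        if src_name.lower() == dst_name.lower():
            # Same image, different PID: the classic hollow-your-own-child pattern.
            labels[(src, dst)] = "set thread context in a same-image child (process hollowing pattern)"
        elif dst_name.lower() == "explorer.exe":
            labels[(src, dst)] = "thread hijack into explorer.exe"
        else:
            labels[(src, dst)] = f"thread context set in {dst_name}"
    return labels


def reachable_from(edges, root):
    """BFS over both record types: every process the root wrote into or hijacked,
    directly or through an intermediate, as {pid: image name}."""
    adj = {}
    for src, _, _, dst, dst_name in edges:
        adj.setdefault(src, []).append((dst, dst_name))
    found, queue = {}, deque([root])
    while queue:
        pid = queue.popleft()
        for dst, dst_name in adj.get(pid, []):
            if dst != root and dst not in found:
                found[dst] = dst_name
                queue.append(dst)
    return found


def triage_lines(lines):
    """Return (label, line) for every line that matches a triage pattern."""
    return [(label, line) for line in lines for label, pat in TRIAGE_PATTERNS if pat.search(line)]


if __name__ == "__main__":
    edges = parse_records(SET_THREAD_CONTEXT_RECORDS + WRITE_PROCESS_MEMORY_RECORDS)
    for (src, dst), label in classify_injections(edges).items():
        print(f"{src} -> {dst}: {label}")
    for pid, name in reachable_from(edges, 432).items():
        print(f"descends from sample PID 432: {pid} {name}")
    for label, line in triage_lines(TRIAGE_LINES):
        print(f"{label}: {line}")
```

Run stand-alone it prints the four injection labels, the eight PIDs that descend from the dropper (920, 2072, 1388, 676, 3060, 404, 2712, 840), and three triage hits. The walk is what matters operationally: once Explorer.EXE is reached, mstsc.exe, both cmd.exe instances, Firefox.exe and the persistence copy are all attributed to the sample even though the process tree shows Explorer as their parent.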
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Gb0hxyhm\llbxnvtvro.exe (the sandbox listed this entry three times; one copy kept here)
MD5 0783312f7caf72f1ac2a9951145bdda4
SHA1 c3da5594f78880bd4fc1d496efca357e6c19f65a
SHA256 e745235386d1908e2bf40be43cf982932ce8b1604fe59ed2195aee341becb7c3
SHA512 1270782a3aa83186265d8253781d0af5aa5769ccff033672c4f42d27f1be73e7cd2dbe9adbd448a3c09841285c54523fd682721724564794ce152ffbde38d0e1
All four hashes equal those of the submitted sample: the persistence copy under Program Files (x86) is a byte-for-byte copy of the original dropper.
-
C:\Users\Admin\AppData\Local\Temp\DB1
MD5 b608d407fc15adea97c26936bc6f03f6
SHA1 953e7420801c76393902c0d6bb56148947e41571
SHA256 b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512 cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
This is the copy of the Chrome "Login Data" SQLite database made by the cmd.exe /c copy command in the process tree.
-
C:\Users\Admin\AppData\Local\Temp\kehf8ycu2b9frn
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
These are the digests of zero-length input, so the file was empty when the sandbox captured it.
-
C:\Users\Admin\AppData\Local\Temp\yvevjpvkd
MD5 16e9578e89075c3a629d875e9b469ae9
SHA1 5dd4c7094fcbc16141a927e2e26ca09fd52841f4
SHA256 749a06c39bc2583e348c5ddccfcef5972305e309ce5a0c9d6a0433ab7ba209bb
SHA512 965da7bfef9d2bbc0ad91ebca7f35f8d2a5d2f242f2cc9b7cb2eae91ead961fcf4ee3858bcf4af7e7bacc8a3076131424f3c340cf975cb6cad58d800ecffbf31
-
\Users\Admin\AppData\Local\Temp\nsf3165.tmp\wzqevt.dll
MD5 a776ec55ad876c58677a7fcd8d196f2c
SHA1 108a7314775f38ecc724ed1b01488ee4504f797b
SHA256 072b6796585536a21e8d1815adf43a3047509468ef4b60d55eee335a7136ef04
SHA512 1c1e3a0875c98011fade09a3577b92c7d56ea5497f5b2dcabe736a5ae44512523874129d63a1547fe808741322ae4c29de72b0ecb276fb201e2d75274fffedfb
-
\Users\Admin\AppData\Local\Temp\nsj66A7.tmp\wzqevt.dll
MD5 a776ec55ad876c58677a7fcd8d196f2c
SHA1 108a7314775f38ecc724ed1b01488ee4504f797b
SHA256 072b6796585536a21e8d1815adf43a3047509468ef4b60d55eee335a7136ef04
SHA512 1c1e3a0875c98011fade09a3577b92c7d56ea5497f5b2dcabe736a5ae44512523874129d63a1547fe808741322ae4c29de72b0ecb276fb201e2d75274fffedfb
Same DLL as the previous entry. The ns*.tmp directories are NSIS plugin extraction directories, one per run of the installer (the original sample and the llbxnvtvro.exe copy), which is why it appears twice with identical hashes.
Memory dumps
- memory/840-134-0x00000000009C0000-0x0000000000CE0000-memory.dmp: 3.1MB
- memory/920-120-0x0000000000500000-0x0000000000E40000-memory.dmp: 9.2MB
- memory/920-118-0x0000000000A00000-0x0000000000D20000-memory.dmp: 3.1MB
- memory/920-116-0x0000000000400000-0x0000000000429000-memory.dmp: 164KB
- memory/1388-124-0x00000000052B0000-0x0000000005444000-memory.dmp: 1.6MB
- memory/1388-123-0x00000000055F0000-0x0000000005910000-memory.dmp: 3.1MB
- memory/1388-122-0x00000000035F0000-0x0000000003619000-memory.dmp: 164KB
- memory/1388-121-0x0000000001220000-0x000000000151C000-memory.dmp: 3.0MB
- memory/2072-125-0x0000000006120000-0x00000000061BB000-memory.dmp: 620KB
- memory/2072-119-0x0000000002AD0000-0x0000000002B9F000-memory.dmp: 828KB