Analysis
max time kernel: 163s
max time network: 159s
platform: windows10_x64
resource: win10-en-20211208
submitted: 27-01-2022 13:03
Static task: static1
Behavioral task: behavioral1
Sample: payment advice.ro9,pdf.exe
Resource: win7-en-20211208
General
Target: payment advice.ro9,pdf.exe
Size: 607KB
MD5: 5a3452246e02aa71c5d55a89e46cd310
SHA1: 07cc96501710f0d80455fe9b5e34d4b9c1a3d05a
SHA256: 81fc763d0863d2011499222a0683aed63c881b20ccf70d5775125451bf36b76a
SHA512: 7b611c4385dae6bbc09bf9c866d0011e50bbda253917861ae33862f065017424ea97867eae8a02fc69ce24d6d344a8f4af1b38dd2ae6a0681403929fdcfbe4c0
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: tod8
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 3 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/3804-120-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
  behavioral2/memory/3804-123-0x0000000000910000-0x0000000000AAA000-memory.dmp  xloader
  behavioral2/memory/3672-126-0x0000000000600000-0x0000000000629000-memory.dmp  xloader
Loads dropped DLL 1 IoCs
Processes:
  pid   process
  2552  payment advice.ro9,pdf.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
  description                          pid   process                     target process
  PID 2552 set thread context of 3804  2552  payment advice.ro9,pdf.exe  payment advice.ro9,pdf.exe
  PID 3804 set thread context of 3012  3804  payment advice.ro9,pdf.exe  Explorer.EXE
  PID 3672 set thread context of 3012  3672  help.exe                    Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
  pid   process                     entries
  3804  payment advice.ro9,pdf.exe  4
  3672  help.exe                    56 (remaining entries of the 60 IoCs)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid   process
  3012  Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
  pid   process                     entries
  3804  payment advice.ro9,pdf.exe  3
  3672  help.exe                    2
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description              pid   process
  Token: SeDebugPrivilege  3804  payment advice.ro9,pdf.exe
  Token: SeDebugPrivilege  3672  help.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description                       pid   process                     target process              entries
  PID 2552 wrote to memory of 3804  2552  payment advice.ro9,pdf.exe  payment advice.ro9,pdf.exe  6
  PID 3012 wrote to memory of 3672  3012  Explorer.EXE                help.exe                    3
  PID 3672 wrote to memory of 592   3672  help.exe                    cmd.exe                     3
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\payment advice.ro9,pdf.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\payment advice.ro9,pdf.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\payment advice.ro9,pdf.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\payment advice.ro9,pdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\help.exe
    command line: "C:\Windows\SysWOW64\help.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\payment advice.ro9,pdf.exe"
Downloads
\Users\Admin\AppData\Local\Temp\nszE949.tmp\jfay.dll
  MD5: f6303ff47a3f9ae77f90a43ce73ed4c4
  SHA1: b8761d249917348eb9b4bbc41cac93c61cbf7dfa
  SHA256: b133ef10c41b4dd470ba411a84c327394cdf7bc4f1277d3e7117aa13da5c05bc
  SHA512: 12b1f9fcd28e6debdaec038e679508ce4445a2f208ee5b5f0b399ead579796c51bd0c876c422536ad94d9294c58818d704d1cd531ab517f5fecfce5bb544f8df
memory/2552-119-0x00000000022C0000-0x00000000022C2000-memory.dmp  Filesize: 8KB
memory/3012-124-0x0000000004B40000-0x0000000004C72000-memory.dmp  Filesize: 1.2MB
memory/3012-129-0x00000000005C0000-0x0000000000656000-memory.dmp  Filesize: 600KB
memory/3672-125-0x0000000000BA0000-0x0000000000BA7000-memory.dmp  Filesize: 28KB
memory/3672-126-0x0000000000600000-0x0000000000629000-memory.dmp  Filesize: 164KB
memory/3672-127-0x0000000003090000-0x00000000033B0000-memory.dmp  Filesize: 3.1MB
memory/3672-128-0x0000000000930000-0x0000000002D43000-memory.dmp  Filesize: 36.1MB
memory/3804-120-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize: 164KB
memory/3804-122-0x0000000000AB0000-0x0000000000DD0000-memory.dmp  Filesize: 3.1MB
memory/3804-123-0x0000000000910000-0x0000000000AAA000-memory.dmp  Filesize: 1.6MB