Analysis
max time kernel: 151s
max time network: 144s
platform: windows7_x64
resource: win7-en-20211208
submitted: 28-01-2022 14:18
Static task: static1
Behavioral task: behavioral1
Sample: CRYPTO INVOICE APPROVED.exe
Resource: win7-en-20211208
General
Target: CRYPTO INVOICE APPROVED.exe
Size: 250KB
MD5: 9eb725df8f30e3dae7b3197a1783eaea
SHA1: 7484f0d4ff29b450339c24c40b771f88e2d907d7
SHA256: f55c9c2bdda3ecb1e3404ec6c003f146204ed5fd550b6de28a50ee1bdfb722c4
SHA512: 9be53f3c9e0dd9218bd197c09f232a5f3af7470a14b7f58ab346d3ee6a8155ec739416d57053ae7f0429a3483ed6babb69ff70b2195bea794f853529663ca17d
Malware Config
Extracted
xloader
2.5
rmfg
prospectcompounding.com
grand-prix.voyage
solvingpklogc.xyz
eliamhome.com
gamevip88.club
arsels.info
dswlt.com
dchehe.com
lawyerjerusalem.com
pbnseo.xyz
apuryifuid.com
kiukiupoker88.net
leannonimpact.com
kare-furniture.com
mississaugaremax.online
zpyh198.com
dueplay.store
naimi.ltd
greenstepspodiatry.com
cewirtanen.com
stonebyparamount.com
stellenbargains.com
meyerranch.realty
bitcoingrab.com
ifjejijfe.xyz
drjeannerot.com
trgau.com
thailandland.land
satupena.info
coinzillo.com
cloudreveller.digital
wilsoncreekarts.com
hyalucaps.com
dempius.com
onycostopsale.com
54jjpygl.xyz
quick2repair.net
tpyrj.com
cyndeiversondesigns.com
lmandarin.com
bornholm-urlaub.info
rodictibey.quest
saiione.com
flydakhla.com
surveycourses.com
bestnico.space
huvao.com
uptownholding.com
elitesellerstrafficnet.com
zitzies.xyz
supermercadolonuestro.com
laptoppricenepal.com
navyantra.com
myjms315.com
loanswithbrian.net
birbeygrup.xyz
trend-marketing.club
meipassion.com
amtha.com
witlyza.com
boardsandbeamsdecor.com
c2batwpnmu5uvtvnvfk5916.com
yavuzselimorganizasyon.com
4580055.xyz
brimstrategy.com
Signatures
Xloader Payload (2 IoCs)
resource | yara_rule
behavioral1/memory/2044-57-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral1/memory/456-64-0x00000000000C0000-0x00000000000E9000-memory.dmp | xloader
Deletes itself (1 IoC)
pid | process
560 | cmd.exe
Loads dropped DLL (1 IoC)
pid | process
1580 | CRYPTO INVOICE APPROVED.exe
Suspicious use of SetThreadContext (3 IoCs)
description | pid | process | target process
PID 1580 set thread context of 2044 | 1580 | CRYPTO INVOICE APPROVED.exe | CRYPTO INVOICE APPROVED.exe
PID 2044 set thread context of 1228 | 2044 | CRYPTO INVOICE APPROVED.exe | Explorer.EXE
PID 456 set thread context of 1228 | 456 | raserver.exe | Explorer.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (29 IoCs)
pid | process
2044 | CRYPTO INVOICE APPROVED.exe (2 entries)
456 | raserver.exe (27 entries)
Suspicious behavior: MapViewOfSection (5 IoCs)
pid | process
2044 | CRYPTO INVOICE APPROVED.exe (3 entries)
456 | raserver.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 2044 | CRYPTO INVOICE APPROVED.exe
Token: SeDebugPrivilege | 456 | raserver.exe
Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | process | target process
PID 1580 wrote to memory of 2044 | 1580 | CRYPTO INVOICE APPROVED.exe | CRYPTO INVOICE APPROVED.exe (7 entries)
PID 1228 wrote to memory of 456 | 1228 | Explorer.EXE | raserver.exe (4 entries)
PID 456 wrote to memory of 560 | 456 | raserver.exe | cmd.exe (4 entries)
Processes
C:\Windows\Explorer.EXE (depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\CRYPTO INVOICE APPROVED.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\CRYPTO INVOICE APPROVED.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\CRYPTO INVOICE APPROVED.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\CRYPTO INVOICE APPROVED.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\autochk.exe (depth 2)
    command line: "C:\Windows\SysWOW64\autochk.exe"
  C:\Windows\SysWOW64\raserver.exe (depth 2)
    command line: "C:\Windows\SysWOW64\raserver.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (depth 3)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\CRYPTO INVOICE APPROVED.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
\Users\Admin\AppData\Local\Temp\nsy254E.tmp\ucuuf.dll
MD5: 6cf647e973301a4259172ae988ae9a87
SHA1: b003a0c03d628c3b0f59a3e6d7af86d375af06e1
SHA256: 408e85feeef744f07460df42ce8d8f57668ec5afd94aaa3331d5c48a5f0f7138
SHA512: 66fd713cf7426b4633b4e540d66ce34579c39278f6b47e884e5689e2c81d00f65ccb8b04e5f497413b03b6c2bf33e9a50d8aa42020e440bd171610fa884f064a
memory/456-63-0x0000000000FC0000-0x0000000000FDC000-memory.dmp (Filesize: 112KB)
memory/456-64-0x00000000000C0000-0x00000000000E9000-memory.dmp (Filesize: 164KB)
memory/456-65-0x0000000000A00000-0x0000000000D03000-memory.dmp (Filesize: 3.0MB)
memory/456-66-0x0000000000880000-0x0000000000910000-memory.dmp (Filesize: 576KB)
memory/1228-61-0x0000000006190000-0x00000000062AC000-memory.dmp (Filesize: 1.1MB)
memory/1580-55-0x00000000763F1000-0x00000000763F3000-memory.dmp (Filesize: 8KB)
memory/2044-57-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
memory/2044-59-0x0000000000900000-0x0000000000C03000-memory.dmp (Filesize: 3.0MB)
memory/2044-60-0x00000000002A0000-0x00000000002B1000-memory.dmp (Filesize: 68KB)