Analysis
max time kernel: 189s
max time network: 206s
platform: windows10_x64
resource: win10-en-20211208
submitted: 28-01-2022 14:18
Static task: static1
Behavioral task: behavioral1
Sample: CRYPTO INVOICE APPROVED.exe
Resource: win7-en-20211208
General
Target: CRYPTO INVOICE APPROVED.exe
Size: 250KB
MD5: 9eb725df8f30e3dae7b3197a1783eaea
SHA1: 7484f0d4ff29b450339c24c40b771f88e2d907d7
SHA256: f55c9c2bdda3ecb1e3404ec6c003f146204ed5fd550b6de28a50ee1bdfb722c4
SHA512: 9be53f3c9e0dd9218bd197c09f232a5f3af7470a14b7f58ab346d3ee6a8155ec739416d57053ae7f0429a3483ed6babb69ff70b2195bea794f853529663ca17d
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: rmfg
Domains:
prospectcompounding.com
grand-prix.voyage
solvingpklogc.xyz
eliamhome.com
gamevip88.club
arsels.info
dswlt.com
dchehe.com
lawyerjerusalem.com
pbnseo.xyz
apuryifuid.com
kiukiupoker88.net
leannonimpact.com
kare-furniture.com
mississaugaremax.online
zpyh198.com
dueplay.store
naimi.ltd
greenstepspodiatry.com
cewirtanen.com
stonebyparamount.com
stellenbargains.com
meyerranch.realty
bitcoingrab.com
ifjejijfe.xyz
drjeannerot.com
trgau.com
thailandland.land
satupena.info
coinzillo.com
cloudreveller.digital
wilsoncreekarts.com
hyalucaps.com
dempius.com
onycostopsale.com
54jjpygl.xyz
quick2repair.net
tpyrj.com
cyndeiversondesigns.com
lmandarin.com
bornholm-urlaub.info
rodictibey.quest
saiione.com
flydakhla.com
surveycourses.com
bestnico.space
huvao.com
uptownholding.com
elitesellerstrafficnet.com
zitzies.xyz
supermercadolonuestro.com
laptoppricenepal.com
navyantra.com
myjms315.com
loanswithbrian.net
birbeygrup.xyz
trend-marketing.club
meipassion.com
amtha.com
witlyza.com
boardsandbeamsdecor.com
c2batwpnmu5uvtvnvfk5916.com
yavuzselimorganizasyon.com
4580055.xyz
brimstrategy.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload 3 IoCs
  Processes:
  resource | yara_rule
  behavioral2/memory/2940-117-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral2/memory/2940-120-0x00000000009D0000-0x0000000000EE0000-memory.dmp | xloader
  behavioral2/memory/856-123-0x0000000005040000-0x0000000005069000-memory.dmp | xloader
- Loads dropped DLL 1 IoCs
  Processes:
  pid | process
  2708 | CRYPTO INVOICE APPROVED.exe
- Suspicious use of SetThreadContext 3 IoCs
  Processes:
  description | pid | process | target process
  PID 2708 set thread context of 2940 | 2708 | CRYPTO INVOICE APPROVED.exe | CRYPTO INVOICE APPROVED.exe
  PID 2940 set thread context of 3036 | 2940 | CRYPTO INVOICE APPROVED.exe | Explorer.EXE
  PID 856 set thread context of 3036 | 856 | chkdsk.exe | Explorer.EXE
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Enumerates system info in registry 2 TTPs 1 IoCs
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | chkdsk.exe
- Suspicious behavior: EnumeratesProcesses 50 IoCs
  Processes:
  pid | process
  2940 | CRYPTO INVOICE APPROVED.exe (4 entries)
  856 | chkdsk.exe (46 entries)
- Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  Processes:
  pid | process
  3036 | Explorer.EXE
- Suspicious behavior: MapViewOfSection 5 IoCs
  Processes:
  pid | process
  2940 | CRYPTO INVOICE APPROVED.exe (3 entries)
  856 | chkdsk.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2940 | CRYPTO INVOICE APPROVED.exe
  Token: SeDebugPrivilege | 856 | chkdsk.exe
- Suspicious use of WriteProcessMemory 12 IoCs
  Processes:
  description | pid | process | target process
  PID 2708 wrote to memory of 2940 | 2708 | CRYPTO INVOICE APPROVED.exe | CRYPTO INVOICE APPROVED.exe (6 entries)
  PID 3036 wrote to memory of 856 | 3036 | Explorer.EXE | chkdsk.exe (3 entries)
  PID 856 wrote to memory of 3472 | 856 | chkdsk.exe | cmd.exe (3 entries)
Processes
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  Signatures:
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\CRYPTO INVOICE APPROVED.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\CRYPTO INVOICE APPROVED.exe"
    Signatures:
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Users\Admin\AppData\Local\Temp\CRYPTO INVOICE APPROVED.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\CRYPTO INVOICE APPROVED.exe"
      Signatures:
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\chkdsk.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\chkdsk.exe"
    Signatures:
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\CRYPTO INVOICE APPROVED.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nso25A2.tmp\ucuuf.dll
  MD5: 6cf647e973301a4259172ae988ae9a87
  SHA1: b003a0c03d628c3b0f59a3e6d7af86d375af06e1
  SHA256: 408e85feeef744f07460df42ce8d8f57668ec5afd94aaa3331d5c48a5f0f7138
  SHA512: 66fd713cf7426b4633b4e540d66ce34579c39278f6b47e884e5689e2c81d00f65ccb8b04e5f497413b03b6c2bf33e9a50d8aa42020e440bd171610fa884f064a
- memory/856-123-0x0000000005040000-0x0000000005069000-memory.dmp
  Filesize: 164KB
- memory/856-122-0x0000000000DE0000-0x0000000000DEA000-memory.dmp
  Filesize: 40KB
- memory/856-124-0x0000000005110000-0x000000000525A000-memory.dmp
  Filesize: 1.3MB
- memory/856-125-0x00000000055C0000-0x0000000005650000-memory.dmp
  Filesize: 576KB
- memory/2708-116-0x000000001AD70000-0x000000001AD72000-memory.dmp
  Filesize: 8KB
- memory/2940-117-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/2940-119-0x00000000009D0000-0x0000000000CF0000-memory.dmp
  Filesize: 3.1MB
- memory/2940-120-0x00000000009D0000-0x0000000000EE0000-memory.dmp
  Filesize: 5.1MB
- memory/3036-121-0x00000000056F0000-0x0000000005870000-memory.dmp
  Filesize: 1.5MB
- memory/3036-126-0x00000000068D0000-0x0000000006A25000-memory.dmp
  Filesize: 1.3MB