Analysis
-
max time kernel
151s -
max time network
165s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
09-02-2022 10:21
Static task
static1
Behavioral task
behavioral1
Sample
PAYMENT_xlsx.exe
Resource
win7-en-20211208
General
-
Target
PAYMENT_xlsx.exe
-
Size
260KB
-
MD5
903f090170c015ce8a923608be5f5529
-
SHA1
ca5ab369fa9fa10367f8d2de5530986dd5add4a1
-
SHA256
ae912e8263a9242ff6590f2c818cdc64c3a6f2f059576dc8d760a3af93db63fc
-
SHA512
fb716c05053f9643ebdaff1e5a5a3d9b88cee77c1753a51618ab3c8f7897cd79384250edbe49cad6cf86579b83dd317ce2922674835ea3d484a0fb0f79f3bf6b
Malware Config
Extracted
xloader
2.5
dtt3
edilononlineshop.com
cursosd.com
viellacharteredland.com
increasey0urenergylevels.codes
yjy-hotel.com
claym.xyz
reelsguide.com
gives-cardano.com
ashrafannuar.com
mammalians.com
rocketleaguedads.com
yubierp.com
minimi36.com
chn-chn.com
jagojp888.com
parsian-shetab.com
273351.com
mdtouhid.com
babedads.com
vallinam2.com
buro-tic.com
az-rent.net
shifaebio.xyz
circuitoalberghiero.com
xn--b1afb9b.xn--p1acf
canlioyundasin.online
sachainchirajaomega.com
scandinest.com
pluky.net
tpxcy.com
nbg.global
automountproducts.com
hghbj.com
beachsidecoatings.com
householdertips.com
coworkingspace.online
doujyou.com
tenloe053.xyz
udpbkp.biz
kondanginyuk.online
zipiter.com
christiankrog.com
reliantrecruitinggroup.com
acrylicus.com
cruelgirls.biz
oeinsulation.com
mapnft.xyz
leadersfort.com
foodroutine.com
mayerohio.info
systemofsolutions.com
gideonajibike.com
bigboobz.net
townofis.com
mhkxlgs.com
sussaautocare.com
quicktle.com
boutiquedangel.com
garrisonroadhouse.com
stiff-pols.art
cabalaconsultores.com
theweddinggame.net
themoneymagicians.com
overtonesa.com
janasflannels.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/760-58-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral1/memory/760-60-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral1/memory/1628-67-0x00000000000D0000-0x00000000000F9000-memory.dmp xloader -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1760 cmd.exe -
Loads dropped DLL 1 IoCs
Processes:
PAYMENT_xlsx.exepid process 1404 PAYMENT_xlsx.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
PAYMENT_xlsx.exePAYMENT_xlsx.execmstp.exedescription pid process target process PID 1404 set thread context of 760 1404 PAYMENT_xlsx.exe PAYMENT_xlsx.exe PID 760 set thread context of 1416 760 PAYMENT_xlsx.exe Explorer.EXE PID 1628 set thread context of 1416 1628 cmstp.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes:
PAYMENT_xlsx.execmstp.exepid process 760 PAYMENT_xlsx.exe 760 PAYMENT_xlsx.exe 1628 cmstp.exe 1628 cmstp.exe 1628 cmstp.exe 1628 cmstp.exe 1628 cmstp.exe 1628 cmstp.exe 1628 cmstp.exe 1628 cmstp.exe 1628 cmstp.exe 1628 cmstp.exe 1628 cmstp.exe 1628 cmstp.exe 1628 cmstp.exe 1628 cmstp.exe 1628 cmstp.exe 1628 cmstp.exe 1628 cmstp.exe 1628 cmstp.exe 1628 cmstp.exe 1628 cmstp.exe 1628 cmstp.exe 1628 cmstp.exe 1628 cmstp.exe 1628 cmstp.exe 1628 cmstp.exe 1628 cmstp.exe 1628 cmstp.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1416 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
PAYMENT_xlsx.execmstp.exepid process 760 PAYMENT_xlsx.exe 760 PAYMENT_xlsx.exe 760 PAYMENT_xlsx.exe 1628 cmstp.exe 1628 cmstp.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
PAYMENT_xlsx.execmstp.exedescription pid process Token: SeDebugPrivilege 760 PAYMENT_xlsx.exe Token: SeDebugPrivilege 1628 cmstp.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1416 Explorer.EXE 1416 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1416 Explorer.EXE 1416 Explorer.EXE -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
PAYMENT_xlsx.exeExplorer.EXEcmstp.exedescription pid process target process PID 1404 wrote to memory of 760 1404 PAYMENT_xlsx.exe PAYMENT_xlsx.exe PID 1404 wrote to memory of 760 1404 PAYMENT_xlsx.exe PAYMENT_xlsx.exe PID 1404 wrote to memory of 760 1404 PAYMENT_xlsx.exe PAYMENT_xlsx.exe PID 1404 wrote to memory of 760 1404 PAYMENT_xlsx.exe PAYMENT_xlsx.exe PID 1404 wrote to memory of 760 1404 PAYMENT_xlsx.exe PAYMENT_xlsx.exe PID 1404 wrote to memory of 760 1404 PAYMENT_xlsx.exe PAYMENT_xlsx.exe PID 1404 wrote to memory of 760 1404 PAYMENT_xlsx.exe PAYMENT_xlsx.exe PID 1416 wrote to memory of 1628 1416 Explorer.EXE cmstp.exe PID 1416 wrote to memory of 1628 1416 Explorer.EXE cmstp.exe PID 1416 wrote to memory of 1628 1416 Explorer.EXE cmstp.exe PID 1416 wrote to memory of 1628 1416 Explorer.EXE cmstp.exe PID 1416 wrote to memory of 1628 1416 Explorer.EXE cmstp.exe PID 1416 wrote to memory of 1628 1416 Explorer.EXE cmstp.exe PID 1416 wrote to memory of 1628 1416 Explorer.EXE cmstp.exe PID 1628 wrote to memory of 1760 1628 cmstp.exe cmd.exe PID 1628 wrote to memory of 1760 1628 cmstp.exe cmd.exe PID 1628 wrote to memory of 1760 1628 cmstp.exe cmd.exe PID 1628 wrote to memory of 1760 1628 cmstp.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PAYMENT_xlsx.exe"C:\Users\Admin\AppData\Local\Temp\PAYMENT_xlsx.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PAYMENT_xlsx.exe"C:\Users\Admin\AppData\Local\Temp\PAYMENT_xlsx.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmstp.exe"C:\Windows\SysWOW64\cmstp.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\PAYMENT_xlsx.exe"3⤵
- Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nsyD8A.tmp\grjrgdnfat.dllMD5
4f17fcc87799615ed77345f05d8c5520
SHA11f4a7f5b874c28afdb8efa185282e8276147d305
SHA25642af13597bd2e5a22c31c9776403f45ddf4cded7a488fd7ae2463cfa31ba5783
SHA51240f2cbac516a82bccc0a49379a361d885dc97a4cc2589c81c1b39d5d94f9857c22eddc2194c089e392b209d9cc9e177ed4f39637e09639d4a9c08e7569ae485b
-
memory/760-61-0x0000000000830000-0x0000000000B33000-memory.dmpFilesize
3.0MB
-
memory/760-58-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/760-60-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/760-62-0x000000000041D000-0x000000000041E000-memory.dmpFilesize
4KB
-
memory/760-63-0x00000000002C0000-0x00000000002D1000-memory.dmpFilesize
68KB
-
memory/1404-57-0x00000000005E0000-0x00000000005E2000-memory.dmpFilesize
8KB
-
memory/1404-55-0x0000000075F81000-0x0000000075F83000-memory.dmpFilesize
8KB
-
memory/1416-64-0x00000000070B0000-0x00000000071AB000-memory.dmpFilesize
1004KB
-
memory/1416-70-0x0000000008F80000-0x00000000090C7000-memory.dmpFilesize
1.3MB
-
memory/1628-67-0x00000000000D0000-0x00000000000F9000-memory.dmpFilesize
164KB
-
memory/1628-66-0x00000000009E0000-0x00000000009F8000-memory.dmpFilesize
96KB
-
memory/1628-68-0x0000000001F90000-0x0000000002293000-memory.dmpFilesize
3.0MB
-
memory/1628-69-0x0000000000810000-0x00000000008A0000-memory.dmpFilesize
576KB