Analysis
- max time kernel: 150s
- max time network: 170s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 14-02-2022 07:12
- Static task: static1
- Behavioral task: behavioral1
  Sample: TNT Original Invoice PDF.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: TNT Original Invoice PDF.exe
  Resource: win10v2004-en-20220112
General
- Target: TNT Original Invoice PDF.exe
- Size: 435KB
- MD5: 235cfac32180bb40ce5c379fcaf75c27
- SHA1: 1bdef262e81ba80d8bd4b94abf106444754f1cb7
- SHA256: fa0c54af42af10dbb34626554f789c0d00d392a6bca0017f97babda9e17ef785
- SHA512: 70dc67d2ffb3688722aeb3f482ce7998636cfd500ae85ba984b615ef753e1674b200fb5972ae0d21e6a74aaaba35e4ae47afbcb8ef2510ea868a3dce1c310b97
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: zqzw
Signatures
- Xloader Payload (3 IoCs)
  resource / yara_rule:
  behavioral1/memory/384-62-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
  behavioral1/memory/384-64-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
  behavioral1/memory/1408-71-0x0000000000090000-0x00000000000B9000-memory.dmp: xloader
- Deletes itself (1 IoC)
  pid / process:
  588 cmd.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description / pid / process / target process:
  PID 528 set thread context of 384: TNT Original Invoice PDF.exe -> TNT Original Invoice PDF.exe
  PID 384 set thread context of 1380: TNT Original Invoice PDF.exe -> Explorer.EXE
  PID 1408 set thread context of 1380: rundll32.exe -> Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid / process:
  384 TNT Original Invoice PDF.exe (2 entries)
  1408 rundll32.exe (21 entries)
- Suspicious behavior: MapViewOfSection (5 IoCs)
  pid / process:
  384 TNT Original Invoice PDF.exe (3 entries)
  1408 rundll32.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / process:
  Token: SeDebugPrivilege, 384 TNT Original Invoice PDF.exe
  Token: SeDebugPrivilege, 1408 rundll32.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid / process:
  1380 Explorer.EXE (2 entries)
- Suspicious use of SendNotifyMessage (2 IoCs)
  pid / process:
  1380 Explorer.EXE (2 entries)
- Suspicious use of WriteProcessMemory (18 IoCs)
  description / pid / process / target process:
  PID 528 wrote to memory of 384: TNT Original Invoice PDF.exe -> TNT Original Invoice PDF.exe (7 entries)
  PID 1380 wrote to memory of 1408: Explorer.EXE -> rundll32.exe (7 entries)
  PID 1408 wrote to memory of 588: rundll32.exe -> cmd.exe (4 entries)
Processes (tree; indentation shows parent/child)
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe
      command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\rundll32.exe
    command line: "C:\Windows\SysWOW64\rundll32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe"
      - Deletes itself
Downloads (memory dumps; name: filesize)
- memory/384-61-0x0000000000400000-0x0000000000429000-memory.dmp: 164KB
- memory/384-67-0x00000000003E0000-0x00000000003F1000-memory.dmp: 68KB
- memory/384-65-0x0000000000940000-0x0000000000C43000-memory.dmp: 3.0MB
- memory/384-66-0x000000000041D000-0x000000000041E000-memory.dmp: 4KB
- memory/384-64-0x0000000000400000-0x0000000000429000-memory.dmp: 164KB
- memory/384-62-0x0000000000400000-0x0000000000429000-memory.dmp: 164KB
- memory/384-60-0x0000000000400000-0x0000000000429000-memory.dmp: 164KB
- memory/528-59-0x0000000000870000-0x00000000008A0000-memory.dmp: 192KB
- memory/528-54-0x00000000008C0000-0x0000000000932000-memory.dmp: 456KB
- memory/528-58-0x0000000005640000-0x00000000056C4000-memory.dmp: 528KB
- memory/528-57-0x00000000003D0000-0x00000000003DA000-memory.dmp: 40KB
- memory/528-56-0x0000000004AC0000-0x0000000004AC1000-memory.dmp: 4KB
- memory/528-55-0x000000007469E000-0x000000007469F000-memory.dmp: 4KB
- memory/1380-68-0x0000000004EA0000-0x0000000004F5A000-memory.dmp: 744KB
- memory/1380-74-0x0000000006500000-0x00000000065DF000-memory.dmp: 892KB
- memory/1408-69-0x0000000076121000-0x0000000076123000-memory.dmp: 8KB
- memory/1408-70-0x00000000008B0000-0x00000000008BE000-memory.dmp: 56KB
- memory/1408-71-0x0000000000090000-0x00000000000B9000-memory.dmp: 164KB
- memory/1408-72-0x0000000002170000-0x0000000002473000-memory.dmp: 3.0MB
- memory/1408-73-0x0000000000520000-0x00000000005B0000-memory.dmp: 576KB