Analysis
-
max time kernel
148s -
max time network
147s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
21-02-2022 10:32
Static task
static1
Behavioral task
behavioral1
Sample
Carta de pago.exe
Resource
win7-en-20211208
General
-
Target
Carta de pago.exe
-
Size
357KB
-
MD5
03206cea63667d5f8e8861f554720473
-
SHA1
43bcabbfaffce6dfb7c5ec763f11ea85d8876dad
-
SHA256
c15f6faab41ea44719d795995c15024db0719fa5c9a731110587ec4e1e041fc2
-
SHA512
7552aae69b210e543f27d707952738df7f349daf99450e53b0a39729ea7bea5e31d34b9dc6b876ef2964f759f488a83a052a913125fb6b6f50767f994277e933
Malware Config
Extracted
xloader
2.3
kio8
greeaircondition.com
thewilmingtonguide.com
cbluedotlivewdmall.com
globalcrime24.com
heightsplace.com
ghar.pro
asosbira.com
melolandia.com
velactun.com
erniesimms.com
nutbullet.com
drizzerstr.com
hnqym888.com
ghorowaseba.com
1317efoxchasedrive.info
stjudetroop623.com
facestaj.com
airpromaskaccessories.com
wolfetailors.com
56ohdc2016.com
estedindustries.com
magmaplant.net
tf-iot.com
jtkqmz.com
helmihendrahasilbumi.com
audiencetrust.sucks
thespiritualabolitionist.com
lauratoots.com
fantasticsgelato.com
allinoncrypto.site
youremsys.com
awesome-veganism.com
tsunrp.net
systizen.com
73gardinerdrive.com
legamedary.com
newyorkcityhemorrhoidclinic.com
ffhcompany.com
angermgmtathome.com
plantationrevival.com
utopicvibes.net
envirocare-ss.com
domentemenegi20.com
gropedais.club
thaibizgermany.com
noimagreece.com
yogabizhelp.com
sanrenzong.com
bingent.info
chinhphucphaidep.online
dubojx.com
jennaloren.com
thedesigneryshop.com
opera-historica.com
pizzaterry.com
the-aviate.com
perteprampram01.net
pastormariorondon.com
dream-case.com
ocleanwholesaler.com
masdimensiones.com
fireworkstycoons.com
porntvh.com
fixedpriceelectrician.com
smallcoloradoweddings.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/1660-55-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral1/memory/556-62-0x0000000000080000-0x00000000000A9000-memory.dmp xloader -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1740 cmd.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
Carta de pago.exeCarta de pago.execontrol.exedescription pid process target process PID 756 set thread context of 1660 756 Carta de pago.exe Carta de pago.exe PID 1660 set thread context of 1216 1660 Carta de pago.exe Explorer.EXE PID 556 set thread context of 1216 556 control.exe Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 31 IoCs
Processes:
Carta de pago.execontrol.exepid process 1660 Carta de pago.exe 1660 Carta de pago.exe 556 control.exe 556 control.exe 556 control.exe 556 control.exe 556 control.exe 556 control.exe 556 control.exe 556 control.exe 556 control.exe 556 control.exe 556 control.exe 556 control.exe 556 control.exe 556 control.exe 556 control.exe 556 control.exe 556 control.exe 556 control.exe 556 control.exe 556 control.exe 556 control.exe 556 control.exe 556 control.exe 556 control.exe 556 control.exe 556 control.exe 556 control.exe 556 control.exe 556 control.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1216 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
Carta de pago.exeCarta de pago.execontrol.exepid process 756 Carta de pago.exe 1660 Carta de pago.exe 1660 Carta de pago.exe 1660 Carta de pago.exe 556 control.exe 556 control.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Carta de pago.execontrol.exedescription pid process Token: SeDebugPrivilege 1660 Carta de pago.exe Token: SeDebugPrivilege 556 control.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1216 Explorer.EXE 1216 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1216 Explorer.EXE 1216 Explorer.EXE -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
Carta de pago.exeExplorer.EXEcontrol.exedescription pid process target process PID 756 wrote to memory of 1820 756 Carta de pago.exe cmd.exe PID 756 wrote to memory of 1820 756 Carta de pago.exe cmd.exe PID 756 wrote to memory of 1820 756 Carta de pago.exe cmd.exe PID 756 wrote to memory of 1820 756 Carta de pago.exe cmd.exe PID 756 wrote to memory of 1916 756 Carta de pago.exe cmd.exe PID 756 wrote to memory of 1916 756 Carta de pago.exe cmd.exe PID 756 wrote to memory of 1916 756 Carta de pago.exe cmd.exe PID 756 wrote to memory of 1916 756 Carta de pago.exe cmd.exe PID 756 wrote to memory of 1660 756 Carta de pago.exe Carta de pago.exe PID 756 wrote to memory of 1660 756 Carta de pago.exe Carta de pago.exe PID 756 wrote to memory of 1660 756 Carta de pago.exe Carta de pago.exe PID 756 wrote to memory of 1660 756 Carta de pago.exe Carta de pago.exe PID 756 wrote to memory of 1660 756 Carta de pago.exe Carta de pago.exe PID 1216 wrote to memory of 556 1216 Explorer.EXE control.exe PID 1216 wrote to memory of 556 1216 Explorer.EXE control.exe PID 1216 wrote to memory of 556 1216 Explorer.EXE control.exe PID 1216 wrote to memory of 556 1216 Explorer.EXE control.exe PID 556 wrote to memory of 1740 556 control.exe cmd.exe PID 556 wrote to memory of 1740 556 control.exe cmd.exe PID 556 wrote to memory of 1740 556 control.exe cmd.exe PID 556 wrote to memory of 1740 556 control.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Carta de pago.exe"C:\Users\Admin\AppData\Local\Temp\Carta de pago.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cls3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cls3⤵
-
C:\Users\Admin\AppData\Local\Temp\Carta de pago.exe"C:\Users\Admin\AppData\Local\Temp\Carta de pago.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\control.exe"C:\Windows\SysWOW64\control.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\Carta de pago.exe"3⤵
- Deletes itself
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/556-60-0x0000000075531000-0x0000000075533000-memory.dmpFilesize
8KB
-
memory/556-61-0x0000000000BB0000-0x0000000000BCF000-memory.dmpFilesize
124KB
-
memory/556-62-0x0000000000080000-0x00000000000A9000-memory.dmpFilesize
164KB
-
memory/556-63-0x0000000001FD0000-0x00000000022D3000-memory.dmpFilesize
3.0MB
-
memory/556-64-0x0000000000820000-0x00000000008AF000-memory.dmpFilesize
572KB
-
memory/756-54-0x000000000043D000-0x0000000000440000-memory.dmpFilesize
12KB
-
memory/1216-59-0x0000000004B10000-0x0000000004C37000-memory.dmpFilesize
1.2MB
-
memory/1216-65-0x00000000067F0000-0x0000000006915000-memory.dmpFilesize
1.1MB
-
memory/1660-55-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1660-56-0x0000000000880000-0x0000000000B83000-memory.dmpFilesize
3.0MB
-
memory/1660-58-0x0000000000260000-0x0000000000270000-memory.dmpFilesize
64KB
-
memory/1660-57-0x000000000041D000-0x000000000041E000-memory.dmpFilesize
4KB