Analysis
-
max time kernel: 151s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 21-02-2022 10:32
Static task: static1
Behavioral task: behavioral1
Sample: Carta de pago.exe
Resource: win7-en-20211208
General
-
Target: Carta de pago.exe
Size: 357KB
MD5: 03206cea63667d5f8e8861f554720473
SHA1: 43bcabbfaffce6dfb7c5ec763f11ea85d8876dad
SHA256: c15f6faab41ea44719d795995c15024db0719fa5c9a731110587ec4e1e041fc2
SHA512: 7552aae69b210e543f27d707952738df7f349daf99450e53b0a39729ea7bea5e31d34b9dc6b876ef2964f759f488a83a052a913125fb6b6f50767f994277e933
Malware Config
Extracted
Family: xloader
Version: 2.3
Campaign ID: kio8
Domains (65 extracted; Xloader/FormBook configs are known to mix decoy domains with the real C2, so treat each entry as a candidate for DNS/proxy monitoring rather than as confirmed infrastructure):
greeaircondition.com
thewilmingtonguide.com
cbluedotlivewdmall.com
globalcrime24.com
heightsplace.com
ghar.pro
asosbira.com
melolandia.com
velactun.com
erniesimms.com
nutbullet.com
drizzerstr.com
hnqym888.com
ghorowaseba.com
1317efoxchasedrive.info
stjudetroop623.com
facestaj.com
airpromaskaccessories.com
wolfetailors.com
56ohdc2016.com
estedindustries.com
magmaplant.net
tf-iot.com
jtkqmz.com
helmihendrahasilbumi.com
audiencetrust.sucks
thespiritualabolitionist.com
lauratoots.com
fantasticsgelato.com
allinoncrypto.site
youremsys.com
awesome-veganism.com
tsunrp.net
systizen.com
73gardinerdrive.com
legamedary.com
newyorkcityhemorrhoidclinic.com
ffhcompany.com
angermgmtathome.com
plantationrevival.com
utopicvibes.net
envirocare-ss.com
domentemenegi20.com
gropedais.club
thaibizgermany.com
noimagreece.com
yogabizhelp.com
sanrenzong.com
bingent.info
chinhphucphaidep.online
dubojx.com
jennaloren.com
thedesigneryshop.com
opera-historica.com
pizzaterry.com
the-aviate.com
perteprampram01.net
pastormariorondon.com
dream-case.com
ocleanwholesaler.com
masdimensiones.com
fireworkstycoons.com
porntvh.com
fixedpriceelectrician.com
smallcoloradoweddings.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4624-132-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/2964-137-0x0000000000DA0000-0x0000000000DC9000-memory.dmp | xloader
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 3272 set thread context of 4624 | 3272 | Carta de pago.exe | Carta de pago.exe
PID 4624 set thread context of 3024 | 4624 | Carta de pago.exe | Explorer.EXE
PID 2964 set thread context of 3024 | 2964 | chkdsk.exe | Explorer.EXE
Drops file in Windows directory 6 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | chkdsk.exe
Suspicious behavior: EnumeratesProcesses 62 IoCs
Processes:
pid | process
4624 | Carta de pago.exe (4 entries)
2964 | chkdsk.exe (remaining 58 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3024 | Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
Carta de pago.exeCarta de pago.exechkdsk.exepid process 3272 Carta de pago.exe 4624 Carta de pago.exe 4624 Carta de pago.exe 4624 Carta de pago.exe 2964 chkdsk.exe 2964 chkdsk.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4624 | Carta de pago.exe
Token: SeDebugPrivilege | 2964 | chkdsk.exe
Token: SeShutdownPrivilege | 4832 | svchost.exe (3 entries)
Token: SeCreatePagefilePrivilege | 4832 | svchost.exe (3 entries)
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
description | pid | process | target process
PID 3272 wrote to memory of 3568 | 3272 | Carta de pago.exe | cmd.exe (3 entries)
PID 3272 wrote to memory of 1568 | 3272 | Carta de pago.exe | cmd.exe (3 entries)
PID 3272 wrote to memory of 4624 | 3272 | Carta de pago.exe | Carta de pago.exe (4 entries)
PID 3024 wrote to memory of 2964 | 3024 | Explorer.EXE | chkdsk.exe (3 entries)
PID 2964 wrote to memory of 4492 | 2964 | chkdsk.exe | cmd.exe (3 entries)
Processes
-
C:\Windows\Explorer.EXE  (depth 1, pid 3024)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Carta de pago.exe  (depth 2, pid 3272)
    command line: "C:\Users\Admin\AppData\Local\Temp\Carta de pago.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (depth 3)
      command line: C:\Windows\system32\cmd.exe /c cls
    C:\Windows\SysWOW64\cmd.exe  (depth 3)
      command line: C:\Windows\system32\cmd.exe /c cls
    C:\Users\Admin\AppData\Local\Temp\Carta de pago.exe  (depth 3, pid 4624)
      command line: "C:\Users\Admin\AppData\Local\Temp\Carta de pago.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\chkdsk.exe  (depth 2, pid 2964)
    command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (depth 3, pid 4492)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Carta de pago.exe"
C:\Windows\system32\svchost.exe  (depth 1, pid 4832)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
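The process tree and the SetThreadContext / WriteProcessMemory tables together describe one injection chain: the sample spawns a second copy of itself and rewrites its thread context (hollowing), that copy rewrites a thread context in Explorer.EXE, Explorer then launches a SysWOW64 binary (chkdsk.exe) which injects back into Explorer, and finally chkdsk.exe spawns cmd.exe to delete the original file. The detection logic below is an added example written for this page, not part of the sandbox report or of any vendor's tooling; the process records and events are transcribed from the tables above into a small event schema of this example's own (the field names are assumptions, not a sandbox export format).

```python
"""Flag the process-injection hand-offs visible in this report's tables.

Added example. PROCS and EVENTS are constructed from the Processes,
SetThreadContext and WriteProcessMemory sections above; the schema is
this example's own, not a sandbox export format.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str            # lower-cased basename of the executable
    path: str             # full path as reported
    cmdline: str
    parent: Optional[int]


@dataclass(frozen=True)
class Event:
    kind: str             # "set_thread_context" or "write_process_memory"
    src: int              # acting pid
    dst: int              # target pid


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Carta de pago.exe"

# Constructed from the Processes section of the report.
PROCS = {
    3024: Proc(3024, "explorer.exe", r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE", None),
    3272: Proc(3272, "carta de pago.exe", SAMPLE, f'"{SAMPLE}"', 3024),
    3568: Proc(3568, "cmd.exe", r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c cls", 3272),
    1568: Proc(1568, "cmd.exe", r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c cls", 3272),
    4624: Proc(4624, "carta de pago.exe", SAMPLE, f'"{SAMPLE}"', 3272),
    2964: Proc(2964, "chkdsk.exe", r"C:\Windows\SysWOW64\chkdsk.exe", r'"C:\Windows\SysWOW64\chkdsk.exe"', 3024),
    4492: Proc(4492, "cmd.exe", r"C:\Windows\SysWOW64\cmd.exe", f'/c del "{SAMPLE}"', 2964),
}

# Constructed from the SetThreadContext and WriteProcessMemory tables (deduplicated).
EVENTS = [
    Event("write_process_memory", 3272, 3568),
    Event("write_process_memory", 3272, 1568),
    Event("write_process_memory", 3272, 4624),
    Event("set_thread_context", 3272, 4624),
    Event("set_thread_context", 4624, 3024),
    Event("write_process_memory", 3024, 2964),
    Event("set_thread_context", 2964, 3024),
    Event("write_process_memory", 2964, 4492),
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_system_binary(p: Proc) -> bool:
    return p.path.lower().startswith(SYSTEM_DIRS)


def detect_injection_chain(procs, events):
    """Return one finding per SetThreadContext hand-off that fits the chain."""
    findings = []
    for e in events:
        if e.kind != "set_thread_context":
            continue
        src, dst = procs[e.src], procs[e.dst]
        # 1. A process spawns a copy of its own image and rewrites the child's
        #    thread context: the (suspended) child is being hollowed.
        if dst.parent == src.pid and dst.image == src.image:
            findings.append(f"self-hollowing: {src.pid} -> {dst.pid} ({src.image})")
        # 2. A binary outside System32/SysWOW64 rewrites a thread context in explorer.exe.
        elif dst.image == "explorer.exe" and not is_system_binary(src):
            findings.append(f"explorer injection: {src.pid} {src.image} -> {dst.pid}")
        # 3. explorer.exe launched a system binary that immediately injects back
        #    into explorer: the second-stage host picked from SysWOW64.
        elif dst.image == "explorer.exe" and src.parent == dst.pid and is_system_binary(src):
            findings.append(f"explorer -> {src.image} -> explorer: {src.pid}")
    return findings


def detect_self_delete(procs, sample_path):
    """A cmd.exe child whose command line deletes the original sample file."""
    needle = sample_path.lower()
    return [
        f"self-delete: {procs[p.parent].image} {p.parent} -> cmd.exe {p.pid}"
        for p in procs.values()
        if p.image == "cmd.exe" and p.parent is not None
        and "del " in p.cmdline.lower() and needle in p.cmdline.lower()
    ]


if __name__ == "__main__":
    for line in detect_injection_chain(PROCS, EVENTS) + detect_self_delete(PROCS, SAMPLE):
        print(line)
```

The three SetThreadContext rules are deliberately narrow (same-image child, non-system source into explorer, explorer-spawned system binary bouncing back into explorer) so that ordinary debugger or installer activity does not match; in a real pipeline the same predicates map directly onto Sysmon process-create and process-access events keyed by parent pid and image path.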
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/2964-139-0x0000000001560000-0x00000000015EF000-memory.dmp | 572KB
memory/2964-138-0x0000000001730000-0x0000000001A7A000-memory.dmp | 3.3MB
memory/2964-137-0x0000000000DA0000-0x0000000000DC9000-memory.dmp | 164KB
memory/2964-136-0x00000000008B0000-0x00000000008BA000-memory.dmp | 40KB
memory/3024-135-0x0000000008710000-0x0000000008892000-memory.dmp | 1.5MB
memory/3024-140-0x0000000003360000-0x0000000003443000-memory.dmp | 908KB
memory/3272-130-0x00000000007AD000-0x00000000007B0000-memory.dmp | 12KB
memory/4624-134-0x0000000000830000-0x0000000000840000-memory.dmp | 64KB
memory/4624-131-0x0000000001040000-0x000000000138A000-memory.dmp | 3.3MB
memory/4624-133-0x000000000041D000-0x000000000041E000-memory.dmp | 4KB
memory/4624-132-0x0000000000400000-0x0000000000429000-memory.dmp | 164KB
memory/4832-141-0x000001EE29020000-0x000001EE29030000-memory.dmp | 64KB
memory/4832-142-0x000001EE29080000-0x000001EE29090000-memory.dmp | 64KB
memory/4832-143-0x000001EE2B750000-0x000001EE2B754000-memory.dmp | 16KB
The two 164KB dumps (4624-132 in the hollowed sample copy and 2964-137 in chkdsk.exe) are the regions the xloader YARA rule matched in the Signatures section: the same unpacked payload at two different bases.