Analysis
Max time kernel: 150s
Max time network: 152s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 25-02-2022 09:29
Static task: static1
Behavioral task: behavioral1
  Sample: PAYMENT INSTRUCTIONS COPY.exe
  Resource: win7-en-20211208
General
Target: PAYMENT INSTRUCTIONS COPY.exe
Size: 338KB
MD5: c3ed9e3e0a175a9b8cf5cf02598e99b1
SHA1: 444452c7815dc8fb47ad829af43ec0527f6bcc57
SHA256: 37fb6b86524033fb07847e3550977bd8028701039465431bd89a33e870ff2c4d
SHA512: 632e314f921bf8a13f2f04aa2270b87fa7e29f00e35d941260f24c1d08b1bcfae8b58823629bed3d2c5d6bf480619c8aa97523ca33d1d68ce3ea2a90bd3fd363
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: yrcy
C2 domains (65 extracted). XLoader/FormBook configs embed decoy domains alongside the live C2, so treat this list as the set of hosts the sample may resolve or contact, not as 65 confirmed C2 servers; the Suricata hits under Signatures are the check-ins that actually fired in this run.
sturlabas.com
tantrungcompany.com
wildgraceyogahealing.com
wsparalegal.com
8xhgq.xyz
mysaylav.com
amelntl.net
cooleshow.online
adventuresbydisneyathome.com
sprinklekart.com
prostitutkitambovasuck.info
pakdao.com
finsith.com
nightpartner82.xyz
sex9a4ufbj.com
ketohousee.com
mairie-les-cammazes.com
elebots.xyz
highqualityremodeling.net
teamsterslocal553.com
rws3.xyz
ngucocloisua.online
waiting-game.com
chauffeureddriven.com
makemusictemecula.com
17taol.com
big-swindle.com
surveycourses.com
my-safqati.com
gn-powerplants.com
colorgameph.com
jaysingpurchessacademy.com
onlinedon.net
sebashtiana.com
vitamincfood.com
thesportcollective.com
tradableassettokens.com
worldhealthnutrition.com
let-value.com
tanyademby.com
tollesonhouses.com
puzzleadventure.city
mindsetolimpionico.com
krakenind.com
investorsbak.com
tenloe049.xyz
gooddeals4u.online
adelphosformacao.com
cyndeiversondesigns.com
hrofmdieh.com
volucercab.com
bitcoindatai.com
gokelmining.com
magicbasketbourse.net
myblessedgeneration.com
super-trade.online
onevishnu.online
ctr-expert.com
globalitinfra.com
lickmychili.com
0xbot.net
91aaa.net
b3yg6g.com
ruleship.com
lifescreativeflow.com
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET) (2 hits)

Xloader Payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/1960-63-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral1/memory/900-72-0x0000000000080000-0x00000000000A9000-memory.dmp | xloader

Executes dropped EXE (2 IoCs)
  pid 520  wljkjsd.exe
  pid 1960 wljkjsd.exe

Loads dropped DLL (2 IoCs)
  pid 1320 PAYMENT INSTRUCTIONS COPY.exe
  pid 520  wljkjsd.exe

Suspicious use of SetThreadContext (3 IoCs)
  PID 520  wljkjsd.exe  set thread context of 1960 wljkjsd.exe
  PID 1960 wljkjsd.exe  set thread context of 1380 Explorer.EXE
  PID 900  control.exe  set thread context of 1380 Explorer.EXE

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches "likely ransomware behaviour" to this heuristic as its generic description; nothing else in this report supports a ransomware classification for a sample the YARA and Suricata hits identify as XLoader/FormBook, an information stealer.

Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid 1960 wljkjsd.exe (2 events)
  pid 900  control.exe (29 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1380 Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid 1960 wljkjsd.exe (3 events)
  pid 900  control.exe (2 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 1960 wljkjsd.exe
  Token: SeDebugPrivilege  pid 900  control.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 1380 Explorer.EXE (2 events)

Suspicious use of SendNotifyMessage (2 IoCs)
  pid 1380 Explorer.EXE (2 events)

Suspicious use of WriteProcessMemory (19 IoCs)
  PID 1320 PAYMENT INSTRUCTIONS COPY.exe  wrote to memory of 520  wljkjsd.exe (4 events)
  PID 520  wljkjsd.exe                     wrote to memory of 1960 wljkjsd.exe (7 events)
  PID 1380 Explorer.EXE                    wrote to memory of 900  control.exe (4 events)
  PID 900  control.exe                     wrote to memory of 1592 cmd.exe     (4 events)

Read together, these tables are the standard FormBook/XLoader execution chain: the dropper (1320) launches the dropped wljkjsd.exe (520) with the dropped file pgqbkgjy as its argument; 520 starts a second copy of itself (1960) and replaces its code (WriteProcessMemory followed by SetThreadContext, i.e. process hollowing); 1960 takes SeDebugPrivilege and uses MapViewOfSection plus SetThreadContext against Explorer.EXE (1380); Explorer then launches control.exe (900), which repeats the privilege and thread-hijack steps against Explorer and spawns cmd.exe (1592) to delete the dropped wljkjsd.exe.
Processes
C:\Windows\Explorer.EXE  (pid 1380, depth 1)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  |
  +-- "C:\Users\Admin\AppData\Local\Temp\PAYMENT INSTRUCTIONS COPY.exe"  (pid 1320, depth 2)
  |     - Loads dropped DLL
  |     - Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Users\Admin\AppData\Local\Temp\wljkjsd.exe C:\Users\Admin\AppData\Local\Temp\pgqbkgjy  (pid 520, depth 3)
  |           - Executes dropped EXE
  |           - Loads dropped DLL
  |           - Suspicious use of SetThreadContext
  |           - Suspicious use of WriteProcessMemory
  |           |
  |           +-- C:\Users\Admin\AppData\Local\Temp\wljkjsd.exe C:\Users\Admin\AppData\Local\Temp\pgqbkgjy  (pid 1960, depth 4)
  |                 - Executes dropped EXE
  |                 - Suspicious use of SetThreadContext
  |                 - Suspicious behavior: EnumeratesProcesses
  |                 - Suspicious behavior: MapViewOfSection
  |                 - Suspicious use of AdjustPrivilegeToken
  |
  +-- "C:\Windows\SysWOW64\control.exe"  (pid 900, depth 2)
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\wljkjsd.exe"  (pid 1592, depth 3)
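The process tree and the SetThreadContext / WriteProcessMemory tables above are enough to reconstruct the injection chain mechanically, which is what a detection rule over EDR telemetry would do. The following is an added example, not code from the sandbox or from this report: it re-types the report's process tree and API events as a constructed sample, then flags the three patterns that matter here (a parent hollowing its own child, a thread hijack into Explorer.EXE, and an Explorer-spawned Windows binary injecting back into Explorer), plus the cmd.exe /c del cleanup of an injector's binary. The PIDs and paths are the report's; the tag names and the Proc/analyze helpers are this example's own.

```python
"""Reconstruct the XLoader/FormBook injection chain from sandbox behaviour events.

Added example, not code from the sandbox or the report. Process table and
API events are re-typed from this report's process tree and its
"Suspicious use of SetThreadContext / WriteProcessMemory" tables.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    image: str                    # image path as the report prints it
    parent: Optional[int] = None  # parent pid from the process tree
    cmdline: str = ""             # arguments, where the tree shows any


def basename(path: str) -> str:
    """Case-folded file name, so Explorer.EXE and explorer.exe compare equal."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Constructed sample: the process tree from this report.
PROCS: Dict[int, Proc] = {
    1380: Proc(1380, r"C:\Windows\Explorer.EXE"),
    1320: Proc(1320, r"C:\Users\Admin\AppData\Local\Temp\PAYMENT INSTRUCTIONS COPY.exe", parent=1380),
    520:  Proc(520,  r"C:\Users\Admin\AppData\Local\Temp\wljkjsd.exe", parent=1320,
               cmdline=r"C:\Users\Admin\AppData\Local\Temp\pgqbkgjy"),
    1960: Proc(1960, r"C:\Users\Admin\AppData\Local\Temp\wljkjsd.exe", parent=520,
               cmdline=r"C:\Users\Admin\AppData\Local\Temp\pgqbkgjy"),
    900:  Proc(900,  r"C:\Windows\SysWOW64\control.exe", parent=1380),
    1592: Proc(1592, r"C:\Windows\SysWOW64\cmd.exe", parent=900,
               cmdline=r'/c del "C:\Users\Admin\AppData\Local\Temp\wljkjsd.exe"'),
}

# Constructed sample: (api, source pid, target pid), de-duplicated, in report order.
# 1960 -> 1380 has no WriteProcessMemory event: the report shows MapViewOfSection
# for 1960 instead, so the detector must not require a write before the hijack.
EVENTS: List[Tuple[str, int, int]] = [
    ("WriteProcessMemory", 1320, 520),
    ("WriteProcessMemory", 520, 1960),
    ("SetThreadContext", 520, 1960),
    ("SetThreadContext", 1960, 1380),
    ("WriteProcessMemory", 1380, 900),
    ("SetThreadContext", 900, 1380),
    ("WriteProcessMemory", 900, 1592),
]

# Matches cmd.exe's "/c del <path>" with or without quotes around the path.
DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def analyze(procs: Dict[int, Proc], events: List[Tuple[str, int, int]]) -> list:
    """Return (tag, actor pid, target) findings describing the injection chain."""
    findings = []
    injectors = set()
    for api, src, dst in events:
        if api != "SetThreadContext":
            continue
        s, d = procs[src], procs[dst]
        injectors.add(src)
        if basename(s.image) == basename(d.image) and d.parent == src:
            # A parent redirecting the thread of its own freshly spawned copy
            # is process hollowing (the copy's code was replaced first).
            findings.append(("hollowing", src, dst))
        elif basename(d.image) == "explorer.exe":
            findings.append(("explorer_injection", src, dst))
            if s.parent == dst:
                # The injector was itself launched by Explorer: the FormBook/XLoader
                # relay through a legitimate Windows binary (here control.exe).
                findings.append(("relay", src, dst))

    # Anti-forensics: a cmd.exe spawned by an injector deleting an injector's binary.
    injector_names = {basename(procs[p].image) for p in injectors}
    for p in procs.values():
        m = DEL_RE.search(p.cmdline)
        if m and p.parent in injectors and basename(m.group(1)) in injector_names:
            findings.append(("cleanup", p.pid, basename(m.group(1))))
    return findings


if __name__ == "__main__":
    for tag, actor, target in analyze(PROCS, EVENTS):
        print(f"{tag:19} {actor} -> {target}")
```

Run on the report's events this yields hollowing 520 -> 1960, explorer_injection 1960 -> 1380, explorer_injection and relay 900 -> 1380, and cleanup 1592 -> wljkjsd.exe. The explorer_injection rule deliberately keys on SetThreadContext alone: requiring a preceding WriteProcessMemory would miss the 1960 -> 1380 step, which the report attributes to MapViewOfSection.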
Downloads
C:\Users\Admin\AppData\Local\Temp\etng0idfoqdhkohcnx7
  MD5: ffe7b026299c5738fc187b8bca749ef8
  SHA1: 57caa3dbdb4c1bac77272d2e0c6b3b93cf78c538
  SHA256: 0daff89a1913ded569975ca099ec16ea00a58d4e5cfdea33a3b52dc2e07d46d6
  SHA512: dc173e6ed76043e7c76ef6efb77c2d78d4baf7dc9da7b16d5f96ce8b6bf465a8d4d450287276825d016a6a03767543e464c8a2a7bc4c428826f2847d1cda9848

C:\Users\Admin\AppData\Local\Temp\pgqbkgjy
  MD5: a33814b64ecc9148ab1868b639f75be1
  SHA1: 4f510238bfe1f403b3bfe3499922bec93b507d99
  SHA256: 86797894904510b78874629fb9db43fa6a40b11deba5e4405bca62a439d7e79f
  SHA512: c8e6eb3ebc6408ce036fa7f76dce55df72d1ecb980b77a09cf29ec3bb0289e6fc812f1674781f3f8695e3272b704bb42d6947b1f20bc40ff0be15725f00caf27

C:\Users\Admin\AppData\Local\Temp\wljkjsd.exe  (one file; the report lists it five times, three with and two without the drive letter, all with identical hashes)
  MD5: ee563df427774a44926ed328f1380884
  SHA1: 334fe0d43590fe874d6400fb5abf20faadb26661
  SHA256: 31feeb18bb65c93ff4f1fe75825f1060d839aa7b9657df6d321b298cf45d324f
  SHA512: 673f2e2523fc62a131b585cd861db45bbf853747ea76161ae7e823832b965b81c209fc202ce15594ffcdafadf5ed9356af2f4330e04b0893a78ae0e8a6f32dda
Memory dumps (behavioral1):
  dump | size
  memory/900-71-0x00000000005E0000-0x00000000005FF000-memory.dmp | 124KB
  memory/900-74-0x0000000001D70000-0x0000000001E00000-memory.dmp | 576KB
  memory/900-73-0x0000000001FB0000-0x00000000022B3000-memory.dmp | 3.0MB
  memory/900-72-0x0000000000080000-0x00000000000A9000-memory.dmp | 164KB
  memory/1320-55-0x0000000074B21000-0x0000000074B23000-memory.dmp | 8KB
  memory/1380-69-0x0000000007040000-0x0000000007153000-memory.dmp | 1.1MB
  memory/1380-75-0x00000000042B0000-0x000000000434E000-memory.dmp | 632KB
  memory/1960-68-0x00000000002C0000-0x00000000002D1000-memory.dmp | 68KB
  memory/1960-67-0x000000000041D000-0x000000000041E000-memory.dmp | 4KB
  memory/1960-65-0x0000000000860000-0x0000000000B63000-memory.dmp | 3.0MB
  memory/1960-63-0x0000000000400000-0x0000000000429000-memory.dmp | 164KB

The two 164KB regions (1960-63 at 0x400000 in the hollowed wljkjsd.exe, 900-72 at 0x80000 in control.exe) are the dumps the xloader YARA rule matched under Signatures.
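When a report lists a dozen memory dumps, the ones worth pulling for unpacked-payload analysis are usually the regions whose size recurs in two different processes: the same blob written once into the hollowed copy and once into the injection target. The following is an added example, not code from the sandbox or this report: it parses the dump names above as a constructed sample, groups regions by size, keeps those present in more than one PID, and annotates each with whether a copy sits at the default 32-bit image base and which YARA rules hit it. The dump names, sizes and YARA hits are the report's; the parse_dump/triage helpers and the 0x400000 heuristic are this example's own.

```python
"""Correlate sandbox memory dumps across processes to locate the injected payload.

Added example, not code from the sandbox or the report. Dump names and YARA
hits are re-typed from this report; the heuristic (a region size that
recurs in two PIDs is one blob injected twice) is this example's own.
"""
import re
from collections import defaultdict
from typing import Dict, List

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

# Constructed sample: the memory dumps listed in this report.
DUMPS: List[str] = [
    "memory/900-71-0x00000000005E0000-0x00000000005FF000-memory.dmp",
    "memory/900-74-0x0000000001D70000-0x0000000001E00000-memory.dmp",
    "memory/900-73-0x0000000001FB0000-0x00000000022B3000-memory.dmp",
    "memory/900-72-0x0000000000080000-0x00000000000A9000-memory.dmp",
    "memory/1320-55-0x0000000074B21000-0x0000000074B23000-memory.dmp",
    "memory/1380-69-0x0000000007040000-0x0000000007153000-memory.dmp",
    "memory/1380-75-0x00000000042B0000-0x000000000434E000-memory.dmp",
    "memory/1960-68-0x00000000002C0000-0x00000000002D1000-memory.dmp",
    "memory/1960-67-0x000000000041D000-0x000000000041E000-memory.dmp",
    "memory/1960-65-0x0000000000860000-0x0000000000B63000-memory.dmp",
    "memory/1960-63-0x0000000000400000-0x0000000000429000-memory.dmp",
]

# Constructed sample: the "Xloader Payload" YARA hits from this report.
YARA_HITS: Dict[str, str] = {
    "memory/1960-63-0x0000000000400000-0x0000000000429000-memory.dmp": "xloader",
    "memory/900-72-0x0000000000080000-0x00000000000A9000-memory.dmp": "xloader",
}

DEFAULT_IMAGE_BASE = 0x400000  # linker default for 32-bit EXEs; a hollowed copy lands here


def parse_dump(name: str) -> dict:
    """Split a sandbox dump name into pid, sequence number and address range."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"name": name, "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def size_label(n: int) -> str:
    """Same rounding the report uses: whole KB below 1 MB, one decimal MB above."""
    return f"{n / 2**20:.1f}MB" if n >= 2**20 else f"{n // 1024}KB"


def triage(dumps: List[str], yara_hits: Dict[str, str]) -> List[dict]:
    """Regions whose exact size appears in more than one process, smallest first."""
    by_size = defaultdict(list)
    for d in map(parse_dump, dumps):
        by_size[d["size"]].append(d)
    out = []
    for size, regions in sorted(by_size.items()):
        if len({r["pid"] for r in regions}) < 2:
            continue  # private to one process: heap, stack, a slice of a loaded DLL
        out.append({
            "size": size,
            "label": size_label(size),
            "copies": [(r["pid"], r["start"]) for r in sorted(regions, key=lambda r: r["pid"])],
            "at_image_base": any(r["start"] == DEFAULT_IMAGE_BASE for r in regions),
            "yara": {yara_hits[r["name"]] for r in regions if r["name"] in yara_hits},
        })
    return out


if __name__ == "__main__":
    for r in triage(DUMPS, YARA_HITS):
        where = ", ".join(f"pid {p} @ 0x{a:X}" for p, a in r["copies"])
        print(f"{r['label']:>6}  {where}  image_base={r['at_image_base']}  yara={sorted(r['yara'])}")
```

On this report the script returns two candidates: the 164KB region (pid 900 at 0x80000, pid 1960 at 0x400000) with the xloader YARA hit on both copies, and a 3.0MB region (pid 900 at 0x1FB0000, pid 1960 at 0x860000) that no rule matched but that is the same size in both processes and so worth a look alongside the payload. The copy at 0x400000 is the one to treat as the primary unpacked sample, since it has not been relocated.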