Analysis

- Max time kernel: 150s
- Max time network: 153s
- Platform: windows10-2004_x64
- Resource: win10v2004-en-20220113
- Submitted: 25-02-2022 09:29

Static task: static1
Behavioral task: behavioral1
- Sample: PAYMENT INSTRUCTIONS COPY.exe
- Resource: win7-en-20211208

Note that the memory dumps and yara hits further down are labelled behavioral2, a task that is not listed in this header.
General

- Target: PAYMENT INSTRUCTIONS COPY.exe
- Size: 338KB
- MD5: c3ed9e3e0a175a9b8cf5cf02598e99b1
- SHA1: 444452c7815dc8fb47ad829af43ec0527f6bcc57
- SHA256: 37fb6b86524033fb07847e3550977bd8028701039465431bd89a33e870ff2c4d
- SHA512: 632e314f921bf8a13f2f04aa2270b87fa7e29f00e35d941260f24c1d08b1bcfae8b58823629bed3d2c5d6bf480619c8aa97523ca33d1d68ce3ea2a90bd3fd363
Malware Config

Extracted
- Family: xloader
- Version: 2.5
- Campaign ID: yrcy
- Domain list (65 entries). XLoader, like FormBook before it, embeds its live C2 domain among a long list of decoys, and several of the decoys are ordinary legitimate sites. The list is usable for hunting and for proxy blocking, but no single entry should be reported as "the C2" without a matching network hit:

sturlabas.com
tantrungcompany.com
wildgraceyogahealing.com
wsparalegal.com
8xhgq.xyz
mysaylav.com
amelntl.net
cooleshow.online
adventuresbydisneyathome.com
sprinklekart.com
prostitutkitambovasuck.info
pakdao.com
finsith.com
nightpartner82.xyz
sex9a4ufbj.com
ketohousee.com
mairie-les-cammazes.com
elebots.xyz
highqualityremodeling.net
teamsterslocal553.com
rws3.xyz
ngucocloisua.online
waiting-game.com
chauffeureddriven.com
makemusictemecula.com
17taol.com
big-swindle.com
surveycourses.com
my-safqati.com
gn-powerplants.com
colorgameph.com
jaysingpurchessacademy.com
onlinedon.net
sebashtiana.com
vitamincfood.com
thesportcollective.com
tradableassettokens.com
worldhealthnutrition.com
let-value.com
tanyademby.com
tollesonhouses.com
puzzleadventure.city
mindsetolimpionico.com
krakenind.com
investorsbak.com
tenloe049.xyz
gooddeals4u.online
adelphosformacao.com
cyndeiversondesigns.com
hrofmdieh.com
volucercab.com
bitcoindatai.com
gokelmining.com
magicbasketbourse.net
myblessedgeneration.com
super-trade.online
onevishnu.online
ctr-expert.com
globalitinfra.com
lickmychili.com
0xbot.net
91aaa.net
b3yg6g.com
ruleship.com
lifescreativeflow.com
Signatures

- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)

(The Emerging Threats FormBook rule fires for XLoader as well: XLoader is FormBook's successor and keeps the same HTTP check-in format.)

Xloader Payload (3 IoCs)
Memory regions matching the xloader yara rule:
- behavioral2/memory/3028-134-0x0000000000400000-0x0000000000429000-memory.dmp
- behavioral2/memory/3028-137-0x0000000000400000-0x0000000000429000-memory.dmp
- behavioral2/memory/4004-143-0x0000000000900000-0x0000000000929000-memory.dmp

All three regions are 0x29000 bytes. The 3028 dumps sit at 0x400000, the default 32-bit image base, which is consistent with the second wljkjsd.exe instance having been hollowed by 2704 and the unpacked payload written over its own image; the 4004 dump is the same-sized copy injected into netsh.exe.

Executes dropped EXE (2 IoCs)
- PID 2704 wljkjsd.exe
- PID 3028 wljkjsd.exe

Suspicious use of SetThreadContext (3 IoCs)
- PID 2704 wljkjsd.exe -> PID 3028 wljkjsd.exe
- PID 3028 wljkjsd.exe -> PID 2416 Explorer.EXE
- PID 4004 netsh.exe -> PID 2416 Explorer.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches a generic "likely ransomware behaviour" note to this signature; nothing else in this report (no file encryption, no ransom note, no mass file writes) supports that reading for this sample, and for an information stealer such as XLoader, drive enumeration is more consistent with environment fingerprinting. Treat the TTP as observed and the ransomware label as not applicable.
Suspicious behavior: EnumeratesProcesses (62 IoCs)
- PID 3028 wljkjsd.exe (4 hits)
- PID 4004 netsh.exe (the remaining 58 hits)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 2416 Explorer.EXE (fires from the code injected into Explorer, not from Explorer's own behaviour)

Suspicious behavior: MapViewOfSection (5 IoCs)
- PID 3028 wljkjsd.exe (3 hits)
- PID 4004 netsh.exe (2 hits)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- PID 3028 wljkjsd.exe: Token: SeDebugPrivilege
- PID 4004 netsh.exe: Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (15 IoCs)
- PID 1480 PAYMENT INSTRUCTIONS COPY.exe -> PID 2704 wljkjsd.exe (3 hits)
- PID 2704 wljkjsd.exe -> PID 3028 wljkjsd.exe (6 hits)
- PID 2416 Explorer.EXE -> PID 4004 netsh.exe (3 hits)
- PID 4004 netsh.exe -> PID 4364 cmd.exe (3 hits)

Three writes per parent-to-child pair is what ordinary process creation looks like in this sandbox's reports; the six from 2704 into 3028 are the extra writes that place the payload into the hollowed child.
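The "Processes:" lines in this report are flattened one-record-per-hit dumps, which is fine for three hits and useless for sixty. The following added example (not part of the report, and not Tria.ge tooling) parses the SetThreadContext and WriteProcessMemory lines from this page into a counted edge list. The record layout it assumes (one "PID <src> <verb> <dst> <src> <src name> <dst name>" record per hit, names that may contain spaces but end in .exe, an optional trailing " -" separator) is inferred from the page; the six identical 2704 -> 3028 records are written as a repeat rather than spelled out.

```python
"""Parse Tria.ge's flattened "Processes:" signature lines into an edge list."""
import re
from collections import Counter

# Two signature lines from this report, copied from the page.  The six
# identical 2704 -> 3028 records are produced with a string repeat.
BLOBS = [
    "wljkjsd.exewljkjsd.exenetsh.exedescription pid process target process "
    "PID 2704 set thread context of 3028 2704 wljkjsd.exe wljkjsd.exe "
    "PID 3028 set thread context of 2416 3028 wljkjsd.exe Explorer.EXE "
    "PID 4004 set thread context of 2416 4004 netsh.exe Explorer.EXE -",
    "PAYMENT INSTRUCTIONS COPY.exewljkjsd.exeExplorer.EXEnetsh.exedescription pid process target process "
    + "PID 1480 wrote to memory of 2704 1480 PAYMENT INSTRUCTIONS COPY.exe wljkjsd.exe " * 3
    + "PID 2704 wrote to memory of 3028 2704 wljkjsd.exe wljkjsd.exe " * 6
    + "PID 2416 wrote to memory of 4004 2416 Explorer.EXE netsh.exe " * 3
    + "PID 4004 wrote to memory of 4364 4004 netsh.exe cmd.exe " * 3,
]

# Assumed record layout: "<src> <verb> <dst> <src> <src name> <dst name>".
# Names may contain spaces ("PAYMENT INSTRUCTIONS COPY.exe") but end in .exe,
# so two non-greedy ".exe"-terminated groups split them unambiguously.
RECORD = re.compile(
    r"^(\d+) (set thread context of|wrote to memory of) (\d+) (\d+) (.+?\.exe) (.+?\.exe)\s*$",
    re.IGNORECASE,
)


def parse_edges(blob):
    """Return Counter{(verb, src_pid, src_name, dst_pid, dst_name): hits}."""
    edges = Counter()
    # Everything before the first "PID " is the flattened column header;
    # rstrip removes the page's trailing " -" separator when present.
    for piece in blob.rstrip(" -").split("PID ")[1:]:
        m = RECORD.match(piece)
        if not m or m.group(1) != m.group(4):  # the source pid is repeated in every record
            raise ValueError(f"unparsed record: {piece!r}")
        src, verb, dst, _, src_name, dst_name = m.groups()
        edges[(verb.lower(), int(src), src_name, int(dst), dst_name)] += 1
    return edges


def summarize(blobs):
    """Merge the edge counts of several signature lines."""
    total = Counter()
    for blob in blobs:
        total.update(parse_edges(blob))
    return total


def render(edges):
    """One line per distinct edge, most-hit first, ready for a ticket or a graph."""
    return [
        f"{src} {src_name} --{verb}--> {dst} {dst_name} x{n}"
        for (verb, src, src_name, dst, dst_name), n in edges.most_common()
    ]


if __name__ == "__main__":
    print("\n".join(render(summarize(BLOBS))))
```

Feeding the two lines through `summarize` gives 18 hits over 7 distinct edges; the 6-hit 2704 -> 3028 edge stands out immediately as the hollowing write, which the flattened text hides.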
Processes

Tree as recorded by the sandbox (indentation follows the original depth markers; PIDs are taken from the signature entries above, which is why the two autoconv.exe instances have none):

C:\Windows\Explorer.EXE  (PID 2416)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\PAYMENT INSTRUCTIONS COPY.exe  (PID 1480)
    command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENT INSTRUCTIONS COPY.exe"
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\wljkjsd.exe  (PID 2704)
      command line: C:\Users\Admin\AppData\Local\Temp\wljkjsd.exe C:\Users\Admin\AppData\Local\Temp\pgqbkgjy
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\wljkjsd.exe  (PID 3028)
        command line: C:\Users\Admin\AppData\Local\Temp\wljkjsd.exe C:\Users\Admin\AppData\Local\Temp\pgqbkgjy
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\autoconv.exe
    command line: "C:\Windows\SysWOW64\autoconv.exe"
    (no signatures attached)

  C:\Windows\SysWOW64\autoconv.exe
    command line: "C:\Windows\SysWOW64\autoconv.exe"
    (no signatures attached)

  C:\Windows\SysWOW64\netsh.exe  (PID 4004)
    command line: "C:\Windows\SysWOW64\netsh.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 4364)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\wljkjsd.exe"

Reading the tree together with the signatures: the sample drops wljkjsd.exe and the blob pgqbkgjy, runs wljkjsd.exe with pgqbkgjy as its argument, and that instance (2704) spawns a second copy of itself and writes into it with SetThreadContext (3028), where the xloader yara rule then matches. The second copy injects into Explorer.EXE; injected Explorer launches system binaries with bare command lines (autoconv.exe twice, then netsh.exe) and writes into netsh.exe, which carries the same payload region, becomes the resident process, and finally removes the dropped wljkjsd.exe through cmd.exe. Bare-argument System32/SysWOW64 binaries under Explorer and a "del" of a Temp executable are the cheapest hunting hooks in this chain.
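Detection logic for the chain described above, as an added example that is not part of the sandbox report. The events are constructed Sysmon-style records: the PIDs, image paths and command lines come from this report, while the event shapes (Event ID 1 ProcessCreate, Event ID 10 ProcessAccess with a GrantedAccess mask), Explorer's own parent and the two benign control events are assumptions. Sysmon does not log SetThreadContext (a thread-handle operation), so the rule keys on process handles opened with PROCESS_VM_OPERATION|PROCESS_VM_WRITE by code running from a user-writable path, followed by that process (or anything it injected into) launching a System32/SysWOW64 binary with a bare command line, and that binary deleting a file under AppData via cmd.exe.

```python
"""Flag an XLoader-style hollowing/injection chain in Sysmon-like telemetry."""
import re

# Process access rights a WriteProcessMemory-based injector needs on the target.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
SYSTEM_BINARY = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\[^\\]+\.exe$", re.IGNORECASE)
DELETES_USER_FILE = re.compile(r"\bdel\b.*\\AppData\\", re.IGNORECASE)

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
# Constructed events in chronological order; id 1 = ProcessCreate, id 10 = ProcessAccess.
# Explorer's ppid of 0 and the last two (benign) events are assumptions.
EVENTS = [
    {"id": 1, "pid": 2416, "ppid": 0, "image": r"C:\Windows\Explorer.EXE",
     "cmd": r"C:\Windows\Explorer.EXE"},
    {"id": 1, "pid": 1480, "ppid": 2416, "image": TEMP + r"\PAYMENT INSTRUCTIONS COPY.exe",
     "cmd": f'"{TEMP}\\PAYMENT INSTRUCTIONS COPY.exe"'},
    {"id": 1, "pid": 2704, "ppid": 1480, "image": TEMP + r"\wljkjsd.exe",
     "cmd": f"{TEMP}\\wljkjsd.exe {TEMP}\\pgqbkgjy"},
    {"id": 10, "src": 1480, "tgt": 2704, "granted": 0x1FFFFF},
    {"id": 1, "pid": 3028, "ppid": 2704, "image": TEMP + r"\wljkjsd.exe",
     "cmd": f"{TEMP}\\wljkjsd.exe {TEMP}\\pgqbkgjy"},
    {"id": 10, "src": 2704, "tgt": 3028, "granted": 0x1FFFFF},
    {"id": 10, "src": 3028, "tgt": 2416, "granted": 0x1FFFFF},   # into Explorer
    {"id": 1, "pid": 4004, "ppid": 2416, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmd": r'"C:\Windows\SysWOW64\netsh.exe"'},                  # bare command line
    {"id": 10, "src": 2416, "tgt": 4004, "granted": 0x1FFFFF},   # Explorer -> netsh
    {"id": 10, "src": 4004, "tgt": 2416, "granted": 0x1FFFFF},
    {"id": 1, "pid": 4364, "ppid": 4004, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": f'/c del "{TEMP}\\wljkjsd.exe"'},
    # Benign controls: Explorer opening a document, a tool querying Explorer read-only.
    {"id": 1, "pid": 5000, "ppid": 2416, "image": r"C:\Windows\System32\notepad.exe",
     "cmd": r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\notes.txt'},
    {"id": 10, "src": 5000, "tgt": 2416, "granted": 0x1000},
]


def detect_injection_chain(events):
    """Single pass over events; returns {"tainted", "hollowed", "findings"}.

    tainted : PIDs running from a user-writable path, or opened with injection
              rights by an already-tainted process (taint propagates)
    hollowed: System32/SysWOW64 binaries a tainted parent spawned with a bare
              command line (spawn-suspended-then-overwrite pattern)
    findings: human-readable trail in the order the chain was observed
    """
    procs, tainted, hollowed, findings = {}, set(), set(), []
    for e in events:
        if e["id"] == 1:
            procs[e["pid"]] = e
            img, cmd = e["image"], e["cmd"].strip().strip('"')
            if USER_WRITABLE.match(img):
                tainted.add(e["pid"])
            if e["ppid"] in tainted and SYSTEM_BINARY.match(img) and cmd.lower() == img.lower():
                hollowed.add(e["pid"])
                tainted.add(e["pid"])
                findings.append(f"hollow: {e['ppid']} spawned bare {img} as {e['pid']}")
            if (e["ppid"] in hollowed and img.lower().endswith("\\cmd.exe")
                    and DELETES_USER_FILE.search(e["cmd"])):
                findings.append(f"cleanup: {e['ppid']} ran cmd.exe {e['cmd']}")
        elif e["id"] == 10 and e["src"] in tainted and e["granted"] & INJECT_RIGHTS == INJECT_RIGHTS:
            if e["tgt"] not in tainted:
                tainted.add(e["tgt"])
                tgt_img = procs.get(e["tgt"], {}).get("image", "?")
                findings.append(f"inject: {e['src']} -> {e['tgt']} ({tgt_img})")
    return {"tainted": tainted, "hollowed": hollowed, "findings": findings}


if __name__ == "__main__":
    for line in detect_injection_chain(EVENTS)["findings"]:
        print(line)
```

On these events the rule yields three findings, in order: the injection from 3028 into Explorer.EXE, Explorer spawning netsh.exe with a bare command line, and netsh.exe's cmd.exe deleting the dropper. notepad.exe is spawned by the same (tainted) Explorer but carries a document argument, so it is not reported, and the read-only handle to Explorer never propagates taint. The bare-command-line test is deliberately strict; in production you would also want to allow for the few legitimate argument-less children Explorer launches.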
Downloads

Dropped files (the report lists wljkjsd.exe three times with identical hashes; one entry is kept):

C:\Users\Admin\AppData\Local\Temp\etng0idfoqdhkohcnx7
- MD5: ffe7b026299c5738fc187b8bca749ef8
- SHA1: 57caa3dbdb4c1bac77272d2e0c6b3b93cf78c538
- SHA256: 0daff89a1913ded569975ca099ec16ea00a58d4e5cfdea33a3b52dc2e07d46d6
- SHA512: dc173e6ed76043e7c76ef6efb77c2d78d4baf7dc9da7b16d5f96ce8b6bf465a8d4d450287276825d016a6a03767543e464c8a2a7bc4c428826f2847d1cda9848

C:\Users\Admin\AppData\Local\Temp\pgqbkgjy (passed as the argument to wljkjsd.exe)
- MD5: a33814b64ecc9148ab1868b639f75be1
- SHA1: 4f510238bfe1f403b3bfe3499922bec93b507d99
- SHA256: 86797894904510b78874629fb9db43fa6a40b11deba5e4405bca62a439d7e79f
- SHA512: c8e6eb3ebc6408ce036fa7f76dce55df72d1ecb980b77a09cf29ec3bb0289e6fc812f1674781f3f8695e3272b704bb42d6947b1f20bc40ff0be15725f00caf27

C:\Users\Admin\AppData\Local\Temp\wljkjsd.exe
- MD5: ee563df427774a44926ed328f1380884
- SHA1: 334fe0d43590fe874d6400fb5abf20faadb26661
- SHA256: 31feeb18bb65c93ff4f1fe75825f1060d839aa7b9657df6d321b298cf45d324f
- SHA512: 673f2e2523fc62a131b585cd861db45bbf853747ea76161ae7e823832b965b81c209fc202ce15594ffcdafadf5ed9356af2f4330e04b0893a78ae0e8a6f32dda

Memory dumps (grouped by PID; the file name encodes PID, dump index and address range):

- memory/2416-141-0x0000000007C20000-0x0000000007D40000-memory.dmp  1.1MB
- memory/2416-146-0x0000000007D40000-0x0000000007EA9000-memory.dmp  1.4MB
- memory/3028-134-0x0000000000400000-0x0000000000429000-memory.dmp  164KB  (xloader yara match)
- memory/3028-137-0x0000000000400000-0x0000000000429000-memory.dmp  164KB  (xloader yara match)
- memory/3028-138-0x0000000000AA0000-0x0000000000DEA000-memory.dmp  3.3MB
- memory/3028-139-0x000000000041D000-0x000000000041E000-memory.dmp  4KB
- memory/3028-140-0x0000000000510000-0x0000000000521000-memory.dmp  68KB
- memory/4004-142-0x00000000010D0000-0x00000000010EE000-memory.dmp  120KB
- memory/4004-143-0x0000000000900000-0x0000000000929000-memory.dmp  164KB  (xloader yara match)
- memory/4004-144-0x00000000012A0000-0x00000000015EA000-memory.dmp  3.3MB
- memory/4004-145-0x0000000001000000-0x0000000001090000-memory.dmp  576KB

The three 164KB (0x29000-byte) dumps are the unpacked payload and are the ones to pull for re-scanning with your own rules or for config extraction; the 4KB dump 3028-139 is a single page inside that same image. The 3.3MB regions in 3028 and 4004 are also identical in size (0x34A000), and the two Explorer.EXE regions are adjacent (0x7C20000 through 0x7EA9000), i.e. one allocation holding the code injected into Explorer.