Analysis
- max time kernel: 159s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 01-03-2022 20:37
Static task: static1
Behavioral task: behavioral1
Sample: comprovante de pagamento.exe
Resource: win7-20220223-en
General
- Target: comprovante de pagamento.exe
- Size: 339KB
- MD5: cfddc31fa56b6e1a80f29386769bd19e
- SHA1: 78b41e3c049f5dca11aa3c9679f757461cabea7d
- SHA256: a65fa640ac023cb2207b4707ca53b54ac80fab579b1ab598637850a003b4f2e4
- SHA512: 7b4273d4d8cfd5cbe9234dd459c50f56b34978535c9e7480afce28396623da3586dcf7e6011496881774c6ebc4382a61293b230216bfb252385c3b6e290b55cd
Malware Config
Extracted
xloader
2.5
cbgo
Signatures
Xloader Payload (2 IoCs)
Processes (resource, yara_rule):
- behavioral2/memory/3708-134-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
- behavioral2/memory/836-142-0x00000000032D0000-0x00000000032F9000-memory.dmp: xloader
Executes dropped EXE (2 IoCs)
Processes (pid, process):
- 372 kefkdcbcrz.exe
- 3708 kefkdcbcrz.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes (description, pid, process, target process):
- PID 372 set thread context of 3708: kefkdcbcrz.exe -> kefkdcbcrz.exe
- PID 3708 set thread context of 2492: kefkdcbcrz.exe -> Explorer.EXE
- PID 836 set thread context of 2492: cmstp.exe -> Explorer.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (58 IoCs)
Processes (pid, process):
- 3708 kefkdcbcrz.exe (4 entries)
- 836 cmstp.exe (the remaining 54 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid, process):
- 2492 Explorer.EXE
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes (pid, process):
- 3708 kefkdcbcrz.exe (3 entries)
- 836 cmstp.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege 3708 kefkdcbcrz.exe
- Token: SeDebugPrivilege 836 cmstp.exe
- Token: SeShutdownPrivilege 2492 Explorer.EXE
- Token: SeCreatePagefilePrivilege 2492 Explorer.EXE
Suspicious use of WriteProcessMemory (15 IoCs)
Processes (description, pid, process, target process):
- PID 332 wrote to memory of 372: comprovante de pagamento.exe -> kefkdcbcrz.exe (3 entries)
- PID 372 wrote to memory of 3708: kefkdcbcrz.exe -> kefkdcbcrz.exe (6 entries)
- PID 2492 wrote to memory of 836: Explorer.EXE -> cmstp.exe (3 entries)
- PID 836 wrote to memory of 1132: cmstp.exe -> cmd.exe (3 entries)
Processes (tree level in brackets)
[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\comprovante de pagamento.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\comprovante de pagamento.exe"
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe
            command line: C:\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe C:\Users\Admin\AppData\Local\Temp\xsytq
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe
                command line: C:\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe C:\Users\Admin\AppData\Local\Temp\xsytq
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\cmstp.exe
        command line: "C:\Windows\SysWOW64\cmstp.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: /c del "C:\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\bs5210ina7o23q4wlv
  MD5: 635788a319cc804f7eee6cc85484994d
  SHA1: ec66c3089a7ef4905248ea91d5fd5406e081deb0
  SHA256: cbfa82c018690de266af6d720c9916dd8236d5f12d65c31fb7bf5c95b4e0a43c
  SHA512: f8fb2daeedb1a92b0e206009155f29cde504de7cba69935d47ee63c96fe2734c93becf199adcca6da53357824024ed9636696b08bf9669a4024b2fb5bd8f17ba
- C:\Users\Admin\AppData\Local\Temp\kefkdcbcrz.exe
  MD5: 22c779f0c5c8e47aea06b03bdd12ef77
  SHA1: 14b36e7d3841575db9fceb8a635082cf3447ce25
  SHA256: 1a7a06bea18bf2f36247341bc182cc1aecb1a9be28accb4d559e3e667957d0d3
  SHA512: 10b2be6b4ca0b87ad0f2f31aace7aaac7340b7ab83dd9770f5f3e7fe3e1b9b62194e5721aeea3971d502b374d664fdbe9555540205be80aa7c197cbf146a3c74
- C:\Users\Admin\AppData\Local\Temp\xsytq
  MD5: b56fe160e90745d86c9ee74fd026e134
  SHA1: 2231d8dc79fa27334de455ed5fe3d081490bbc77
  SHA256: cf9939352d9884929da9a22c416be384d658efdb818b1da7b257875e7c894a98
  SHA512: 497604bf3a074f5affa3c52afd69f69db0b44fe1e6d5752a036c4c95ad7e869954f6d69201d54af087bf4583e71e40414260a70ca7db75832d8ae7b75312529e
Memory dumps (file, size):
- memory/836-144-0x0000000005030000-0x00000000050C0000-memory.dmp: 576KB
- memory/836-143-0x0000000005300000-0x000000000564A000-memory.dmp: 3.3MB
- memory/836-142-0x00000000032D0000-0x00000000032F9000-memory.dmp: 164KB
- memory/836-141-0x0000000000E30000-0x0000000000E46000-memory.dmp: 88KB
- memory/2492-140-0x0000000008CE0000-0x0000000008E26000-memory.dmp: 1.3MB
- memory/2492-145-0x0000000008F60000-0x0000000009071000-memory.dmp: 1.1MB
- memory/3708-139-0x00000000014A0000-0x00000000014B1000-memory.dmp: 68KB
- memory/3708-137-0x00000000015D0000-0x000000000191A000-memory.dmp: 3.3MB
- memory/3708-138-0x000000000041D000-0x000000000041E000-memory.dmp: 4KB
- memory/3708-134-0x0000000000400000-0x0000000000429000-memory.dmp: 164KB