Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 16-08-2022 06:53

Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample: Invoice&shipments documents.exe; resource: win7-20220812-en)
General
- Target: Invoice&shipments documents.exe
- Size: 68KB
- MD5: 851f82e1941a676ce825320ebff94857
- SHA1: 30b9dbf2b97c20401b42188a335897994bce073e
- SHA256: 724856634d2e8796b6f0b6950ebdf98d32679ed73a8a65b995447ecd9098a0dc
- SHA512: 33f78bad1244d8c4859c1ed2f2276d10e821b14485213291cdb8d546415177884e8dfa710cbc48937d62eb8d75716b212c5811e5499a97de9de2a9cca83a408e
Malware Config
Extracted: xloader 2.9, campaign ID v4qp
erilb.com
Signatures

Xloader payload (5 IoCs)
Matching YARA rule "xloader" on the following memory dumps:
- behavioral1/memory/1708-65-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/1708-66-0x000000000041F6E0-mapping.dmp
- behavioral1/memory/1708-68-0x0000000000400000-0x000000000042C000-memory.dmp
- behavioral1/memory/1624-75-0x0000000000090000-0x00000000000BC000-memory.dmp
- behavioral1/memory/1624-80-0x0000000000090000-0x00000000000BC000-memory.dmp

Blocklisted process makes network request (1 IoCs)
- flow 18, PID 1624, msiexec.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
- Process Invoice&shipments documents.exe set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idmczmd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Dnrhb\\Idmczmd.exe\""

Suspicious use of SetThreadContext (3 IoCs)
- PID 1132 (Invoice&shipments documents.exe) set thread context of PID 1708 (InstallUtil.exe)
- PID 1708 (InstallUtil.exe) set thread context of PID 1212 (Explorer.EXE)
- PID 1624 (msiexec.exe) set thread context of PID 1212 (Explorer.EXE)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (24 IoCs)
- PID 756 powershell.exe (1 entry)
- PID 1132 Invoice&shipments documents.exe (2 entries)
- PID 1708 InstallUtil.exe (2 entries)
- PID 1624 msiexec.exe (remaining 19 entries)

Suspicious behavior: MapViewOfSection (5 IoCs)
- PID 1708 InstallUtil.exe (3 entries)
- PID 1624 msiexec.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Token SeDebugPrivilege acquired by:
- PID 1132 Invoice&shipments documents.exe
- PID 756 powershell.exe
- PID 1708 InstallUtil.exe
- PID 1624 msiexec.exe

Suspicious use of WriteProcessMemory (25 IoCs)
- PID 1132 (Invoice&shipments documents.exe) wrote to memory of PID 756 (powershell.exe): 4 entries
- PID 1132 (Invoice&shipments documents.exe) wrote to memory of PID 1708 (InstallUtil.exe): 10 entries
- PID 1212 (Explorer.EXE) wrote to memory of PID 1624 (msiexec.exe): 7 entries
- PID 1624 (msiexec.exe) wrote to memory of PID 1704 (cmd.exe): 4 entries
Processes

Process tree (depth shown by indentation):

1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Invoice&shipments documents.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice&shipments documents.exe"
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAOAA=
         (the -enc argument decodes to: Start-Sleep -Seconds 8)
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\msiexec.exe
      Command line: "C:\Windows\SysWOW64\msiexec.exe"
      - Blocklisted process makes network request
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads (memory dumps, with file size where reported)
- memory/756-58-0x0000000000000000-mapping.dmp
- memory/756-61-0x000000006EED0000-0x000000006F47B000-memory.dmp: 5.7MB
- memory/756-60-0x000000006EED0000-0x000000006F47B000-memory.dmp: 5.7MB
- memory/1132-54-0x0000000000DA0000-0x0000000000DB6000-memory.dmp: 88KB
- memory/1132-57-0x00000000041C0000-0x00000000041EA000-memory.dmp: 168KB
- memory/1132-56-0x0000000005910000-0x0000000005ABE000-memory.dmp: 1.7MB
- memory/1132-55-0x0000000075561000-0x0000000075563000-memory.dmp: 8KB
- memory/1212-81-0x00000000060C0000-0x0000000006218000-memory.dmp: 1.3MB
- memory/1212-79-0x00000000060C0000-0x0000000006218000-memory.dmp: 1.3MB
- memory/1212-71-0x0000000005F70000-0x00000000060B6000-memory.dmp: 1.3MB
- memory/1624-80-0x0000000000090000-0x00000000000BC000-memory.dmp: 176KB
- memory/1624-78-0x0000000000A50000-0x0000000000AE0000-memory.dmp: 576KB
- memory/1624-77-0x0000000002340000-0x0000000002643000-memory.dmp: 3.0MB
- memory/1624-74-0x0000000000F20000-0x0000000000F34000-memory.dmp: 80KB
- memory/1624-75-0x0000000000090000-0x00000000000BC000-memory.dmp: 176KB
- memory/1624-72-0x0000000000000000-mapping.dmp
- memory/1704-76-0x0000000000000000-mapping.dmp
- memory/1708-70-0x0000000000160000-0x0000000000171000-memory.dmp: 68KB
- memory/1708-69-0x0000000000A40000-0x0000000000D43000-memory.dmp: 3.0MB
- memory/1708-68-0x0000000000400000-0x000000000042C000-memory.dmp: 176KB
- memory/1708-66-0x000000000041F6E0-mapping.dmp
- memory/1708-65-0x0000000000400000-0x000000000042C000-memory.dmp: 176KB
- memory/1708-63-0x0000000000400000-0x000000000042C000-memory.dmp: 176KB
- memory/1708-62-0x0000000000400000-0x000000000042C000-memory.dmp: 176KB