Analysis
-
max time kernel
300s -
max time network
301s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system -
submitted
10-01-2023 13:45
Static task
static1
Behavioral task
behavioral1
Sample
Invoice NO 22073895.exe
Resource
win7-20221111-en
General
-
Target
Invoice NO 22073895.exe
-
Size
486KB
-
MD5
85cd688a9fee95b88b94b6879039201f
-
SHA1
0843488b993fd26651cff415ac5a43c593defa25
-
SHA256
4d3261b30e45d9577916b421a9b829836e955a9be539866aa29d21aad01283c1
-
SHA512
9ed65a00f4e6c276b18778feac6140759ebbc159d15c4c20280ff13b1887c73ec4fc88a38abe0f8e0d75ec0e5a5acf82478472b761247bee1357d130bf80ab45
-
SSDEEP
12288:AYn68Ex+E5Z8kJqeKPMwwOfGo5KNfhtDuCytMi4zaaKL:AYn6DAEgIqecuo5KbsCy6igbG
Malware Config
Extracted
formbook
poub
WY0eksfISzRg4O6c+opnGL6gaw==
moRjn9ExtYi8UmUo+Tya
2vME+GedoxzFnuLXesUoVj4=
EvW4JWJ1NQ8nN3tA3SM=
2mK9efMZMgN1VOs=
8d0jua5b0J6AQEW7
/2cyThOd37DSTYMASDye4Q0t/Vs=
ral+tbIh2KKAQEW7
YLY9jsPtYB/FRmMo+Tya
R1WcElWAMtFxFrVqtZT2ZpIS9xRZNho=
KFXGg/T1pCC9GjrxUPTcjw==
8mMlK5nDwjjPFTP5jMtAtQ0t/Vs=
c7am8nhhlCo=
UW91trZj6dENxuRdpxOvW1Cf
sjOMUcvq6lYJCZEfV4euFzY=
62nBgPjdmWQkmWElww==
64E8JqA1aruSUvw=
NqI1reXpcR+REye0
8+y1oOsbjgSyEhjXUPTcjw==
Rx9by8gNBwN1VOs=
Muif0yE4CQN1VOs=
VEt6//SsIukFo46EOTs=
Z8su52MYL67C
usDwuHRs8/KlWg==
idmltXXu7XAgHLE/UPTcjw==
QPrxO2shWNiGexGboHDSRqBQ1TBd
hq9rqBND8/KlWg==
QS9iHFx08/KlWg==
v1soVFoThEdt/B/dK0v4+6Wb
7rqJytN13KKAQEW7
OWbeN2SDJwonsI6EOTs=
aqQrrKZDm16GMlAtvxavW1Cf
imnEZWIEbC4M8Q+i
Bry3oQg5+6ZaUNxzwg==
B3vYmyxPQS5XYvmCsqQXX8X948Zf
KbGBmwwCyKTKsUcRUNN6CD61aw==
2WpDae4P+W4cdqc8kPBcjqg0wS1X
MvkZLPRY25jI
Alr0VZGxYxG3dR/zSNjBhQ==
ZJkdjczlrF+8l0Os
dcmMkFm+QhFD4OM=
fMdUrd4J1n4mmWElww==
Gat+k1fHg11vTQ==
sn+7Q4uxaAu9FyGv7k24F1DWaBEvmRI=
CjvGRTnXOhtN6QSNxhmvW1Cf
CpHvP2VSxaKAQEW7
qQWkEUJYFKhPttOZ4MarX8KKLl+/Jg==
GNVP4yIy8/KlWg==
pqfVAERhYxN7YPM=
9nS5b/AGCpZNAfZj1A==
a3GcpSND8/KlWg==
fin6NmQXayreIOrzPyw=
EjdROfeTsDPVH+rzPyw=
DO4xD8nURBwM8Q+i
+p/LQHFh0KOAQEW7
iNos10QpwjvjvFrXJYtYFiuHdA==
SX//aFP4Yi5T6NbcKQr07J6e
2NKh0dNr52sTdH4OSNjBhQ==
ZMSJmgsxFrlp5fnecrgeVYcP4xRZNho=
oXmlavAJ+3IbFbl3Gm4H+iKG
ijjWRYCaXiTcigreSNjBhQ==
ZqpH49I4XPu1k+rzPyw=
ZZUh+4FrrBbKukgJWoeuFzY=
lLnTxHn7rq/W9G8rzjsgCnyBYw==
drzjup.space
Signatures
-
Xloader payload 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2616-139-0x0000000000400000-0x000000000042C000-memory.dmp | xloader
behavioral2/memory/2616-146-0x0000000000400000-0x000000000042C000-memory.dmp | xloader
behavioral2/memory/3052-149-0x0000000000E80000-0x0000000000EAC000-memory.dmp | xloader
behavioral2/memory/3052-152-0x0000000000E80000-0x0000000000EAC000-memory.dmp | xloader
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WWAHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BXETQ6HHB46 = "C:\\Program Files (x86)\\Ltlmx\\gpnplvxxfnb.exe" | WWAHost.exe
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
4844 | pvwuec.exe
2616 | pvwuec.exe
1372 | gpnplvxxfnb.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | pvwuec.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
description | pid | process | target process
PID 4844 set thread context of 2616 | 4844 | pvwuec.exe | pvwuec.exe
PID 2616 set thread context of 1108 | 2616 | pvwuec.exe | Explorer.EXE
PID 2616 set thread context of 1108 | 2616 | pvwuec.exe | Explorer.EXE
PID 3052 set thread context of 1108 | 3052 | WWAHost.exe | Explorer.EXE
-
Drops file in Program Files directory 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files (x86)\Ltlmx\gpnplvxxfnb.exe | Explorer.EXE
File opened for modification | C:\Program Files (x86)\Ltlmx\gpnplvxxfnb.exe | WWAHost.exe
File opened for modification | C:\Program Files (x86)\Ltlmx | Explorer.EXE
File created | C:\Program Files (x86)\Ltlmx\gpnplvxxfnb.exe | Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
1652 | 1372 | WerFault.exe | gpnplvxxfnb.exe
-
Modifies Internet Explorer settings 1 IoCs
Processes:
description | ioc | process
Key created | \Registry\User\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | WWAHost.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process | entries
2616 | pvwuec.exe | 6
3052 | WWAHost.exe | 58
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
1108 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 9 IoCs
Processes:
pid | process | entries
4844 | pvwuec.exe | 1
2616 | pvwuec.exe | 4
3052 | WWAHost.exe | 4
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2616 | pvwuec.exe
Token: SeDebugPrivilege | 3052 | WWAHost.exe
Token: SeShutdownPrivilege | 1108 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 1108 | Explorer.EXE
Token: SeShutdownPrivilege | 1108 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 1108 | Explorer.EXE
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
description | pid | process | target process | entries
PID 4872 wrote to memory of 4844 | 4872 | Invoice NO 22073895.exe | pvwuec.exe | 3
PID 4844 wrote to memory of 2616 | 4844 | pvwuec.exe | pvwuec.exe | 4
PID 1108 wrote to memory of 3052 | 1108 | Explorer.EXE | WWAHost.exe | 3
PID 3052 wrote to memory of 424 | 3052 | WWAHost.exe | cmd.exe | 3
PID 3052 wrote to memory of 1936 | 3052 | WWAHost.exe | cmd.exe | 3
PID 3052 wrote to memory of 1244 | 3052 | WWAHost.exe | cmd.exe | 3
PID 3052 wrote to memory of 3932 | 3052 | WWAHost.exe | Firefox.exe | 3
PID 1108 wrote to memory of 1372 | 1108 | Explorer.EXE | gpnplvxxfnb.exe | 3
Processes
-
C:\Windows\Explorer.EXE (depth 1)
Command line: C:\Windows\Explorer.EXE
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Invoice NO 22073895.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice NO 22073895.exe"
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pvwuec.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\pvwuec.exe" C:\Users\Admin\AppData\Local\Temp\eeelcb.fn
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pvwuec.exe (depth 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\pvwuec.exe"
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WWAHost.exe (depth 2)
Command line: "C:\Windows\SysWOW64\WWAHost.exe"
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
Command line: /c del "C:\Users\Admin\AppData\Local\Temp\pvwuec.exe"
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
Command line: /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
-
C:\Program Files\Mozilla Firefox\Firefox.exe (depth 3)
Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
-
C:\Program Files (x86)\Ltlmx\gpnplvxxfnb.exe (depth 2)
Command line: "C:\Program Files (x86)\Ltlmx\gpnplvxxfnb.exe"
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exe (depth 3)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 504
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1372 -ip 1372
Downloads
-
C:\Program Files (x86)\Ltlmx\gpnplvxxfnb.exe
Filesize 84KB
MD5 e87c6c672ec024582ffb00811abf747e
SHA1 05921c941ed33b6e0e4cd35c20a452d0659d04dd
SHA256 17a23dd9b5a1b36f5db90ea4e102a03a8dd14557b60f4c19c17e62e53ac19f86
SHA512 5d09656b375b7cb2a3e3062e4a4af3c77663cc454e79a7be59f2996b4db54e8609f6de7b0ad27432e42b45f2e544a22ba43096b61be6d06d36ff1b20b1e49cb5
-
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize 40KB
MD5 b608d407fc15adea97c26936bc6f03f6
SHA1 953e7420801c76393902c0d6bb56148947e41571
SHA256 b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512 cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize 48KB
MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
C:\Users\Admin\AppData\Local\Temp\eeelcb.fn
Filesize 5KB
MD5 c4ee853696ad5db212cd6ae2bb8a0fe1
SHA1 840ccd25c091a082be426b35386ce7ab8f5d0631
SHA256 6c92c5b0c148c513174215823f3ba3f7f53adbaae077553219826b35553edba1
SHA512 7527d4792d58829f38ed4509a37cc248a02aaeeddf747d3afe3c3f380f8fdad0ebe39e9c989bf1d224f54fab0d187379a93eb9a61800fd7d1f52eb4e6ec9e8c3
-
C:\Users\Admin\AppData\Local\Temp\pvwuec.exe
Filesize 84KB
MD5 e87c6c672ec024582ffb00811abf747e
SHA1 05921c941ed33b6e0e4cd35c20a452d0659d04dd
SHA256 17a23dd9b5a1b36f5db90ea4e102a03a8dd14557b60f4c19c17e62e53ac19f86
SHA512 5d09656b375b7cb2a3e3062e4a4af3c77663cc454e79a7be59f2996b4db54e8609f6de7b0ad27432e42b45f2e544a22ba43096b61be6d06d36ff1b20b1e49cb5
-
C:\Users\Admin\AppData\Local\Temp\serrf.p
Filesize 196KB
MD5 f33a9bba9a07130a2662f4f14e696e7c
SHA1 6fd979cbec5aaa33f8276ca0825a8c0e71768499
SHA256 ea5fe369ca49d659b7cf129def53fd7a1589c9ccdf16a7270354897e885d730c
SHA512 8df1c084b2dcf922faa9ae404642ab9e417b50bdafbf88ce14f1df1d3c3894d7e2f23e5e83ac4362edec3aa0d5a898af9087dac3680731a8dc8960a43b33cdfb
-
memory/424-147-0x0000000000000000-mapping.dmp
-
memory/1108-142-0x0000000002A70000-0x0000000002B63000-memory.dmp
Filesize 972KB
-
memory/1108-144-0x00000000081D0000-0x000000000833B000-memory.dmp
Filesize 1.4MB
-
memory/1108-153-0x0000000007030000-0x0000000007122000-memory.dmp
Filesize 968KB
-
memory/1108-154-0x0000000007030000-0x0000000007122000-memory.dmp
Filesize 968KB
-
memory/1244-157-0x0000000000000000-mapping.dmp
-
memory/1372-159-0x0000000000000000-mapping.dmp
-
memory/1936-155-0x0000000000000000-mapping.dmp
-
memory/2616-139-0x0000000000400000-0x000000000042C000-memory.dmp
Filesize 176KB
-
memory/2616-146-0x0000000000400000-0x000000000042C000-memory.dmp
Filesize 176KB
-
memory/2616-143-0x0000000000E90000-0x0000000000EA1000-memory.dmp
Filesize 68KB
-
memory/2616-141-0x00000000005E0000-0x00000000005F1000-memory.dmp
Filesize 68KB
-
memory/2616-140-0x0000000000A40000-0x0000000000D8A000-memory.dmp
Filesize 3.3MB
-
memory/2616-137-0x0000000000000000-mapping.dmp
-
memory/3052-150-0x00000000019C0000-0x0000000001D0A000-memory.dmp
Filesize 3.3MB
-
memory/3052-151-0x0000000001760000-0x00000000017F0000-memory.dmp
Filesize 576KB
-
memory/3052-152-0x0000000000E80000-0x0000000000EAC000-memory.dmp
Filesize 176KB
-
memory/3052-149-0x0000000000E80000-0x0000000000EAC000-memory.dmp
Filesize 176KB
-
memory/3052-148-0x00000000006A0000-0x000000000077C000-memory.dmp
Filesize 880KB
-
memory/3052-145-0x0000000000000000-mapping.dmp
-
memory/4844-132-0x0000000000000000-mapping.dmp