Analysis
-
max time kernel: 150s
max time network: 145s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 30-01-2023 02:04
Static task: static1
Behavioral task: behavioral1
Sample: Arrival Notice.exe
Resource: win7-20221111-en
General
-
Target: Arrival Notice.exe
Size: 443KB
MD5: 7d71400ae523be4c870fca01cad243ae
SHA1: db3e7be3fc8dfdcff0147f944f519c99c69584eb
SHA256: c86c4b2413ae0161438065f00f28eae576d2fdfb2a27d06752316f1d1860edb1
SHA512: 38894c771dd2c8efdb10e913e2702f1f85a16f66fa2876bfeb39b36053861426b086f73289c4e74e27cc8454d78f13629b23d8dc149819e241287c490c940fdc
SSDEEP: 12288:lac6BafvIbRW06cviiD/EB7LlBgbgTKoOmRwFOp0/:lactfn09aiwVeoI/
Malware Config
-
Extracted
Family: xloader
Version: 2.6
Campaign: pdrq
Signatures
-
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
Processes: Arrival Notice.exe
description   ioc                                                                        process
Key opened    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions   Arrival Notice.exe
-
Xloader payload (5 IoCs)
Processes:
resource                                                                      yara_rule
behavioral1/memory/556-66-0x0000000000400000-0x000000000042B000-memory.dmp    xloader
behavioral1/memory/556-67-0x000000000041F270-mapping.dmp                      xloader
behavioral1/memory/556-69-0x0000000000400000-0x000000000042B000-memory.dmp    xloader
behavioral1/memory/844-78-0x0000000000070000-0x000000000009B000-memory.dmp    xloader
behavioral1/memory/844-82-0x0000000000070000-0x000000000009B000-memory.dmp    xloader
-
Blocklisted process makes network request (1 IoC)
Processes: wscript.exe
flow   pid   process
9      844   wscript.exe
-
Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
Processes: Arrival Notice.exe
description   ioc                                                              process
Key opened    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools   Arrival Notice.exe
-
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: Arrival Notice.exe
description         ioc                                                              process
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    Arrival Notice.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   Arrival Notice.exe
-
Deletes itself (1 IoC)
Processes: cmd.exe
pid   process
672   cmd.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: wscript.exe
description       ioc                                                                                                                                     process
Key created       \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run                                                             wscript.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MLMPLR5HGV = "C:\\Program Files (x86)\\Lpdd\\gdibbc.exe"   wscript.exe
-
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: Arrival Notice.exe
description         ioc                                                         process
Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0   Arrival Notice.exe
Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     Arrival Notice.exe
-
Suspicious use of SetThreadContext (3 IoCs)
Processes: Arrival Notice.exe, Arrival Notice.exe, wscript.exe
description                            pid    process              target process
PID 1380 set thread context of 556     1380   Arrival Notice.exe   Arrival Notice.exe
PID 556 set thread context of 1252     556    Arrival Notice.exe   Explorer.EXE
PID 844 set thread context of 1252     844    wscript.exe          Explorer.EXE
-
Drops file in Program Files directory (1 IoC)
Processes: wscript.exe
description                    ioc                                        process
File opened for modification   C:\Program Files (x86)\Lpdd\gdibbc.exe     wscript.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) (1 TTPs, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings
Processes: wscript.exe
description   ioc                                                                                                                        process
Key created   \Registry\User\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2   wscript.exe
-
Suspicious behavior: EnumeratesProcesses (19 IoCs)
Processes: Arrival Notice.exe, Arrival Notice.exe, powershell.exe, wscript.exe
pid    process              occurrences
1380   Arrival Notice.exe   2
556    Arrival Notice.exe   2
1968   powershell.exe       1
844    wscript.exe          14
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: Explorer.EXE
pid    process
1252   Explorer.EXE
-
Suspicious behavior: MapViewOfSection (7 IoCs)
Processes: Arrival Notice.exe, wscript.exe
pid   process              occurrences
556   Arrival Notice.exe   3
844   wscript.exe          4
-
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: Arrival Notice.exe, Arrival Notice.exe, powershell.exe, wscript.exe
description               pid    process
Token: SeDebugPrivilege   1380   Arrival Notice.exe
Token: SeDebugPrivilege   556    Arrival Notice.exe
Token: SeDebugPrivilege   1968   powershell.exe
Token: SeDebugPrivilege   844    wscript.exe
-
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: Explorer.EXE
pid    process        occurrences
1252   Explorer.EXE   2
-
Suspicious use of SendNotifyMessage (2 IoCs)
Processes: Explorer.EXE
pid    process        occurrences
1252   Explorer.EXE   2
-
Suspicious use of WriteProcessMemory (28 IoCs)
Processes: Arrival Notice.exe, Explorer.EXE, wscript.exe
description                        pid    process              target process       occurrences
PID 1380 wrote to memory of 1968   1380   Arrival Notice.exe   powershell.exe       4
PID 1380 wrote to memory of 1416   1380   Arrival Notice.exe   schtasks.exe         4
PID 1380 wrote to memory of 556    1380   Arrival Notice.exe   Arrival Notice.exe   7
PID 1252 wrote to memory of 844    1252   Explorer.EXE         wscript.exe          4
PID 844 wrote to memory of 672     844    wscript.exe          cmd.exe              4
PID 844 wrote to memory of 756     844    wscript.exe          Firefox.exe          5
Processes
-
C:\Windows\Explorer.EXE (level 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Arrival Notice.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\Arrival Notice.exe"
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YyKWDHkSnIFE.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe (level 3)
Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YyKWDHkSnIFE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEFCC.tmp"
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Arrival Notice.exe (level 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\Arrival Notice.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\wscript.exe (level 2)
Command line: "C:\Windows\SysWOW64\wscript.exe"
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (level 3)
Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Arrival Notice.exe"
- Deletes itself
-
C:\Program Files\Mozilla Firefox\Firefox.exe (level 3)
Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpEFCC.tmp
Filesize: 1KB
MD5: 863f81076159792c05dd3172e90b8d1f
SHA1: 877af743934d8ab77978691329fb2542c9a5311f
SHA256: 3cfe3c4d01e61c5093174449bbfcd908b3609ecb2016f627a731bba30f7509c2
SHA512: b040a36be78c6e433716113535dbab7beb8b2714e24cd139b929edd5a94652dc52587f07471bda14a7e977419eaf19e642a4c3ecbdf38a88a7c8da38d4d56156
-
Memory dumps
resource                                                          filesize
memory/556-69-0x0000000000400000-0x000000000042B000-memory.dmp    172KB
memory/556-64-0x0000000000400000-0x000000000042B000-memory.dmp    172KB
memory/556-71-0x0000000000B10000-0x0000000000E13000-memory.dmp    3.0MB
memory/556-72-0x0000000000180000-0x0000000000191000-memory.dmp    68KB
memory/556-67-0x000000000041F270-mapping.dmp                      (mapping only)
memory/556-66-0x0000000000400000-0x000000000042B000-memory.dmp    172KB
memory/556-63-0x0000000000400000-0x000000000042B000-memory.dmp    172KB
memory/672-76-0x0000000000000000-mapping.dmp                      (mapping only)
memory/844-77-0x0000000000290000-0x00000000002B6000-memory.dmp    152KB
memory/844-79-0x0000000001F40000-0x0000000002243000-memory.dmp    3.0MB
memory/844-82-0x0000000000070000-0x000000000009B000-memory.dmp    172KB
memory/844-80-0x0000000001E80000-0x0000000001F10000-memory.dmp    576KB
memory/844-78-0x0000000000070000-0x000000000009B000-memory.dmp    172KB
memory/844-75-0x0000000000000000-mapping.dmp                      (mapping only)
memory/1252-73-0x0000000004C20000-0x0000000004D0E000-memory.dmp   952KB
memory/1252-83-0x0000000004DE0000-0x0000000004F39000-memory.dmp   1.3MB
memory/1252-81-0x0000000004DE0000-0x0000000004F39000-memory.dmp   1.3MB
memory/1380-57-0x00000000050B0000-0x000000000511A000-memory.dmp   424KB
memory/1380-56-0x0000000000430000-0x000000000043E000-memory.dmp   56KB
memory/1380-62-0x0000000005120000-0x0000000005152000-memory.dmp   200KB
memory/1380-54-0x0000000000900000-0x0000000000974000-memory.dmp   464KB
memory/1380-55-0x0000000074F01000-0x0000000074F03000-memory.dmp   8KB
memory/1416-59-0x0000000000000000-mapping.dmp                     (mapping only)
memory/1968-58-0x0000000000000000-mapping.dmp                     (mapping only)
memory/1968-74-0x000000006E020000-0x000000006E5CB000-memory.dmp   5.7MB
memory/1968-70-0x000000006E020000-0x000000006E5CB000-memory.dmp   5.7MB