Analysis
-
max time kernel
147s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
27/12/2023, 19:07
Static task
static1
Behavioral task
behavioral1
Sample
Payment_Advice.exe
Resource
win7-20231215-en
General
-
Target
Payment_Advice.exe
-
Size
600KB
-
MD5
e071eda90d0e53ace9919357d98281e4
-
SHA1
f75510c59e43a645702a66702882eeb7ad21bf62
-
SHA256
afc581586580ee675ab9b0cfef4e508b9decebe330dc6a7334534d34fb7d6a2e
-
SHA512
a979a37a203b576279d681909e3735a8557f192e34f4b5f5f86d8331f556cf221005e777bc51fd46fa5e23d4f626a9da3552c9d15874a2b54a2ac5635e846d9b
-
SSDEEP
12288:qTfM4y02iNv4s+BxlyA1dKBn+jHaz5d7AhyC6yuLRV7W:63y01usSxrKnX5NAhysuLTq
Malware Config
Extracted
xloader
2.3
uecu
ishtarhotel.com
woodstrends.icu
jalenowens.com
manno.expert
ssg1asia.com
telepathylaw.com
quickoprintnv.com
abrosnm3.com
lumberjackcatering.com
beachujamaica.com
thomasjeffersonbyrd.com
starryfinds.com
shelavish2.com
royalglamempirellc.com
deixandomeuemprego.com
alexgoestech.xyz
opticamn.com
fermanchevybrandon.com
milbodegas.info
adunarsrl.com
dataatlus.com
missabrams.com
beaconservicesuk.com
tvforpc.website
dipmarketingagency.com
milsontt.com
londonsashwindowsservices.com
feedmysheepdaily.com
firsttimephysics.com
hosefire.com
southdocknj.com
idfstool.com
drelip.com
decayette.com
awakenedgodsofbeauty.com
easttexasranch.com
risinglanka.com
meetingoffices.com
vase-composition.com
kupon.asia
alltimeselfstorage.com
gatorbrewcoffee.com
api-pay-agent.com
height-project.online
flbtyc638.com
psdmoravita.com
highbrowhairstudio.com
deepblueriver.com
yh22022.com
sts-100.com
michaelfmoore.com
alzheimers.computer
produtos-servicos.website
zyuyktlcu.icu
ezewasser.com
outstanding-palisade.com
saioura.com
core.run
allaboutlifeblog.com
foodolog.net
somerderm.com
scootrlv.com
ahjjbxg.com
gasworldchampionships.com
illoftapartments.com
Signatures
-
Xloader payload 4 IoCs
resource yara_rule behavioral1/memory/2892-14-0x0000000000400000-0x0000000000428000-memory.dmp xloader behavioral1/memory/2892-18-0x0000000000400000-0x0000000000428000-memory.dmp xloader behavioral1/memory/2704-23-0x0000000000080000-0x00000000000A8000-memory.dmp xloader behavioral1/memory/2704-25-0x0000000000080000-0x00000000000A8000-memory.dmp xloader -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 3004 set thread context of 2892 3004 Payment_Advice.exe 28 PID 2892 set thread context of 1136 2892 RegSvcs.exe 7 PID 2704 set thread context of 1136 2704 chkdsk.exe 7 -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe -
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid Process 3004 Payment_Advice.exe 2892 RegSvcs.exe 2892 RegSvcs.exe 2704 chkdsk.exe 2704 chkdsk.exe 2704 chkdsk.exe 2704 chkdsk.exe 2704 chkdsk.exe 2704 chkdsk.exe 2704 chkdsk.exe 2704 chkdsk.exe 2704 chkdsk.exe 2704 chkdsk.exe 2704 chkdsk.exe 2704 chkdsk.exe 2704 chkdsk.exe 2704 chkdsk.exe 2704 chkdsk.exe 2704 chkdsk.exe 2704 chkdsk.exe 2704 chkdsk.exe 2704 chkdsk.exe 2704 chkdsk.exe 2704 chkdsk.exe 2704 chkdsk.exe 2704 chkdsk.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
pid Process 2892 RegSvcs.exe 2892 RegSvcs.exe 2892 RegSvcs.exe 2704 chkdsk.exe 2704 chkdsk.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3004 Payment_Advice.exe Token: SeDebugPrivilege 2892 RegSvcs.exe Token: SeDebugPrivilege 2704 chkdsk.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 3004 wrote to memory of 2892 3004 Payment_Advice.exe 28 PID 3004 wrote to memory of 2892 3004 Payment_Advice.exe 28 PID 3004 wrote to memory of 2892 3004 Payment_Advice.exe 28 PID 3004 wrote to memory of 2892 3004 Payment_Advice.exe 28 PID 3004 wrote to memory of 2892 3004 Payment_Advice.exe 28 PID 3004 wrote to memory of 2892 3004 Payment_Advice.exe 28 PID 3004 wrote to memory of 2892 3004 Payment_Advice.exe 28 PID 3004 wrote to memory of 2892 3004 Payment_Advice.exe 28 PID 3004 wrote to memory of 2892 3004 Payment_Advice.exe 28 PID 3004 wrote to memory of 2892 3004 Payment_Advice.exe 28 PID 1136 wrote to memory of 2704 1136 Explorer.EXE 29 PID 1136 wrote to memory of 2704 1136 Explorer.EXE 29 PID 1136 wrote to memory of 2704 1136 Explorer.EXE 29 PID 1136 wrote to memory of 2704 1136 Explorer.EXE 29 PID 2704 wrote to memory of 2588 2704 chkdsk.exe 31 PID 2704 wrote to memory of 2588 2704 chkdsk.exe 31 PID 2704 wrote to memory of 2588 2704 chkdsk.exe 31 PID 2704 wrote to memory of 2588 2704 chkdsk.exe 31
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Users\Admin\AppData\Local\Temp\Payment_Advice.exe"C:\Users\Admin\AppData\Local\Temp\Payment_Advice.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2892
-
-
-
C:\Windows\SysWOW64\chkdsk.exe"C:\Windows\SysWOW64\chkdsk.exe"2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵PID:2588
-
-