Overview

Overall score: 10

Task                                                                     Platform            Score
Static (static1)                                                         -                   3
IoC/00496083.xls                                                         windows7-x64        3
IoC/00496083.xls                                                         windows10-2004-x64  1
IoC/680589798891.xls                                                     windows7-x64        3
IoC/680589798891.xls                                                     windows10-2004-x64  1
Consignment Document.pdf.exe                                             windows7-x64        10
Consignment Document.pdf.exe                                             windows10-2004-x64  10
DHL SHIPMENT NOTIFICATION 284748395PD.exe                                windows7-x64        10
DHL SHIPMENT NOTIFICATION 284748395PD.exe                                windows10-2004-x64  10
EZ0496.exe                                                               windows7-x64        10
EZ0496.exe                                                               windows10-2004-x64  10
IoC/I055170_06975755.xls                                                 windows7-x64        3
IoC/I055170_06975755.xls                                                 windows10-2004-x64  1
IoC/I795405_33242211.xls                                                 windows7-x64        3
IoC/I795405_33242211.xls                                                 windows10-2004-x64  1
New Order 00027748585 02222022.exe                                       windows7-x64        10
New Order 00027748585 02222022.exe                                       windows10-2004-x64  10
$PLUGINSDIR/Math.dll                                                     windows7-x64        3
$PLUGINSDIR/Math.dll                                                     windows10-2004-x64  3
$PLUGINSDIR/System.dll                                                   windows7-x64        3
$PLUGINSDIR/System.dll                                                   windows10-2004-x64  3
Windows.System.Diagnostics.TraceReporting.PlatformDiagnosticActions.dll  windows10-2004-x64  3
systeminfo.exe                                                           windows10-2004-x64  3
wecutil.exe                                                              windows10-2004-x64  3
New order 003848848575 02162022.exe                                      windows7-x64        10
New order 003848848575 02162022.exe                                      windows10-2004-x64  10
PO_#YBIC3892900183902328_Evaluated Copy.exe                              windows7-x64        3
PO_#YBIC3892900183902328_Evaluated Copy.exe                              windows10-2004-x64  3
Payment Advice for Outstanding Invoices (2).exe                          windows7-x64        10
Payment Advice for Outstanding Invoices (2).exe                          windows10-2004-x64  10
IoC/XSG8996380.xls                                                       windows7-x64        3
IoC/XSG8996380.xls                                                       windows10-2004-x64  1

Analysis
max time kernel: 149s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-12-2024 21:57
Static task
static1

Behavioral tasks
Task          Sample                                                                    Resource
behavioral1   IoC/00496083.xls                                                          win7-20240903-en
behavioral2   IoC/00496083.xls                                                          win10v2004-20241007-en
behavioral3   IoC/680589798891.xls                                                      win7-20240903-en
behavioral4   IoC/680589798891.xls                                                      win10v2004-20241007-en
behavioral5   Consignment Document.pdf.exe                                              win7-20240729-en
behavioral6   Consignment Document.pdf.exe                                              win10v2004-20241007-en
behavioral7   DHL SHIPMENT NOTIFICATION 284748395PD.exe                                 win7-20240708-en
behavioral8   DHL SHIPMENT NOTIFICATION 284748395PD.exe                                 win10v2004-20241007-en
behavioral9   EZ0496.exe                                                                win7-20241023-en
behavioral10  EZ0496.exe                                                                win10v2004-20241007-en
behavioral11  IoC/I055170_06975755.xls                                                  win7-20240903-en
behavioral12  IoC/I055170_06975755.xls                                                  win10v2004-20241007-en
behavioral13  IoC/I795405_33242211.xls                                                  win7-20241010-en
behavioral14  IoC/I795405_33242211.xls                                                  win10v2004-20241007-en
behavioral15  New Order 00027748585 02222022.exe                                        win7-20240729-en
behavioral16  New Order 00027748585 02222022.exe                                        win10v2004-20241007-en
behavioral17  $PLUGINSDIR/Math.dll                                                      win7-20241010-en
behavioral18  $PLUGINSDIR/Math.dll                                                      win10v2004-20241007-en
behavioral19  $PLUGINSDIR/System.dll                                                    win7-20240708-en
behavioral20  $PLUGINSDIR/System.dll                                                    win10v2004-20241007-en
behavioral21  Windows.System.Diagnostics.TraceReporting.PlatformDiagnosticActions.dll  win10v2004-20241007-en
behavioral22  systeminfo.exe                                                            win10v2004-20241007-en
behavioral23  wecutil.exe                                                               win10v2004-20241007-en
behavioral24  New order 003848848575 02162022.exe                                       win7-20240903-en
behavioral25  New order 003848848575 02162022.exe                                       win10v2004-20241007-en
behavioral26  PO_#YBIC3892900183902328_Evaluated Copy.exe                               win7-20241023-en
behavioral27  PO_#YBIC3892900183902328_Evaluated Copy.exe                               win10v2004-20241007-en
behavioral28  Payment Advice for Outstanding Invoices (2).exe                           win7-20240903-en
behavioral29  Payment Advice for Outstanding Invoices (2).exe                           win10v2004-20241007-en
behavioral30  IoC/XSG8996380.xls                                                        win7-20240903-en
behavioral31  IoC/XSG8996380.xls                                                        win10v2004-20241007-en
General

Target: Payment Advice for Outstanding Invoices (2).exe
Size: 621KB
MD5: 2a2d3e7c62d3b3a9e9ef3565f04a2dc5
SHA1: e4829cc9645d8c2a26929d2f132cf6d0f358a988
SHA256: c435fcfb3786d573ede77e30ded01503640a4de64523df7e9078cfc572381ced
SHA512: 0226f28426976c5bd064caabea3645062a99e1b1e99e79e4d518c783e208b299534ea9a4d1180bc43651fb1b65f72440382910b7ddf30e57ee4b8c9c9a732871
SSDEEP: 12288:7Zbr8K777777777777TkNdgOG0IzkXh7aolFyiSu61xdEJXouOo0XSLEdigeAaui:7F8K777777777777TiP8EFhmoMst
Malware Config

Extracted
Family: xloader
Version: 2.5
Campaign: nqni
Decoy domains: Xloader (Formbook lineage) carries a list of decoy domains and beacons to a mix of them alongside its real C2, so most entries below are decoys and may be ordinary registered sites. Treat the list as indicators to correlate (several listed domains resolved by one process in a short window), not as infrastructure to block outright.
lekitaly.com
heroteas.com
funtique.art
cedarmoonshop.com
greenozon.com
jonescompanysolutions.com
pdxls.com
icreateandcut.com
healthylifeagainnow.com
zhongxinzxpz.top
hotelsaskatchewan.info
louisebeckinsale.net
hivizpeople.com
sanjoseejidillo.com
turnspout.net
suddennnnnnnnnnnn02.xyz
annianzu.icu
webdesigncharlestonsc.com
headrank.agency
bradyiconmusiccenter.com
bestemdurano.quest
mkbau-quickborn.com
telesportsbetting.com
zvedaventeco.quest
paradgmpharma.com
sarrosh.com
archivoibagon.xyz
alhelicanas.com
dazalogistics.com
timeless-express.com
otelcollector.com
marfez.net
kulturacosmetics.com
dbcvj.com
miracleinrecovery.com
palmsugar.biz
ingenuitygs.com
footprintorg.com
niceauto.mobi
tenlog001.xyz
visionaryentertainmentllc.com
vidasaludabledesdecasa.com
moreosin.com
hyggealewee.quest
cacaolixir.com
gowamerica.com
wynningforyou.com
kopekgiysileri.xyz
londcwtoyof6.xyz
knowunknow.com
senegencehr.com
desovote.com
724ototamir.com
ktnword.xyz
suaveluna.com
prowebcraft.net
h2waj537c697.biz
awesomeappsmusicdownloader.top
thebougiebrandshop.com
fullarchsuccess.com
supremepeakmaleenhancement.com
estabuloburgers.com
729321.com
avaxbridgeapes.com
apollorealtors.com
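How to use the extracted domain list without acting on single decoy hits, as an added example that is not part of the sandbox report. The domain tuple is the first twelve entries of the list above; DNS_LOG is a constructed sample in an assumed "timestamp pid=… image=… query=…" format (the msedge.exe entries and PID 5100 are invented for contrast, PID 4244 / cmmon32.exe is the injected host from this report); the 60 s window and threshold of four distinct domains are chosen here, not taken from the page.

```python
"""Correlate DNS lookups against the Xloader decoy/C2 domain list.

A single lookup of a listed domain is weak evidence (decoys can be
ordinary sites). One process resolving several listed domains inside a
short window matches how Xloader beacons and is a strong signal.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# First twelve entries of the extracted config above (subset for brevity).
XLOADER_DOMAINS = (
    "lekitaly.com", "heroteas.com", "funtique.art", "cedarmoonshop.com",
    "greenozon.com", "jonescompanysolutions.com", "pdxls.com",
    "icreateandcut.com", "healthylifeagainnow.com", "zhongxinzxpz.top",
    "hotelsaskatchewan.info", "louisebeckinsale.net",
)

# Constructed DNS log (assumed format); msedge.exe / PID 5100 are made up.
DNS_LOG = """\
2024-12-23T21:58:01 pid=4244 image=cmmon32.exe query=lekitaly.com
2024-12-23T21:58:02 pid=4244 image=cmmon32.exe query=heroteas.com
2024-12-23T21:58:03 pid=4244 image=cmmon32.exe query=www.cedarmoonshop.com
2024-12-23T21:58:05 pid=5100 image=msedge.exe query=hotelsaskatchewan.info
2024-12-23T21:58:06 pid=5100 image=msedge.exe query=www.bing.com
2024-12-23T21:58:09 pid=4244 image=cmmon32.exe query=greenozon.com
2024-12-23T21:58:14 pid=4244 image=cmmon32.exe query=pdxls.com
2024-12-23T22:10:30 pid=4244 image=cmmon32.exe query=icreateandcut.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) query=(?P<q>\S+)$"
)


def listed_domain(qname, domains=XLOADER_DOMAINS):
    """Return the list entry that qname equals or is a subdomain of, else None."""
    q = qname.lower().rstrip(".")
    for d in domains:
        if q == d or q.endswith("." + d):
            return d
    return None


def parse_log(text):
    """Parse the constructed log into (timestamp, pid, image, query) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(
                (datetime.fromisoformat(m["ts"]), int(m["pid"]), m["image"], m["q"])
            )
    return events


def flag_decoy_beaconing(events, window=timedelta(seconds=60), threshold=4):
    """Map (pid, image) -> sorted listed domains for processes that resolve
    at least `threshold` distinct listed domains within one `window`."""
    hits = defaultdict(list)
    for ts, pid, image, q in events:
        d = listed_domain(q)
        if d:
            hits[(pid, image)].append((ts, d))
    flagged = {}
    for key, seq in hits.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            in_window = {d for ts, d in seq[i:] if ts - start <= window}
            if len(in_window) >= threshold:
                flagged[key] = sorted(in_window)
                break
    return flagged


if __name__ == "__main__":
    for (pid, image), domains in flag_decoy_beaconing(parse_log(DNS_LOG)).items():
        print(f"{image} (PID {pid}) resolved {len(domains)} listed domains: {domains}")
```

The browser's single lookup of hotelsaskatchewan.info is ignored, while cmmon32.exe tripping five listed domains in thirteen seconds is flagged; on a real host the process identity (a SysWOW64 binary that normally has no reason to resolve anything) is the second half of the signal.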
Signatures

Xloader family

Xloader payload (3 IoCs)
resource                                                                      yara_rule
behavioral29/memory/1732-15-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral29/memory/1732-20-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral29/memory/4244-25-0x0000000000F90000-0x0000000000FB9000-memory.dmp  xloader

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description        ioc                                                                                                  Process
Key value queried  \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation  Payment Advice for Outstanding Invoices (2).exe

Suspicious use of SetThreadContext (3 IoCs)
description                          pid   Process                                          procid_target
PID 920 set thread context of 1732   920   Payment Advice for Outstanding Invoices (2).exe  92
PID 1732 set thread context of 3520  1732  Payment Advice for Outstanding Invoices (2).exe  56
PID 4244 set thread context of 3520  4244  cmmon32.exe                                      56

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                         Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmmon32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Payment Advice for Outstanding Invoices (2).exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
4320  schtasks.exe

Suspicious behavior: EnumeratesProcesses (53 IoCs)
pid   Process                                          occurrences
920   Payment Advice for Outstanding Invoices (2).exe  1
1732  Payment Advice for Outstanding Invoices (2).exe  4
4244  cmmon32.exe                                      48

Suspicious behavior: MapViewOfSection (5 IoCs)
pid   Process                                          occurrences
1732  Payment Advice for Outstanding Invoices (2).exe  3
4244  cmmon32.exe                                      2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description              pid   Process
Token: SeDebugPrivilege  920   Payment Advice for Outstanding Invoices (2).exe
Token: SeDebugPrivilege  1732  Payment Advice for Outstanding Invoices (2).exe
Token: SeDebugPrivilege  4244  cmmon32.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description                       pid   Process                                          procid_target  occurrences
PID 920 wrote to memory of 4320   920   Payment Advice for Outstanding Invoices (2).exe  90             3
PID 920 wrote to memory of 1732   920   Payment Advice for Outstanding Invoices (2).exe  92             6
PID 3520 wrote to memory of 4244  3520  Explorer.EXE                                     93             3
Processes

C:\Windows\Explorer.EXE  (PID 3520)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe  (PID 920)
      command line: "C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe"
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      └ C:\Windows\SysWOW64\schtasks.exe  (PID 4320)
          command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IlSblFRyVadI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFB09.tmp"
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
      └ C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe  (PID 1732)
          command line: "{path}"
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
  └ C:\Windows\SysWOW64\cmmon32.exe  (PID 4244)
      command line: "C:\Windows\SysWOW64\cmmon32.exe"
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

Read together with the SetThreadContext and WriteProcessMemory rows above, the tree shows the chain: PID 920 registers a scheduled task under Updates\ from an XML in the user's Temp directory, relaunches its own image as PID 1732 with the literal command line "{path}", writes into it and sets its thread context (hollowing a copy of itself); PID 1732 then sets the thread context of Explorer.EXE (3520); Explorer, now hosting injected code, spawns the 32-bit system binary cmmon32.exe (4244), writes into it, and 4244 in turn sets Explorer's thread context. The Xloader YARA hits land in the memory dumps of 1732 and 4244, not in the original 920, so those two are where the payload runs. Note also that schtasks.exe was launched by a 32-bit parent: the command line names System32 but the executed image is the SysWOW64 copy because of WOW64 file-system redirection, so detection rules keyed on image path and on command line will see different strings for the same event.
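Rebuilding the injection chain from the report's own rows, as an added example that is not part of the sandbox report. The two signature rows are copied from the report (deduplicated), PROCESSES is transcribed from the Processes section, and the row grammar "PID <src> <verb> <dst> <src> <image> <procid_target>" is an assumption about the flattened layout; the finding labels and the Temp-directory check for the task XML are this example's own choices.

```python
"""Rebuild the Xloader injection chain from the sandbox report's flattened
SetThreadContext / WriteProcessMemory rows plus its process tree, and flag
the schtasks persistence. Rows and tree are copied from the report above.
"""
import re

# Signature rows as the report prints them (repeats removed).
SET_THREAD_CONTEXT_ROW = (
    "PID 920 set thread context of 1732 920 Payment Advice for Outstanding Invoices (2).exe 92 "
    "PID 1732 set thread context of 3520 1732 Payment Advice for Outstanding Invoices (2).exe 56 "
    "PID 4244 set thread context of 3520 4244 cmmon32.exe 56"
)
WRITE_PROCESS_MEMORY_ROW = (
    "PID 920 wrote to memory of 4320 920 Payment Advice for Outstanding Invoices (2).exe 90 "
    "PID 920 wrote to memory of 1732 920 Payment Advice for Outstanding Invoices (2).exe 92 "
    "PID 3520 wrote to memory of 4244 3520 Explorer.EXE 93"
)

# pid -> (image name, parent pid, command line), from the Processes section.
PROCESSES = {
    3520: ("Explorer.EXE", None, r"C:\Windows\Explorer.EXE"),
    920: ("Payment Advice for Outstanding Invoices (2).exe", 3520,
          r'"C:\Users\Admin\AppData\Local\Temp\Payment Advice for Outstanding Invoices (2).exe"'),
    4320: ("schtasks.exe", 920,
           r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IlSblFRyVadI" '
           r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpFB09.tmp"'),
    1732: ("Payment Advice for Outstanding Invoices (2).exe", 920, "{path}"),
    4244: ("cmmon32.exe", 3520, r'"C:\Windows\SysWOW64\cmmon32.exe"'),
}

# Assumed grammar of one flattened entry; the image name may contain spaces,
# so it is matched lazily up to the trailing procid_target number.
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) (?P<dst>\d+) "
    r"(?P=src) (?P<image>.+?) (?P<idx>\d+)(?= PID |$)"
)

# schtasks /Create ... /TN <name> ... /XML <path>, quoted or bare arguments.
SCHTASKS_RE = re.compile(
    r'/TN\s+(?:"(?P<tnq>[^"]+)"|(?P<tnu>\S+)).*?/XML\s+(?:"(?P<xq>[^"]+)"|(?P<xu>\S+))',
    re.IGNORECASE | re.DOTALL,
)


def parse_rows(row):
    """Return [(src_pid, dst_pid)] from one flattened signature row."""
    return [(int(m["src"]), int(m["dst"])) for m in ROW_RE.finditer(row)]


def classify_injections(events, procs):
    """Label each SetThreadContext (src, dst) pair by how it sits in the tree."""
    findings = []
    for src, dst in events:
        src_img, src_parent, src_cmd = procs[src]
        dst_img, dst_parent, _ = procs[dst]
        if src_img == dst_img and dst_parent == src:
            # Parent relaunched its own image and rewrote the child's thread.
            kind = "self_hollowing"
        elif (dst_img.lower() == "explorer.exe" and src_parent == dst
              and "\\syswow64\\" in src_cmd.lower()):
            # A SysWOW64 binary that Explorer spawned is now driving Explorer.
            kind = "system_binary_reinjects_explorer"
        elif dst_img.lower() == "explorer.exe":
            kind = "explorer_injection"
        else:
            kind = "cross_process"
        findings.append((kind, src, dst))
    return findings


def scheduled_task_persistence(procs):
    """schtasks /Create whose task XML lives under the user's Temp directory."""
    hits = []
    for pid, (image, _, cmd) in procs.items():
        if image.lower() != "schtasks.exe" or "/create" not in cmd.lower():
            continue
        m = SCHTASKS_RE.search(cmd)
        if not m:
            continue
        task, xml = m["tnq"] or m["tnu"], m["xq"] or m["xu"]
        if "\\appdata\\local\\temp\\" in xml.lower():
            hits.append((pid, task, xml))
    return hits


def injection_chain(procs):
    """Summarise both rows: who hollowed whom, what Explorer filled, and
    which PIDs should therefore carry the payload (cf. the YARA hits)."""
    stc = classify_injections(parse_rows(SET_THREAD_CONTEXT_ROW), procs)
    wpm = parse_rows(WRITE_PROCESS_MEMORY_ROW)
    explorer_writes = [(s, d) for s, d in wpm if procs[s][0].lower() == "explorer.exe"]
    hosts = {d for _, _, d in stc if procs[d][0].lower() != "explorer.exe"}
    hosts |= {d for _, d in explorer_writes}
    return {
        "set_thread_context": stc,
        "explorer_writes_into": explorer_writes,
        "scheduled_tasks": scheduled_task_persistence(procs),
        "payload_hosts": sorted(hosts),
    }


if __name__ == "__main__":
    for key, value in injection_chain(PROCESSES).items():
        print(f"{key}: {value}")
```

The computed payload hosts, 1732 and 4244, are exactly the two PIDs whose memory dumps matched the xloader YARA rule, which is the cross-check worth automating when triaging many reports of this family.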
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 29a6bf584fd2f23bfc893adae238e979
SHA1: b8ff2fd1ea786178be37a6ef3033d18f400a9b2a
SHA256: e878f09bf6937560c0afe88cdb93ea57a84064a2acd14189ed28b152490ce3a1
SHA512: c51e68c47b8baf0e3a04ab29069311eb4cf05dad68ee183d183d3f3564740bcbfff1267f6e7cab46317e0ec631a864e329f9c2ac93666f83b46adfe09008cc37