Analysis
max time kernel: 36s
max time network: 113s
platform: windows10_x64
resource: win10v20201028
submitted: 21-01-2021 07:09
General
Target: 14f7d9b43392ee6fc45f4233cffd22af.exe
Size: 1.0MB
MD5: 14f7d9b43392ee6fc45f4233cffd22af
SHA1: 549bd3b6249c5c3488e8ce7dd9c117f2aec2ee1a
SHA256: 1a1316858bdc617d23e0330ddcde1958d2e95a083fa04020675ad4fb01780c46
SHA512: 48f98e534452954b680e7b769c09b1425d46377d5da7afdb3237fc63c1a0e0f56d8635ea65ce64d77cc4501a2ffa7bde83a37e4198ada138300ca36dabc3cd83
Malware Config
Extracted family: formbook
C2 URL: http://www.herbmedia.net/csv8/
Decoy domains (64). Formbook sends traffic to these as well as to the real C2, so the live server is harder to pick out of a capture; block or hunt on the C2 URL above, and treat the list below as noise the bot will also generate:
slgacha.com
oohdough.com
6983ylc.com
aykassociate.com
latin-hotspot.com
starrockindia.com
beamsubway.com
queensboutique1000.com
madbaddie.com
bhoomimart.com
ankitparivar.com
aldanasanchezmx.com
citest1597669833.com
cristianofreitas.com
myplantus.com
counterfeitmilk.com
8xf39.com
pregnantwomens.com
yyyut6.com
stnanguo.com
fessusesefsee.com
logansshop.net
familydalmatianhomes.com
accessible.legal
epicmassiveconcepts.com
indianfactopedia.com
exit-divorce.com
colliapse.com
nosishop.com
hayat-aljowaily.com
soundon.events
previnacovid19-br.com
traptlongview.com
splendidhotelspa.com
masterzushop.com
ednevents.com
studentdividers.com
treningi-enduro.com
hostingcoaster.com
gourmetgroceriesfast.com
thesouthbeachlife.com
teemergin.com
fixmygearfast.com
arb-invest.com
shemaledreamz.com
1819apparel.com
thedigitalsatyam.com
alparmuhendislik.com
distinctmusicproductions.com
procreditexpert.com
insights4innovation.com
jzbtl.com
1033325.com
sorteocamper.info
scheherazadelegault.com
glowportraiture.com
cleitstaapps.com
globepublishers.com
stattests.com
brainandbodystrengthcoach.com
magenx2.info
escaparati.com
wood-decor24.com
travelnetafrica.com
Signatures

Xloader Payload (2 IoCs)
Processes:
resource: behavioral2/memory/428-14-0x0000000000400000-0x0000000000429000-memory.dmp; yara_rule: xloader
resource: behavioral2/memory/428-15-0x000000000041D0C0-mapping.dmp; yara_rule: xloader
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature adds "Likely ransomware behaviour"; the heuristic is not specific to ransomware, and the family identified in this report (Formbook/Xloader) is an information stealer, so read the tag as a note rather than a classification.
Suspicious use of SetThreadContext (1 IoC)
Processes:
description: PID 4772 set thread context of 428; pid: 4772; process: 14f7d9b43392ee6fc45f4233cffd22af.exe; target process: 14f7d9b43392ee6fc45f4233cffd22af.exe
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
pid: 4772; process: 14f7d9b43392ee6fc45f4233cffd22af.exe
pid: 428; process: 14f7d9b43392ee6fc45f4233cffd22af.exe
pid: 428; process: 14f7d9b43392ee6fc45f4233cffd22af.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description: Token: SeDebugPrivilege; pid: 4772; process: 14f7d9b43392ee6fc45f4233cffd22af.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description: PID 4772 wrote to memory of 556; pid: 4772; process: 14f7d9b43392ee6fc45f4233cffd22af.exe; target process: schtasks.exe (3 IoCs, identical rows)
description: PID 4772 wrote to memory of 428; pid: 4772; process: 14f7d9b43392ee6fc45f4233cffd22af.exe; target process: 14f7d9b43392ee6fc45f4233cffd22af.exe (6 IoCs, identical rows)
Processes

1. C:\Users\Admin\AppData\Local\Temp\14f7d9b43392ee6fc45f4233cffd22af.exe (PID 4772)
   Command line: "C:\Users\Admin\AppData\Local\Temp\14f7d9b43392ee6fc45f4233cffd22af.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\schtasks.exe (PID 556)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LvIUCJi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD7F7.tmp"
      The parent is a 32-bit process, so the System32 path in the command line resolves to SysWOW64 through file-system redirection. The task definition is imported from tmpD7F7.tmp, the dropped file listed under Downloads.
      - Creates scheduled task(s)

   2. C:\Users\Admin\AppData\Local\Temp\14f7d9b43392ee6fc45f4233cffd22af.exe (PID 428)
      Command line: "{path}"
      A second copy of the sample launched with the literal command line "{path}". This is the process that receives the WriteProcessMemory and SetThreadContext calls from PID 4772 and whose memory matched the xloader rule.
      - Suspicious behavior: EnumeratesProcesses
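The signature tables and process tree above describe a recognisable pattern: the sample enables SeDebugPrivilege, spawns a second copy of itself, writes into it and redirects a thread with SetThreadContext, and separately registers a scheduled task from an XML file in Temp. The following is an added example, not part of the sandbox report, showing detection logic for both behaviours run over a constructed event stream modelled on the report's tables; the event field names are an assumed EDR-style schema, not any product's real format, and the root PPID is invented.

```python
"""Detection logic for two behaviours in this report's signature tables:
self-hollowing (the sample injects into a child copy of itself) and
persistence via a scheduled task imported from an XML file in Temp.

Added example, not part of the sandbox report. EVENTS is a constructed
event stream modelled on the report's tables; the field names are an
assumed EDR-style schema, not any product's real format.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\14f7d9b43392ee6fc45f4233cffd22af.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

# Constructed events, in report order. PPID 1000 for the root process is an
# assumption (the report does not show the sandbox launcher's PID).
EVENTS = [
    {"type": "process_create", "pid": 4772, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "adjust_privilege", "pid": 4772, "privilege": "SeDebugPrivilege"},
    {"type": "process_create", "pid": 556, "ppid": 4772, "image": SCHTASKS,
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LvIUCJi" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpD7F7.tmp"'},
    *[{"type": "write_process_memory", "pid": 4772, "target": 556}] * 3,
    {"type": "process_create", "pid": 428, "ppid": 4772, "image": SAMPLE, "cmdline": '"{path}"'},
    *[{"type": "write_process_memory", "pid": 4772, "target": 428}] * 6,
    {"type": "set_thread_context", "pid": 4772, "target": 428},
]

SCHTASKS_RE = re.compile(r'schtasks(?:\.exe)?"?\s.*?/create\b', re.I)
XML_RE = re.compile(r'/xml\s+(?:"([^"]+)"|(\S+))', re.I)
TN_RE = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def detect_self_hollowing(events):
    """A process creates a child from its own image, writes into it, then
    redirects a thread with SetThreadContext. Writes alone are not enough:
    the parent also wrote into schtasks.exe, a different image that never
    had its thread context changed, and that must not fire."""
    images, parents = {}, {}
    for e in events:
        if e["type"] == "process_create":
            images[e["pid"]] = e["image"].lower()
            parents[e["pid"]] = e["ppid"]
    writes = defaultdict(int)
    contexts = set()
    for e in events:
        if e["type"] == "write_process_memory":
            writes[(e["pid"], e["target"])] += 1
        elif e["type"] == "set_thread_context":
            contexts.add((e["pid"], e["target"]))
    hits = []
    for src, dst in sorted(contexts):
        if parents.get(dst) == src and images.get(dst) == images.get(src) and writes[(src, dst)]:
            hits.append({"parent": src, "child": dst, "writes": writes[(src, dst)], "image": images[src]})
    return hits


def detect_schtasks_xml_from_temp(events):
    """schtasks /Create ... /XML <file> with the task definition under the
    user's Temp folder, as the dropped tmpD7F7.tmp is in this report."""
    hits = []
    for e in events:
        if e["type"] != "process_create" or not SCHTASKS_RE.search(e["cmdline"]):
            continue
        m = XML_RE.search(e["cmdline"])
        if not m:
            continue
        xml = m.group(1) or m.group(2)
        if TEMP_RE.search(xml):
            tn = TN_RE.search(e["cmdline"])
            hits.append({"pid": e["pid"], "ppid": e["ppid"], "xml": xml,
                         "task": (tn.group(1) or tn.group(2)) if tn else None})
    return hits


def triage(events):
    """Combine both detections with the SeDebugPrivilege token adjustment."""
    debug = sorted({e["pid"] for e in events
                    if e["type"] == "adjust_privilege" and e["privilege"] == "SeDebugPrivilege"})
    return {"self_hollowing": detect_self_hollowing(events),
            "scheduled_task_from_temp": detect_schtasks_xml_from_temp(events),
            "sedebug_pids": debug}


if __name__ == "__main__":
    for name, finding in triage(EVENTS).items():
        print(name, finding)
```

The hollowing rule deliberately requires all three pieces (same-image child, memory writes, SetThreadContext) because the report shows the parent also writing into the freshly created schtasks.exe; keying on WriteProcessMemory alone would flag that benign-looking parent/child handoff as injection.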
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD7F7.tmp (the scheduled-task XML imported by schtasks.exe)
MD5: 30e10cdf7d5af02435258997819be0d2
SHA1: fa8ddce4a64078889e2ecfd88730e3ddf841bc0b
SHA256: 47331cedc888f13607c7f48d18e04210560310092b47b1e62b13e25d72a417bc
SHA512: f977cd94325e0161bf4019a89b64b1248c7839bd52a3f15598024647a3d2a84fabf5d2ab5280a4052214d5e3b41095ca71c95e44f7d5ba3d97970ece8d5a19ec

memory/428-17-0x0000000001280000-0x00000000015A0000-memory.dmp; Filesize: 3.1MB
memory/428-15-0x000000000041D0C0-mapping.dmp
memory/428-14-0x0000000000400000-0x0000000000429000-memory.dmp; Filesize: 164KB (the region that matched the xloader rule under Signatures)
memory/556-12-0x0000000000000000-mapping.dmp
memory/4772-6-0x00000000058A0000-0x00000000058A1000-memory.dmp; Filesize: 4KB
memory/4772-9-0x0000000005A50000-0x0000000005A51000-memory.dmp; Filesize: 4KB
memory/4772-10-0x0000000007CF0000-0x0000000007D77000-memory.dmp; Filesize: 540KB
memory/4772-11-0x0000000007E20000-0x0000000007E21000-memory.dmp; Filesize: 4KB
memory/4772-8-0x0000000005A40000-0x0000000005A4E000-memory.dmp; Filesize: 56KB
memory/4772-7-0x0000000003510000-0x0000000003511000-memory.dmp; Filesize: 4KB
memory/4772-2-0x0000000073360000-0x0000000073A4E000-memory.dmp; Filesize: 6.9MB
memory/4772-5-0x0000000005DA0000-0x0000000005DA1000-memory.dmp; Filesize: 4KB
memory/4772-3-0x0000000000F20000-0x0000000000F21000-memory.dmp; Filesize: 4KB
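The dump names above encode the PID, a sequence number and the virtual address range of each region, and the Filesize column is just end minus start. The one to pull first is the 164KB region at 0x400000 in PID 428: it sits at the default 32-bit image base, the recorded mapping address 0x41D0C0 falls inside it, and it is the region the xloader rule matched. The following is an added example, not part of the sandbox report, that parses these dump names, reproduces the reported sizes, selects that candidate automatically and then checks a region against a PE32 header. The dump names are the report's own; the PE header bytes are constructed for illustration with the region's values and are not the sample's real header.

```python
"""Triage helpers for the memory dumps listed under Downloads: parse the dump
names, reproduce the reported sizes, pick out the region that looks like an
unpacked PE image, and sanity-check such a region against its PE header.

Added example, not part of the sandbox report. The dump names are the
report's own; the PE header bytes are constructed for illustration with the
region's values and are not the sample's real header.
"""
import re
import struct

REPORT_DUMPS = [
    "memory/428-17-0x0000000001280000-0x00000000015A0000-memory.dmp",
    "memory/428-15-0x000000000041D0C0-mapping.dmp",
    "memory/428-14-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/556-12-0x0000000000000000-mapping.dmp",
    "memory/4772-10-0x0000000007CF0000-0x0000000007D77000-memory.dmp",
    "memory/4772-2-0x0000000073360000-0x0000000073A4E000-memory.dmp",
]

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp"
)


def parse_dump_name(name):
    """'memory/<pid>-<seq>-0x<start>[-0x<end>]-<kind>.dmp' -> fields."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"],
            "start": int(m["start"], 16),
            "end": int(m["end"], 16) if m["end"] else None}


def human_size(nbytes):
    """Render a byte count the way the report's Filesize column does."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def find_payload_candidates(names):
    """Regions worth unpacking first: mapped at the classic 32-bit default
    image base 0x400000, or containing a recorded mapping address for the
    same PID (the address the redirected thread was pointed at)."""
    parsed = [parse_dump_name(n) for n in names]
    mappings = {(d["pid"], d["start"]) for d in parsed if d["kind"] == "mapping"}
    out = []
    for d in parsed:
        if d["kind"] != "memory":
            continue
        inside = sorted(a for p, a in mappings if p == d["pid"] and d["start"] <= a < d["end"])
        if d["start"] == 0x400000 or inside:
            out.append({"pid": d["pid"], "start": d["start"], "end": d["end"],
                        "size": human_size(d["end"] - d["start"]), "mappings": inside})
    return out


def parse_pe32(buf):
    """Minimal PE32 header walk: DOS header -> e_lfanew -> COFF -> optional header."""
    if buf[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF file header
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) handled")
    return {"entry_rva": struct.unpack_from("<I", buf, opt + 16)[0],
            "image_base": struct.unpack_from("<I", buf, opt + 28)[0],
            "size_of_image": struct.unpack_from("<I", buf, opt + 56)[0]}


def build_demo_image(image_base, size_of_image, entry_rva):
    """Constructed PE32 header (illustration only, not the sample's real bytes)."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                                   # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # COFF: i386, EXE, 32-bit
    opt = 0x98
    struct.pack_into("<H", hdr, opt, 0x10B)                                   # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, entry_rva)                          # AddressOfEntryPoint
    struct.pack_into("<I", hdr, opt + 28, image_base)                         # ImageBase
    struct.pack_into("<I", hdr, opt + 56, size_of_image)                      # SizeOfImage
    return bytes(hdr)


def check_region(buf, start, end, mapping_addr=None):
    """Does the dumped region's header agree with where and how large it was
    mapped, and does the recorded mapping address coincide with its entry point?"""
    pe = parse_pe32(buf)
    entry_va = pe["image_base"] + pe["entry_rva"]
    return {"header_matches_region": pe["image_base"] == start and pe["size_of_image"] == end - start,
            "entry_va": entry_va,
            "mapping_is_entry": None if mapping_addr is None else mapping_addr == entry_va}
```

On a real dump, feed the bytes of the `428-14` file to `check_region` with the region's start and end and the `428-15` mapping address; a header whose ImageBase and SizeOfImage match the region is a strong sign the dump is a complete, already-mapped image that can be carved and relocated as-is, while a mapping address that is not the entry point tells you execution was started somewhere other than the PE entry and is worth looking at first in the disassembler.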