Analysis

max time kernel: 14s
max time network: 113s
platform: windows10_x64
resource: win10v20201028
submitted: 05-03-2021 14:15

Static task: static1
Behavioral task: behavioral1
Sample: 4e38f139a12a838dbde332c9d6285d2f.exe
Resource: win7v20201028
General

Target: 4e38f139a12a838dbde332c9d6285d2f.exe
Size: 218KB
MD5: 4e38f139a12a838dbde332c9d6285d2f
SHA1: d9870967a42b9f754faf19c729fe5cfe1429556f
SHA256: 9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248
SHA512: ab87a3301375a7ad63db3bc9d1904118fc82a206eeeef86596e760dcd7d7c09cd93fe672fe11f0a47110d413ad7fefc26819dde9aee672edd482a87e5104bb73
Malware Config

Extracted: xloader
http://www.fountainhead410.com/jzvu/
rezabird.com
amthebomb.com
cqfsc.net
scottgesslerdesign.com
australianhempco.com
digitalkn.com
theoneandonlytattoostudio.com
chaing-list.xyz
technicaljanu.com
tigerkid.net
mels.ink
adassadelacruz.com
deep-freezers.xyz
kundanbangles.com
88840678.com
xiaonaphotography.online
john-heer-stuttgart.com
gumrukihalesi.com
veekasdoshi.com
purathanam.com
thekeycrewshop.com
spinningx.com
icommercehotel.com
ketodietforall.com
vanmarina.com
premierenterpriserealty.com
standingrockcellars.com
cnhongzu.com
yewanfuli.com
kurdishtranslate.com
fionafrenchic.com
reachstudiokenya.com
neutrem.com
continentalhrservices.com
xyfs360.com
phone-avail27.club
funkyoufridays.net
paypalticket5396170.info
intlbazar.com
theflesolay.com
maquinagsmlb.net
treasureislandhunt.com
mehmederdas.com
hayalimofen.net
suspicy.com
beaufortgardenparty.com
sunkistplumbing.com
6116merrittdrive.com
ezbuydomain.com
maxicreamheladeriafruteria.com
butikfitrah.com
texasairwaydentist.net
hayatbirliktekolay.com
disinfectmylawofficeindy.com
hippopotames-consultants.com
sonicrings.net
itsukayamamura.com
shfhm.com
xiaoshuxiongvip.com
g-stone.art
hinjt-niyp.xyz
amarisworstell.com
theneverendingbedtimestory.com
vestnets.net
Signatures

Xloader Payload (1 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/3012-4-0x0000000000400000-0x0000000000429000-memory.dmp | xloader

Loads dropped DLL (1 IoCs)
Processes:
pid | process
4652 | 4e38f139a12a838dbde332c9d6285d2f.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
description | pid | process | target process
PID 4652 set thread context of 3012 | 4652 | 4e38f139a12a838dbde332c9d6285d2f.exe | 4e38f139a12a838dbde332c9d6285d2f.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes:
pid | process
4652 | 4e38f139a12a838dbde332c9d6285d2f.exe
4652 | 4e38f139a12a838dbde332c9d6285d2f.exe
4652 | 4e38f139a12a838dbde332c9d6285d2f.exe
4652 | 4e38f139a12a838dbde332c9d6285d2f.exe
4652 | 4e38f139a12a838dbde332c9d6285d2f.exe
4652 | 4e38f139a12a838dbde332c9d6285d2f.exe
4652 | 4e38f139a12a838dbde332c9d6285d2f.exe
4652 | 4e38f139a12a838dbde332c9d6285d2f.exe
3012 | 4e38f139a12a838dbde332c9d6285d2f.exe
3012 | 4e38f139a12a838dbde332c9d6285d2f.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
Processes:
pid | process
4652 | 4e38f139a12a838dbde332c9d6285d2f.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description | pid | process | target process
PID 4652 wrote to memory of 3012 | 4652 | 4e38f139a12a838dbde332c9d6285d2f.exe | 4e38f139a12a838dbde332c9d6285d2f.exe
PID 4652 wrote to memory of 3012 | 4652 | 4e38f139a12a838dbde332c9d6285d2f.exe | 4e38f139a12a838dbde332c9d6285d2f.exe
PID 4652 wrote to memory of 3012 | 4652 | 4e38f139a12a838dbde332c9d6285d2f.exe | 4e38f139a12a838dbde332c9d6285d2f.exe
PID 4652 wrote to memory of 3012 | 4652 | 4e38f139a12a838dbde332c9d6285d2f.exe | 4e38f139a12a838dbde332c9d6285d2f.exe
Processes

C:\Users\Admin\AppData\Local\Temp\4e38f139a12a838dbde332c9d6285d2f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4e38f139a12a838dbde332c9d6285d2f.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\4e38f139a12a838dbde332c9d6285d2f.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\4e38f139a12a838dbde332c9d6285d2f.exe"
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\Users\Admin\AppData\Local\Temp\nsd4FCC.tmp\cx67q960gnfsak.dll
MD5: 7c62e61b4ef935588ae9f1ac06f25aef
SHA1: bebd69699282e251febeea424c26184987fe4b0f
SHA256: 8044fa7a693f7616b70f2bb1b99c7247f6b5daf9792d0916431ca72afca6806d
SHA512: dc55efba66637352aa1cc723e40386af58fbce9e4d2b43f49f739b234484af277c666fdb44e53f80f6653b21b361dbd1fe999ce60a385ec019b0317b67dc6a07

memory/3012-3-0x000000000041D100-mapping.dmp

memory/3012-4-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize: 164KB

memory/3012-5-0x0000000000B20000-0x0000000000E40000-memory.dmp
Filesize: 3.1MB