Analysis
  max time kernel:   2s
  max time network:  11s
  platform:          windows7_x64
  resource:          win7v20201028
  submitted:         05-03-2021 14:31
  Static task:       static1
  Behavioral task:   behavioral1
    Sample:    f7ab1c6e6623676d14665c84fdc9aee4.exe
    Resource:  win7v20201028
General
  Target:  f7ab1c6e6623676d14665c84fdc9aee4.exe
  Size:    217KB
  MD5:     f7ab1c6e6623676d14665c84fdc9aee4
  SHA1:    6d5b39ada2ead78c8977cb917cfee6e83180116f
  SHA256:  e6e9f774351440aef9b0b309282155ad0258f6e97da820170384454711e4bef8
  SHA512:  71239d2d161879d13053f3512a57a84fd9a86e907874075a7f6f143e6b96b0f64c5e933a4fb15d7deb4c3723ca8d1856723b7d8efa82ced17879f7f30c6483cf
Malware Config

Extracted family:  xloader
C2 URL (as extracted, with panel path):  http://www.856380692.xyz/nsag/

Hostnames carried in the config. XLoader/Formbook-family configs pair one live C2 with a list of decoy hostnames that the bot also beacons to; the decoys are frequently legitimate sites, so confirm each hostname before adding it to a block list:
usopencoverage.com
5bo5j.com
deliveryourvote.com
bestbuycarpethd.com
worldsourcecloud.com
glowtheblog.com
translations.tools
ithacapella.com
machinerysubway.com
aashlokhospitals.com
athara-kiano.com
anabittencourt.com
hakimkhawatmi.com
fashionwatchesstore.com
krishnagiri.info
tencenttexts.com
kodairo.com
ouitum.club
robertbeauford.net
polling.asia
evoslancete.com
4676sabalkey.com
chechadskeitaro.com
babyhopeful.com
11376.xyz
oryanomer.com
jyxxfy.com
scanourworld.com
thevistadrinksco.com
meow-cafe.com
xfixpros.com
botaniquecouture.com
bkhlep.xyz
mauriciozarate.com
icepolo.com
siyezim.com
myfeezinc.com
nooshone.com
wholesalerbargains.com
winabeel.com
frankfrango.com
patientsbooking.info
ineedahealer.com
thefamilyorchard.net
clericallyco.com
overseaexpert.com
bukaino.net
womens-secrets.love
skinjunkie.site
dccheavydutydiv.net
explorerthecity.com
droneserviceshouston.com
creationsbyjamie.com
profirma-nachfolge.com
oasisbracelet.com
maurobenetti.com
mecs.club
mistressofherdivinity.com
vooronsland.com
navia.world
commagx4.info
caresring.com
yourstrivingforexcellence.com
alpinevalleytimeshares.com
Signatures

Xloader Payload (1 IoC)
  resource                                                                    yara_rule
  behavioral1/memory/1988-5-0x0000000000400000-0x0000000000428000-memory.dmp  xloader

Loads dropped DLL (1 IoC)
  pid  process
  292  f7ab1c6e6623676d14665c84fdc9aee4.exe

Suspicious use of SetThreadContext (1 IoC)
  description                          pid  process                               target process
  PID 292 set thread context of 1988   292  f7ab1c6e6623676d14665c84fdc9aee4.exe  f7ab1c6e6623676d14665c84fdc9aee4.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (Generic description attached to this signature; everything else in the report points to an infostealer, XLoader, not ransomware.)

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   process
  292   f7ab1c6e6623676d14665c84fdc9aee4.exe  (reported 4 times)
  1988  f7ab1c6e6623676d14665c84fdc9aee4.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  pid  process
  292  f7ab1c6e6623676d14665c84fdc9aee4.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  description                        pid  process                               target process
  PID 292 wrote to memory of 1988    292  f7ab1c6e6623676d14665c84fdc9aee4.exe  f7ab1c6e6623676d14665c84fdc9aee4.exe  (reported 5 times)

Taken together, the last four signatures describe one chain: the first instance (PID 292) starts a second copy of its own image (PID 1988), writes into it repeatedly, maps a section, and then redirects a thread with SetThreadContext. That is process hollowing of a child with the same image path, and the YARA hit on the child's 0x400000-0x428000 region is the unpacked payload that the write/SetThreadContext sequence installed.
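The write-then-SetThreadContext chain above is the detectable part of the behaviour. The following is an added example, not part of the Triage report or its signature engine: a small Python detector run over a constructed event trace that mirrors the report's lines (PID 292 writes into PID 1988 five times, then sets its thread context). The Event fields, the IMG path variable and the benign decoy events are assumptions for illustration, not a Triage export format.

```python
"""Flag a parent -> child injection chain of the kind the signatures describe.

Added example, not from the Triage report. The trace is constructed to mirror
the report's signature lines; the Event schema and IMG path are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

IMG = r"C:\Users\Admin\AppData\Local\Temp\f7ab1c6e6623676d14665c84fdc9aee4.exe"


@dataclass(frozen=True)
class Event:
    seq: int        # order in the trace
    kind: str       # "create" | "write_memory" | "set_thread_context"
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str


# Constructed trace: 292 spawns a second copy of itself (1988), writes into it
# five times, then redirects its thread. A debugger-like process (4000) that
# only sets a thread context, and a self-write by 292, are included as the
# benign cases the detector must ignore.
TRACE: List[Event] = [
    Event(1, "create", 292, 1988, IMG, IMG),
    *[Event(2 + i, "write_memory", 292, 1988, IMG, IMG) for i in range(5)],
    Event(7, "write_memory", 292, 292, IMG, IMG),
    Event(8, "set_thread_context", 4000, 1988, r"C:\tools\dbg.exe", IMG),
    Event(9, "set_thread_context", 292, 1988, IMG, IMG),
]


def find_hollowing(events: List[Event]) -> List[dict]:
    """Return one finding per (src, dst) pair where a *different* process wrote
    into the target and afterwards set one of its thread contexts.

    A SetThreadContext with no prior write from the same source (debuggers,
    EDR agents) does not alert. Identical image paths on both sides raise the
    severity: a process hollowing a fresh copy of itself, as in this report,
    is the classic self-injection pattern and almost never benign.
    """
    state: Dict[Tuple[int, int], dict] = {}
    for e in sorted(events, key=lambda ev: ev.seq):
        if e.src_pid == e.dst_pid:
            continue  # a process touching its own memory or threads is normal
        rec = state.setdefault(
            (e.src_pid, e.dst_pid),
            {"writes": 0, "ctx_after_write": False,
             "same_image": e.src_image.lower() == e.dst_image.lower()},
        )
        if e.kind == "write_memory":
            rec["writes"] += 1
        elif e.kind == "set_thread_context" and rec["writes"] > 0:
            rec["ctx_after_write"] = True

    findings = []
    for (src, dst), rec in state.items():
        if rec["ctx_after_write"]:
            findings.append({
                "src_pid": src,
                "dst_pid": dst,
                "writes": rec["writes"],
                "severity": "high" if rec["same_image"] else "medium",
                "technique": "remote write followed by SetThreadContext (process hollowing)",
            })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(TRACE):
        print(finding)
```

The ordering check matters: a SetThreadContext that precedes any write from the same source is how debuggers and some security agents behave, so the rule only fires once a remote write has already landed in the target.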
Processes

C:\Users\Admin\AppData\Local\Temp\f7ab1c6e6623676d14665c84fdc9aee4.exe  (PID 292)
  command line: "C:\Users\Admin\AppData\Local\Temp\f7ab1c6e6623676d14665c84fdc9aee4.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\f7ab1c6e6623676d14665c84fdc9aee4.exe  (PID 1988, child of 292)
    command line: "C:\Users\Admin\AppData\Local\Temp\f7ab1c6e6623676d14665c84fdc9aee4.exe"
    - Suspicious behavior: EnumeratesProcesses

(PIDs are taken from the signature tables above: 292 carries the injection-side signatures, 1988 is the injected second instance.)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Dropped file
  Path:    \Users\Admin\AppData\Local\Temp\nsiF6D.tmp\93ni8zi9fd1f.dll
  MD5:     6bb21314f484e79d6d6e4b2329ee68ef
  SHA1:    e988cdc158cf6eb71e19afc946812d77f02ff370
  SHA256:  c7f2500459484d1df8d6a2c6a391d39ba79c1343412eb0231d036fb036b0368a
  SHA512:  ea1e7341484cb41d8081a6d018fb1f383727613cf228aa9fabb32405c8c8159d68e8572e5e0eb85b40de6538c540d837ee7b96c886739b449dd1b93c75ce1c09
  Note: an ns<hex>.tmp directory under %TEMP% is where NSIS installers unpack their plugin DLLs, so this file is the "Loads dropped DLL" hit for PID 292 and points to an NSIS-packaged loader stage in front of the XLoader payload.

Memory dumps
  memory/292-2-0x0000000076861000-0x0000000076863000-memory.dmp     8KB
  memory/1988-4-0x000000000041D000-mapping.dmp
  memory/1988-5-0x0000000000400000-0x0000000000428000-memory.dmp   160KB   (the region the xloader YARA rule matched in the injected child, PID 1988)
  memory/1988-6-0x00000000006E0000-0x00000000009E3000-memory.dmp   3.0MB
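The dump names above encode the PID, a sequence index, and the virtual address range, so the listed sizes can be cross-checked and the single-address "mapping" entry can be tied to the region dump that contains it. The following is an added example, not part of the Triage report: a Python parser for those names, fed the four entries from the list above. The name grammar (pid-index-start[-end]-kind.dmp) is inferred from these four entries and is an assumption, as is the choice of 0x400000 (the linker default image base for 32-bit executables) as the marker for a likely unpacked payload region.

```python
"""Parse Triage-style memory-dump names and sanity-check them.

Added example, not from the Triage report. The dump names and listed sizes
are copied from the report's Downloads list; the name grammar
(pid-index-start[-end]-kind.dmp) is inferred from them and is an assumption.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)

# Linker default ImageBase for a 32-bit executable; an unpacked payload
# written into a hollowed child usually lands here (assumption for the check).
DEFAULT_IMAGE_BASE = 0x400000


class Dump(NamedTuple):
    pid: int
    idx: int
    start: int
    end: Optional[int]   # None for a "mapping" entry, which carries one address
    kind: str

    @property
    def size(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start

    def contains(self, addr: int) -> bool:
        return self.end is not None and self.start <= addr < self.end


def parse_dump_name(name: str) -> Dump:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Triage-style dump name: {name!r}")
    end = m.group("end")
    return Dump(int(m.group("pid")), int(m.group("idx")), int(m.group("start"), 16),
                int(end, 16) if end else None, m.group("kind"))


def human_size(n: int) -> str:
    """Render like the report: whole KB below 1 MB, one decimal MB above."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def locate_mapping(dumps: List[Dump]) -> List[Tuple[int, Optional[int]]]:
    """Pair each single-address 'mapping' entry with the region dump of the
    same pid that contains it, so the analyst knows which dump to open."""
    regions = [d for d in dumps if d.kind == "memory"]
    out = []
    for m in (d for d in dumps if d.kind == "mapping"):
        hit = next((r for r in regions if r.pid == m.pid and r.contains(m.start)), None)
        out.append((m.start, None if hit is None else hit.idx))
    return out


def payload_candidates(dumps: List[Dump]) -> List[Dump]:
    """Region dumps that start at the default image base: the first dump to
    pull into a disassembler when hunting the unpacked payload."""
    return [d for d in dumps if d.kind == "memory" and d.start == DEFAULT_IMAGE_BASE]


# Names and sizes as listed in the report's Downloads section.
REPORTED = [
    ("memory/292-2-0x0000000076861000-0x0000000076863000-memory.dmp", "8KB"),
    ("memory/1988-4-0x000000000041D000-mapping.dmp", None),
    ("memory/1988-5-0x0000000000400000-0x0000000000428000-memory.dmp", "160KB"),
    ("memory/1988-6-0x00000000006E0000-0x00000000009E3000-memory.dmp", "3.0MB"),
]


def check_reported_sizes(entries=REPORTED) -> bool:
    """True when every address range in a dump name matches its listed size."""
    for name, listed in entries:
        d = parse_dump_name(name)
        if listed is not None and human_size(d.size) != listed:
            return False
    return True


if __name__ == "__main__":
    dumps = [parse_dump_name(n) for n, _ in REPORTED]
    print("sizes consistent:", check_reported_sizes())
    print("mapping -> region idx:", locate_mapping(dumps))
    print("payload candidates:", [d.idx for d in payload_candidates(dumps)])
```

For this report the 0x41D000 mapping address falls inside the 0x400000-0x428000 region of the same PID, which is also the only region starting at the default image base and the one the xloader YARA rule matched, so it is the dump to open first.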