Analysis
- max time kernel: 37s
- max time network: 40s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 06-03-2021 00:04

Static task: static1
Behavioral task: behavioral1
Sample: 9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248.exe
Resource: win7v20201028
General
- Target: 9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248.exe
- Size: 218KB
- MD5: 4e38f139a12a838dbde332c9d6285d2f
- SHA1: d9870967a42b9f754faf19c729fe5cfe1429556f
- SHA256: 9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248
- SHA512: ab87a3301375a7ad63db3bc9d1904118fc82a206eeeef86596e760dcd7d7c09cd93fe672fe11f0a47110d413ad7fefc26819dde9aee672edd482a87e5104bb73
Malware Config
- Extracted family: xloader
Signatures
- Xloader Payload (1 IoC)
  Processes (resource / yara_rule):
    behavioral1/memory/1268-5-0x0000000000400000-0x0000000000429000-memory.dmp / xloader
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
    1596 / 9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
    PID 1596 set thread context of 1268 / 1596 / 9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248.exe / 9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid / process):
    1596 / 9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248.exe
    1596 / 9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248.exe
    1596 / 9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248.exe
    1596 / 9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248.exe
    1268 / 9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid / process):
    1596 / 9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description / pid / process / target process):
    PID 1596 wrote to memory of 1268 / 1596 / 9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248.exe / 9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248.exe
    PID 1596 wrote to memory of 1268 / 1596 / 9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248.exe / 9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248.exe
    PID 1596 wrote to memory of 1268 / 1596 / 9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248.exe / 9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248.exe
    PID 1596 wrote to memory of 1268 / 1596 / 9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248.exe / 9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248.exe
    PID 1596 wrote to memory of 1268 / 1596 / 9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248.exe / 9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
2. (depth 2, under process 1) C:\Users\Admin\AppData\Local\Temp\9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9b8e02c9169932cb809300c4dff5afc240aba4d5a87264f0f7123314345c6248.exe"
   - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- \Users\Admin\AppData\Local\Temp\nsn77C0.tmp\cx67q960gnfsak.dll
  MD5: 7c62e61b4ef935588ae9f1ac06f25aef
  SHA1: bebd69699282e251febeea424c26184987fe4b0f
  SHA256: 8044fa7a693f7616b70f2bb1b99c7247f6b5daf9792d0916431ca72afca6806d
  SHA512: dc55efba66637352aa1cc723e40386af58fbce9e4d2b43f49f739b234484af277c666fdb44e53f80f6653b21b361dbd1fe999ce60a385ec019b0317b67dc6a07
- memory/1268-4-0x000000000041D100-mapping.dmp
- memory/1268-5-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/1268-6-0x0000000000850000-0x0000000000B53000-memory.dmp
  Filesize: 3.0MB
- memory/1596-2-0x0000000075781000-0x0000000075783000-memory.dmp
  Filesize: 8KB