Analysis
- max time kernel: 12s
- max time network: 118s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 08-04-2021 08:13
Static task: static1
Behavioral task: behavioral1
- Sample: 91523f8d438585534d9466432cc4665d.exe
- Resource: win7v20201028
General
- Target: 91523f8d438585534d9466432cc4665d.exe
- Size: 201KB
- MD5: 91523f8d438585534d9466432cc4665d
- SHA1: e34b69f0ded056eca7dd43b8f5be2edf7198c211
- SHA256: b5e3426a888ddb5751f9802093f1bd10ec696b2994bee03b99b7ba2b4f21a57d
- SHA512: e8035c994acd9e46738b87eae25248df1548f8782d7475b4e9d362b68362ce62962780e46be0e054b9645d1be4e1eea8c93096f8e90bcb179040b5014eeec77b
Malware Config
- Extracted family: xloader
- Version: 2.3
- Configuration entries (the one URL entry carries a URI path and is what the extractor reports as the C2; the bare domains are the rest of the configuration, which in this family mixes decoy domains that the sample also contacts with the real C2):
http://www.simplyhealrhcareplans.com/sqra/
edwardjonescredticard.com
muzhskoy-eskort.site
home-sou.com
entohops.com
orchidandiris.com
kellnetworks.com
shopthen2.site
jimmysga.com
carobbella.com
fenuadiscovery.com
huongdandidong.com
greenesgoodies.com
socialunified.com
azure-vs-google.cloud
bardototonho.com
anadelalastra.art
godseyepiece.com
18082020.com
3559044.com
hvacservicecoldwater.com
inlandempiresublease.com
cenconsulting.com
clavunica.com
zx765.com
ndrossignol.com
lumpkinforless.com
merrypopinnannies.com
herbalbooze.com
opusleaf.com
karizcustomizeme.com
miss-windy.com
esl-materials.com
flcpyl.com
metort.com
ggapp.run
josiahtreatenglishportfolio.com
charmdalat.com
kaashir.com
magenx2.info
mysfmp.com
dailyhyundaihanoi.net
camperlifeclub.com
familymedicalurgentcare.com
unityprawn.com
crosswhiteconsulting.com
luxel01.com
runwithbe.com
marfrigs.com
lewishackney.com
legalhelp.black
thedorkweb.com
carritogastronomico.com
sniffai.com
myboardinghome.com
szameitat.net
wegawk.com
ecomcourse.online
heritagelcc.com
launchtutor.com
bricksli.com
911salesrescue.com
shangbinjieneng.com
seymor-law.com
decoviewer.com
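Turning the configuration block above into usable indicators is the first thing an analyst does with this report. The following is an added example (Python, not part of the sandbox report or of any xloader tooling): it separates the URL entry from the bare domains, extracts and defangs every hostname, and emits one Suricata (5+) DNS rule per host. Only the first few entries of the block are copied into the script; the remaining domains from the report can be appended to the same list. The sid range is an arbitrary assumption for a local ruleset, and the rules have not been loaded into a live Suricata here.

```python
"""Extracted xloader configuration -> defanged IoCs and Suricata DNS rules.

Added example, not part of the sandbox report. CONFIG_ENTRIES is copied
from the report's Malware Config block (first entries only); the sid range
and rule wording are this example's assumptions.
"""
from urllib.parse import urlsplit

# First entries of the Malware Config block, verbatim; extend with the rest.
CONFIG_ENTRIES = [
    "http://www.simplyhealrhcareplans.com/sqra/",
    "edwardjonescredticard.com",
    "muzhskoy-eskort.site",
    "home-sou.com",
    "entohops.com",
    "azure-vs-google.cloud",
    "legalhelp.black",
]


def split_config(entries):
    """Separate URL entries (scheme + path, reported as the C2) from the
    bare domains that make up the remainder of the configuration."""
    c2_urls = [e for e in entries if "://" in e]
    domains = [e for e in entries if "://" not in e]
    return c2_urls, domains


def hostnames(entries):
    """Every hostname worth alerting on: the C2 URL's host plus each bare
    domain, lower-cased and de-duplicated while keeping the report order."""
    seen = []
    for entry in entries:
        host = urlsplit(entry).hostname if "://" in entry else entry
        host = host.lower().rstrip(".")
        if host not in seen:
            seen.append(host)
    return seen


def defang(value):
    """Conventional defanging so an indicator pasted into a ticket cannot be
    clicked or resolved: http -> hxxp and '.' -> '[.]' in the host part only,
    so the URI path (useful for proxy-log searches) stays intact."""
    if "://" in value:
        parts = urlsplit(value)
        scheme = parts.scheme.replace("http", "hxxp")
        host = parts.netloc.replace(".", "[.]")
        rest = parts.path + (f"?{parts.query}" if parts.query else "")
        return f"{scheme}://{host}{rest}"
    return value.replace(".", "[.]")


def suricata_dns_rules(hosts, sid_start=9_000_001):
    """One Suricata 5+ rule per host on the dns.query sticky buffer.
    'endswith' keeps a host from matching as a substring of an unrelated
    longer name. sid_start is an assumed local-rules range."""
    rules = []
    for i, host in enumerate(hosts):
        rules.append(
            "alert dns $HOME_NET any -> any any ("
            f'msg:"xloader config domain {host}"; dns.query; content:"{host}"; '
            f"nocase; endswith; classtype:trojan-activity; sid:{sid_start + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    c2, decoys = split_config(CONFIG_ENTRIES)
    print("C2 URL(s):", [defang(u) for u in c2])
    print("Other domains:", [defang(d) for d in decoys])
    for rule in suricata_dns_rules(hostnames(CONFIG_ENTRIES)):
        print(rule)
```

Because xloader beacons to decoy domains as well as to the real C2, a hit on any rule confirms the infection but does not by itself identify which host is receiving data; the URL entry with the `/sqra/` path is the one to prioritise in proxy logs.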
Signatures
- Xloader Payload (1 IoC)
  Resource: behavioral2/memory/2380-117-0x0000000000400000-0x0000000000429000-memory.dmp
  YARA rule: xloader
- Loads dropped DLL (1 IoC)
  PID 2612, 91523f8d438585534d9466432cc4665d.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 2612 (91523f8d438585534d9466432cc4665d.exe) set thread context of PID 2380 (91523f8d438585534d9466432cc4665d.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (This is the sandbox's generic description for the signature. xloader is an information stealer, and drive enumeration by the injected copy is not on its own evidence of ransomware.)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2380, 91523f8d438585534d9466432cc4665d.exe (two events)
- Suspicious behavior: MapViewOfSection (1 IoC)
  PID 2612, 91523f8d438585534d9466432cc4665d.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2612 (91523f8d438585534d9466432cc4665d.exe) wrote to memory of PID 2380 (91523f8d438585534d9466432cc4665d.exe), four events
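The SetThreadContext and WriteProcessMemory entries describe one relationship: PID 2612 writing into, and then redirecting execution in, PID 2380, where both processes run the same image. That is the classic pattern of a sample launching a suspended copy of itself and replacing its code. The script below is an added example (Python, not sandbox output or xloader code) of correlating such events into a single finding. Its input lines are constructed to mirror the flattened rows in this section, plus one constructed control row that should not be flagged; the field layout and the finding format are the example's own.

```python
"""Correlate per-event sandbox rows into a process-injection finding.

Added example, not part of the sandbox report. EVENTS is constructed from
the report's Signatures section (PIDs 2612 -> 2380, same image) plus one
constructed control row; the row format imitates the flattened table
"PID <src> <verb> <dst> <src> <src image> <dst image>".
"""
import re
from collections import defaultdict
from dataclasses import dataclass

IMAGE = "91523f8d438585534d9466432cc4665d.exe"

EVENTS = [
    f"PID 2612 set thread context of 2380 2612 {IMAGE} {IMAGE}",
    f"PID 2612 wrote to memory of 2380 2612 {IMAGE} {IMAGE}",
    f"PID 2612 wrote to memory of 2380 2612 {IMAGE} {IMAGE}",
    f"PID 2612 wrote to memory of 2380 2612 {IMAGE} {IMAGE}",
    f"PID 2612 wrote to memory of 2380 2612 {IMAGE} {IMAGE}",
    # Constructed control: a lone cross-process write with no thread-context
    # change is common in legitimate software and must not be reported.
    "PID 1000 wrote to memory of 1001 1000 explorer.exe notepad.exe",
]

_EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)$"
)


@dataclass(frozen=True)
class InjectionFinding:
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str
    writes: int
    thread_context_sets: int

    @property
    def self_image(self) -> bool:
        """Target runs the injector's own image: a suspended copy of itself
        had its code replaced, which is what this report shows."""
        return self.src_image.lower() == self.dst_image.lower()


def parse_events(lines):
    """Keep only rows in the write/set-context format; other signature rows
    (MapViewOfSection, EnumeratesProcesses) have no target and are skipped."""
    parsed = []
    for line in lines:
        match = _EVENT_RE.match(line.strip())
        if match is not None:
            parsed.append(match.groupdict())
    return parsed


def find_injections(lines):
    """Group cross-process rows by (src, dst) and report pairs showing both a
    memory write and a thread-context change. Order is deliberately ignored:
    the sandbox groups rows by signature, not by time, so a sequence-based
    rule (write before SetThreadContext) would miss this report's layout."""
    buckets = defaultdict(lambda: {"writes": 0, "ctx": 0, "images": None})
    for ev in parse_events(lines):
        src, dst = int(ev["src"]), int(ev["dst"])
        if src == dst:
            continue  # a process touching its own memory is not injection
        bucket = buckets[(src, dst)]
        bucket["images"] = (ev["src_image"], ev["dst_image"])
        if ev["verb"].startswith("wrote"):
            bucket["writes"] += 1
        else:
            bucket["ctx"] += 1
    findings = []
    for (src, dst), b in sorted(buckets.items()):
        if b["writes"] and b["ctx"]:
            findings.append(InjectionFinding(src, dst, *b["images"], b["writes"], b["ctx"]))
    return findings


if __name__ == "__main__":
    for f in find_injections(EVENTS):
        kind = "same image (hollowing pattern)" if f.self_image else "different image"
        print(f"{f.src_pid} -> {f.dst_pid}: {f.writes} write(s), "
              f"{f.thread_context_sets} SetThreadContext, {kind}")
```

The same grouping works on Sysmon event ID 8/10 or EDR telemetry once the rows are normalised to (source PID, target PID, verb); the point is to require both primitives against the same target before raising an alert, and to weight a same-image target higher.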
Processes
1. C:\Users\Admin\AppData\Local\Temp\91523f8d438585534d9466432cc4665d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\91523f8d438585534d9466432cc4665d.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   2. (child of 1) C:\Users\Admin\AppData\Local\Temp\91523f8d438585534d9466432cc4665d.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\91523f8d438585534d9466432cc4665d.exe"
      - Suspicious behavior: EnumeratesProcesses
The signature entries identify the parent as PID 2612 and the child as PID 2380: the sample starts a second copy of itself, writes into it and redirects its execution (the WriteProcessMemory and SetThreadContext entries), and it is the child's memory that the xloader YARA rule matched.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsh337A.tmp\9a5t.dll
  MD5: e5a5e61ad269d94aa1f74f929f76addc
  SHA1: 41a4642319054581903776cd0fe5ac282ec6fc8a
  SHA256: 3e39c71277fd492f9e995a5913176bebd8f78b9cff306a9ce6e5c8dba7600015
  SHA512: 81f2245b1c4c465acfc6ba70a81ba840a04b65d87f7c88ac44cbe816e8be546fd7b4a56d5a162da5f4bc991436d95a0d0ab289856f1f3d2472c690ebdda07fa9
  (A DLL dropped into a %TEMP%\ns....tmp directory is the layout NSIS installers use for their plugin directory, consistent with the parent process's "Loads dropped DLL" signature.)
- memory/2380-115-0x000000000041D080-mapping.dmp
- memory/2380-117-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/2380-118-0x0000000000A90000-0x0000000000DB0000-memory.dmp
  Filesize: 3.1MB
- memory/2612-116-0x00000000028D0000-0x00000000028D2000-memory.dmp
  Filesize: 8KB
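Before feeding these dumps to a PE parser or a YARA scan it is worth checking that they are what their names say. The dump filenames encode PID, sequence number and address range, so the stated file size can be checked against the range, the region starting at the 32-bit default image base 0x00400000 (the one the xloader YARA rule matched) can be singled out as the unpacked-PE candidate, and the mapping dump's address can be resolved to the region that contains it. The script below is an added example (Python, not sandbox tooling); its input is the four filenames and sizes listed above, and the 2% tolerance for rounded sizes such as "3.1MB" is the example's own choice.

```python
"""Sanity-check sandbox memory-dump names against their stated sizes.

Added example, not part of the sandbox report. DUMPS is copied from the
report's Downloads section; the tolerance and the output layout are this
example's assumptions.
"""
import re
from dataclasses import dataclass

DUMPS = [
    ("memory/2380-115-0x000000000041D080-mapping.dmp", None),
    ("memory/2380-117-0x0000000000400000-0x0000000000429000-memory.dmp", "164KB"),
    ("memory/2380-118-0x0000000000A90000-0x0000000000DB0000-memory.dmp", "3.1MB"),
    ("memory/2612-116-0x00000000028D0000-0x00000000028D2000-memory.dmp", "8KB"),
]

_HEX = r"[0-9a-fA-F]+"
_REGION_RE = re.compile(
    rf"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>{_HEX})-0x(?P<end>{_HEX})-memory\.dmp$")
_MAPPING_RE = re.compile(
    rf"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<addr>{_HEX})-mapping\.dmp$")
_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


@dataclass(frozen=True)
class Region:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end

    @property
    def at_default_image_base(self) -> bool:
        """0x00400000 is the linker default image base for 32-bit executables,
        so a region dumped from there in a hollowed process is the first
        candidate for the unpacked PE."""
        return self.start == 0x400000


def parse_stated_size(text: str) -> int:
    """'164KB' -> 167936; the sandbox uses binary units and rounds."""
    m = re.fullmatch(r"([0-9.]+)\s*([KMG]?B)", text.strip(), re.IGNORECASE)
    if m is None:
        raise ValueError(f"unrecognised size: {text!r}")
    return round(float(m.group(1)) * _UNITS[m.group(2).upper()])


def parse_region(name: str):
    m = _REGION_RE.match(name)
    if m is None:
        return None
    return Region(int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))


def parse_mapping(name: str):
    m = _MAPPING_RE.match(name)
    return None if m is None else (int(m["pid"]), int(m["addr"], 16))


def size_consistent(region: Region, stated: str, tolerance: float = 0.02) -> bool:
    """Stated sizes are rounded ('3.1MB' for 0x320000 bytes), so allow a
    small relative tolerance rather than demanding equality."""
    expected = parse_stated_size(stated)
    return abs(region.size - expected) <= tolerance * expected


def triage(dumps):
    """Per filename: region size and size check plus PE-candidate flag, or,
    for a mapping dump, the same-PID region that contains its address."""
    info, regions = {}, []
    for name, stated in dumps:
        region = parse_region(name)
        if region is not None:
            regions.append((name, region))
            info[name] = {"pid": region.pid, "size": region.size,
                          "size_ok": stated is None or size_consistent(region, stated),
                          "pe_candidate": region.at_default_image_base}
            continue
        mapping = parse_mapping(name)
        if mapping is not None:
            info[name] = {"pid": mapping[0], "addr": mapping[1], "inside": None}
    for entry in info.values():
        if "addr" in entry:
            for rname, region in regions:
                if region.pid == entry["pid"] and region.contains(entry["addr"]):
                    entry["inside"] = rname
                    break
    return info


if __name__ == "__main__":
    for name, entry in triage(DUMPS).items():
        print(name, entry)
```

On this report's data every stated size agrees with its address range, the 164KB region at 0x400000 in PID 2380 is the PE candidate (and the YARA hit), and the mapping address 0x41D080 falls inside that same region; a mismatch on any of these would mean a truncated or mislabelled dump and a YARA result not worth trusting.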