Analysis
- max time kernel: 3s
- max time network: 10s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 08-04-2021 07:47
Static task: static1
Behavioral task: behavioral1
Sample: 3ee47ef2fed1383543fed2509ee9d533.exe
Resource: win7v20201028
General
- Target: 3ee47ef2fed1383543fed2509ee9d533.exe
- Size: 201KB
- MD5: 3ee47ef2fed1383543fed2509ee9d533
- SHA1: 25bb17677a44eef76caab249e90188e2b6263b98
- SHA256: 6a708470ee13d86b51352b69e755a9bcbd2730ecef34133dd1b5ed10b95f56a3
- SHA512: e42958a2b5d334fff9cbbb03259df1583be3bcb43807e786d6f896f1c78af22dfc8110687c4e6e5bca7a2a6a9a586af537568780b801258e9718d080c8507106
Malware Config
Extracted
- Family: xloader
- Version: 2.3
- URL: http://www.856380692.xyz/nsag/
- Domains:
usopencoverage.com
5bo5j.com
deliveryourvote.com
bestbuycarpethd.com
worldsourcecloud.com
glowtheblog.com
translations.tools
ithacapella.com
machinerysubway.com
aashlokhospitals.com
athara-kiano.com
anabittencourt.com
hakimkhawatmi.com
fashionwatchesstore.com
krishnagiri.info
tencenttexts.com
kodairo.com
ouitum.club
robertbeauford.net
polling.asia
evoslancete.com
4676sabalkey.com
chechadskeitaro.com
babyhopeful.com
11376.xyz
oryanomer.com
jyxxfy.com
scanourworld.com
thevistadrinksco.com
meow-cafe.com
xfixpros.com
botaniquecouture.com
bkhlep.xyz
mauriciozarate.com
icepolo.com
siyezim.com
myfeezinc.com
nooshone.com
wholesalerbargains.com
winabeel.com
frankfrango.com
patientsbooking.info
ineedahealer.com
thefamilyorchard.net
clericallyco.com
overseaexpert.com
bukaino.net
womens-secrets.love
skinjunkie.site
dccheavydutydiv.net
explorerthecity.com
droneserviceshouston.com
creationsbyjamie.com
profirma-nachfolge.com
oasisbracelet.com
maurobenetti.com
mecs.club
mistressofherdivinity.com
vooronsland.com
navia.world
commagx4.info
caresring.com
yourstrivingforexcellence.com
alpinevalleytimeshares.com
Signatures
- Xloader Payload (1 IoC)
  Processes: resource behavioral1/memory/1924-63-0x0000000000400000-0x0000000000428000-memory.dmp, yara_rule xloader
- Loads dropped DLL (1 IoC)
  Processes: pid 1640, process 3ee47ef2fed1383543fed2509ee9d533.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 1640 (3ee47ef2fed1383543fed2509ee9d533.exe) set thread context of PID 1924 (3ee47ef2fed1383543fed2509ee9d533.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: pid 1924, process 3ee47ef2fed1383543fed2509ee9d533.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: pid 1640, process 3ee47ef2fed1383543fed2509ee9d533.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: PID 1640 (3ee47ef2fed1383543fed2509ee9d533.exe) wrote to memory of PID 1924 (3ee47ef2fed1383543fed2509ee9d533.exe); this event is recorded 5 times
Processes
- C:\Users\Admin\AppData\Local\Temp\3ee47ef2fed1383543fed2509ee9d533.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3ee47ef2fed1383543fed2509ee9d533.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3ee47ef2fed1383543fed2509ee9d533.exe (depth 2, child of the process above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3ee47ef2fed1383543fed2509ee9d533.exe"
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsnFF18.tmp\utxxc4czqys.dll
  MD5: a25fe018f6fb4fcd1134d4ffa75e9029
  SHA1: e79647b873328ea7c0bb78002aebfcb28faac117
  SHA256: 3782ffc7a3c50c4953d328144e6e6c154eaf4986f2a4c7cb5781d64790c8cc9b
  SHA512: 8260e5008728bd161fc7f16923de5e266ffc5ac1d3758b667a275dfd5ac3f2fb713193b477b0565e5a9dfdf5b52428a9a6f33fb53a6572573bea637da772a15c
- memory/1640-59-0x00000000761E1000-0x00000000761E3000-memory.dmp
  Filesize: 8KB
- memory/1640-62-0x00000000020E0000-0x00000000020E2000-memory.dmp
  Filesize: 8KB
- memory/1924-61-0x000000000041D000-mapping.dmp
- memory/1924-63-0x0000000000400000-0x0000000000428000-memory.dmp
  Filesize: 160KB
- memory/1924-64-0x0000000000860000-0x0000000000B63000-memory.dmp
  Filesize: 3.0MB