Analysis
Max time kernel: 149s
Max time network: 150s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 08-04-2021 07:05

Static task: static1
Behavioral task: behavioral1
Sample: PO7321.exe
Resource: win7v20201028
General
Target: PO7321.exe
Size: 562KB
MD5: 774eca4068dce6d3db505c49af0a516e
SHA1: 7708d1ed2bb3166bf74d0e92ac95bb8e379e1cf4
SHA256: 3a96891372a8578aab18d70a377d68a795ab2f92c4c97c5f0986d7f1006490d1
SHA512: b9534efd5b6d87f87cc5a83f3e8a8875600f059bcfef60daa5526908cb0414d291682953cae75fab6c48805cfa9f5711f2b6dac04b299741a78a71f82b3954e0
Malware Config
Extracted
Family: xloader
Version: 2.3
URL: http://www.013y.com/pnqr/
Domains:
bullexch9.com
hiiidesigns.com
yosapark-gakuenmae.com
movementinspires.com
orlandas.com
flowga.world
opende.info
jiconic.com
selviclothingco.com
herbalmedicineresearch.com
contex33.xyz
riord.com
alchemistslibrary.com
ecalyte.com
tutu119.com
61ue00.com
properwayllc.com
tamitoe.com
adacompliantsoftware.com
deliabe.com
edrcounselling.group
indigoconsultinguganda.com
stjom.church
vegansonfire.com
bostonimaginggroup.com
greenchilicountryjamboree.com
culvercoop.com
northlakerental.com
lpp888.xyz
hostinganl.com
spin889988.club
thedoctornearme.com
luolan99.com
gamers-casino.space
dailyovertips.com
torer.net
fuhrerscheindienst.com
diysergeant.com
neuralnuture.net
hysplashes.xyz
tretkurbel.site
ccelaya.com
electricalpanelmonterey.com
hullabaloocookies.com
sunnyshousebrooklyn.com
mini-jeep-willys.online
angelaharriotthomes.com
vpathletics.online
moeginokai.com
jesusistderweg.info
printsublimbandung.com
empirehomeservicesllc.com
fiestaselenas.com
elyonkioficial.com
instaseries94.com
digivalplan.com
highaltitudeballooning.com
choosefour.com
fitpawsmobile.com
radiancebyreilly.com
finlst.com
volmaqhsogroup.com
malayziascandles.com
lazerworkshop.com
Signatures

Xloader Payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/1684-5-0x0000000000400000-0x0000000000428000-memory.dmp    xloader
  behavioral2/memory/376-13-0x0000000000930000-0x0000000000958000-memory.dmp    xloader

Loads dropped DLL (1 IoCs)
  pid   process
  1176  PO7321.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                            pid   process        target process
  PID 1176 set thread context of 1684    1176  PO7321.exe     PO7321.exe
  PID 1684 set thread context of 2984    1684  PO7321.exe     Explorer.EXE
  PID 376 set thread context of 2984     376   ipconfig.exe   Explorer.EXE

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Gathers network information (2 TTPs, 1 IoCs)
  Uses commandline utility to view network configuration.
  pid   process
  376   ipconfig.exe

Suspicious behavior: EnumeratesProcesses (62 IoCs)
  pid   process
  1684  PO7321.exe     (4 entries)
  376   ipconfig.exe   (remaining 58 entries)

Suspicious behavior: MapViewOfSection (6 IoCs)
  pid   process
  1176  PO7321.exe
  1684  PO7321.exe     (3 entries)
  376   ipconfig.exe   (2 entries)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description                        pid   process
  Token: SeDebugPrivilege            1684  PO7321.exe
  Token: SeShutdownPrivilege         2984  Explorer.EXE
  Token: SeCreatePagefilePrivilege   2984  Explorer.EXE
  Token: SeShutdownPrivilege         2984  Explorer.EXE
  Token: SeCreatePagefilePrivilege   2984  Explorer.EXE
  Token: SeDebugPrivilege            376   ipconfig.exe

Suspicious use of UnmapMainImage (1 IoCs)
  pid   process
  2984  Explorer.EXE

Suspicious use of WriteProcessMemory (10 IoCs)
  description                          pid   process        target process
  PID 1176 wrote to memory of 1684     1176  PO7321.exe     PO7321.exe      (4 entries)
  PID 2984 wrote to memory of 376      2984  Explorer.EXE   ipconfig.exe    (3 entries)
  PID 376 wrote to memory of 2768      376   ipconfig.exe   cmd.exe         (3 entries)
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\PO7321.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\PO7321.exe"
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\PO7321.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\PO7321.exe"
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\ipconfig.exe
      Command line: "C:\Windows\SysWOW64\ipconfig.exe"
      - Suspicious use of SetThreadContext
      - Gathers network information
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: /c del "C:\Users\Admin\AppData\Local\Temp\PO7321.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

\Users\Admin\AppData\Local\Temp\nsi6901.tmp\57cmo2.dll
  MD5: 7418f8dc5479eeb371264cf36b4cf551
  SHA1: 40401572084a68334c508d98bf10aaa5a199bdc5
  SHA256: c5adce72a02aafb28dab7c360b1f5555bdedfe1d9d97bda574b6d9d29377bda0
  SHA512: 95d76945159a4e25440281d4c361f3672798c0129aa0cdc18f187e98df90e499d30da80c6c9d8e3ae5cbebc9b98084b8cf10e3716f88e042140e07c80ca7406b

memory/376-10-0x0000000000000000-mapping.dmp
memory/376-17-0x0000000003120000-0x00000000031AF000-memory.dmp  (Filesize: 572KB)
memory/376-14-0x0000000003390000-0x00000000036B0000-memory.dmp  (Filesize: 3.1MB)
memory/376-13-0x0000000000930000-0x0000000000958000-memory.dmp  (Filesize: 160KB)
memory/376-12-0x0000000000D80000-0x0000000000D8B000-memory.dmp  (Filesize: 44KB)
memory/1176-4-0x0000000002680000-0x0000000002682000-memory.dmp  (Filesize: 8KB)
memory/1684-5-0x0000000000400000-0x0000000000428000-memory.dmp  (Filesize: 160KB)
memory/1684-7-0x0000000000AE0000-0x0000000000E00000-memory.dmp  (Filesize: 3.1MB)
memory/1684-8-0x0000000000670000-0x0000000000680000-memory.dmp  (Filesize: 64KB)
memory/1684-3-0x000000000041D020-mapping.dmp
memory/2768-11-0x0000000000000000-mapping.dmp
memory/2984-9-0x0000000002CE0000-0x0000000002DAA000-memory.dmp  (Filesize: 808KB)
memory/2984-18-0x0000000005330000-0x0000000005433000-memory.dmp  (Filesize: 1.0MB)