Analysis
max time kernel: 153s
max time network: 152s
platform: windows7_x64
resource: win7v20210408
submitted: 12-04-2021 12:05

Static task: static1
Behavioral task: behavioral1
  Sample: 12042021493876783,xlsx.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 12042021493876783,xlsx.exe
  Resource: win10v20210410
General
Target: 12042021493876783,xlsx.exe
Size: 761KB
MD5: cd20bbd3e19a80fa77317cd2c42facdd
SHA1: 41f9e2ee597df731ccd379c7e2a393fbafdbf6c0
SHA256: f2a1b48f82208d3d1bf4e613fd7c6a16f63c96ebb2c31ed502ec67cb6768b2f6
SHA512: 4dd51b8d788bfaf6428b3b6336272d3ac5660d52d0efcda28bc0641ddf9d65b74c4700e6922b97a63e8edc82fd4b3e4e35f374b71251f205aefbe040d6ff2995
Malware Config
Extracted: xloader 2.3
Signatures

Xloader Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/1880-62-0x0000000000000000-mapping.dmp | xloader
  behavioral1/memory/1880-74-0x0000000010410000-0x0000000010439000-memory.dmp | xloader
  behavioral1/memory/844-83-0x0000000000080000-0x00000000000A9000-memory.dmp | xloader

Executes dropped EXE (2 IoCs)
  pid | process
  1140 | Netplwiz.exe
  1640 | Netplwiz.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dhiuyy = "C:\\Users\\Public\\Libraries\\yyuihD.url" | 12042021493876783,xlsx.exe

Suspicious use of SetThreadContext (2 IoCs)
  description | pid | process | target process
  PID 1880 set thread context of 1200 | 1880 | dialer.exe | Explorer.EXE
  PID 844 set thread context of 1200 | 844 | msdt.exe | Explorer.EXE

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (24 IoCs)
  pid | process
  1880 | dialer.exe (2 events)
  844 | msdt.exe (22 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  1200 | Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid | process
  1880 | dialer.exe (3 events)
  844 | msdt.exe (2 events)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1880 | dialer.exe
  Token: SeShutdownPrivilege | 1200 | Explorer.EXE (2 events)
  Token: SeDebugPrivilege | 844 | msdt.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
  pid | process
  1200 | Explorer.EXE (4 events)

Suspicious use of SendNotifyMessage (4 IoCs)
  pid | process
  1200 | Explorer.EXE (4 events)

Suspicious use of WriteProcessMemory (23 IoCs)
  description | pid | process | target process
  PID 980 wrote to memory of 1880 | 980 | 12042021493876783,xlsx.exe | dialer.exe (7 events)
  PID 980 wrote to memory of 628 | 980 | 12042021493876783,xlsx.exe | cmd.exe (4 events)
  PID 628 wrote to memory of 1696 | 628 | cmd.exe | cmd.exe (4 events)
  PID 1200 wrote to memory of 844 | 1200 | Explorer.EXE | msdt.exe (4 events)
  PID 844 wrote to memory of 1376 | 844 | msdt.exe | cmd.exe (4 events)
Processes

[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\12042021493876783,xlsx.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\12042021493876783,xlsx.exe"
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\dialer.exe
        command line: C:\Windows\System32\dialer.exe
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c ""C:\Users\Public\stt.bat" "
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /K C:\Users\Public\PXOR.bat

        [5] C:\Windows \System32\Netplwiz.exe
            command line: "C:\Windows \System32\Netplwiz.exe"
            - Executes dropped EXE

        [5] C:\Windows \System32\Netplwiz.exe
            command line: "C:\Windows \System32\Netplwiz.exe"
            - Executes dropped EXE

  [2] C:\Windows\SysWOW64\msdt.exe
      command line: "C:\Windows\SysWOW64\msdt.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        command line: /c del "C:\Windows\SysWOW64\dialer.exe"
Downloads

C:\Users\Public\NETUTILS.dll
  MD5: 39507d772c63ca496a25a14a8b5d14b2
  SHA1: 5b603f5c11eb9ab4313694315b4d4894ff4641d4
  SHA256: 36d1fa474cd8271f9b74b9481025614b6ff309f767f69d9f1ff3960c7205ad12
  SHA512: 0c740fd7b6d67d9938b0d8e1ea7d6c41910dd6d0b85b4ec8b6015ff8c0c73798dee01f01da0b5b0c07038663aca7945faca0e2b5afc1cb751aaba7567d332f5f

C:\Users\Public\Netplwiz.exe
  MD5: f94b7fb6dac49844d03c7087b2d8b472
  SHA1: 0e84139fced0ee8ef929d0bd5f01559a7dcf1db0
  SHA256: 46e31f337ed0d9a6fe3f159abc91c9b9b6a6062982bbcd84a51784d7128e7ae4
  SHA512: d63878f94f7699e4cc63c2cd885c29455e0c423d32dba750e4fc3aa74dbaca80a1a4b176719213b9fc6584de6a40cddff7864c7fb4cfba13dfcb437a36e41b80

C:\Users\Public\PXOR.bat
  MD5: 0d8aef656413642f55e0902cc5df5e6f
  SHA1: 73ec56d08bd9b3c45d55c97bd1c1286b77c8ff49
  SHA256: 670f94b92f45bc2f3f44a80c7f3021f874aa16fde38ed7d7f3ebed13ae09fa11
  SHA512: efe690b1bcf06e16be469622b45c98b5dc1f1e06410cbf7e7dccb2975524c4d6bc7e23de9a129d50d73cd924f02e23f925555894f2c7da1064dcc57151f50876

C:\Users\Public\stt.bat
  MD5: 8a850253c31df9a7e1c00c80df2630d5
  SHA1: e3da74081b027a3b591488b28da22742bcfe8495
  SHA256: 8fdeba3ec903bde700342083d16f72452366aa0b1b30d0e58dee0af74cebfa35
  SHA512: 30510bdc34680a0865a0811d9be29dec91c74717feccd58c9b4d88e77be9e5d13a539806a1b2901aff595b2fe2cc45926b69ed42e899d2dd2913c78a732e84d1

C:\Windows \System32\Netplwiz.exe
  MD5: f94b7fb6dac49844d03c7087b2d8b472
  SHA1: 0e84139fced0ee8ef929d0bd5f01559a7dcf1db0
  SHA256: 46e31f337ed0d9a6fe3f159abc91c9b9b6a6062982bbcd84a51784d7128e7ae4
  SHA512: d63878f94f7699e4cc63c2cd885c29455e0c423d32dba750e4fc3aa74dbaca80a1a4b176719213b9fc6584de6a40cddff7864c7fb4cfba13dfcb437a36e41b80
memory/628-63-0x0000000000000000-mapping.dmp
memory/844-85-0x0000000000820000-0x00000000008AF000-memory.dmp (572KB)
memory/844-84-0x00000000021F0000-0x00000000024F3000-memory.dmp (3.0MB)
memory/844-83-0x0000000000080000-0x00000000000A9000-memory.dmp (164KB)
memory/844-82-0x0000000000140000-0x0000000000234000-memory.dmp (976KB)
memory/844-79-0x0000000000000000-mapping.dmp
memory/980-61-0x0000000000230000-0x0000000000231000-memory.dmp (4KB)
memory/980-60-0x0000000075FF1000-0x0000000075FF3000-memory.dmp (8KB)
memory/1200-78-0x0000000005FD0000-0x0000000006171000-memory.dmp (1.6MB)
memory/1200-86-0x0000000006180000-0x00000000062D9000-memory.dmp (1.3MB)
memory/1376-81-0x0000000000000000-mapping.dmp
memory/1696-75-0x0000000002280000-0x0000000002281000-memory.dmp (4KB)
memory/1696-66-0x0000000000000000-mapping.dmp
memory/1880-73-0x00000000000D0000-0x00000000000D1000-memory.dmp (4KB)
memory/1880-74-0x0000000010410000-0x0000000010439000-memory.dmp (164KB)
memory/1880-76-0x0000000000C80000-0x0000000000F83000-memory.dmp (3.0MB)
memory/1880-77-0x0000000000210000-0x0000000000220000-memory.dmp (64KB)
memory/1880-62-0x0000000000000000-mapping.dmp