Analysis
- max time kernel: 150s
- max time network: 146s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 30-04-2021 08:40

Static task: static1
Behavioral task: behavioral1
- Sample: raw f.exe
- Resource: win7v20210410

General
- Target: raw f.exe
- Size: 208KB
- MD5: 319f554641bef914792208e976030780
- SHA1: 111fd72e1f312727754f784a0da9b1a98fb4a00b
- SHA256: ec2271f9e6e57b84cae0e6df2af197a02133e5644d55eb3d2be373681397f919
- SHA512: a3f900284c9295e3378f291e41b7ddec4316c6916ba54b8fb7f448acda4c44bf9ec0331287a03b719ff451e9380b9a790cb7a60cb926103a97cd8617b3c2be6b
Malware Config
Extracted
- Family: xloader
- Version: 2.3
- C2: http://www.citestaccnt1597666144.com/ud9e/
Signatures
- Xloader Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/580-117-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral2/memory/2844-123-0x0000000002C00000-0x0000000002C29000-memory.dmp | xloader
- Loads dropped DLL (1 IoC)
  pid | process
  904 | raw f.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | process | target process
  PID 904 set thread context of 580 | 904 | raw f.exe | raw f.exe
  PID 580 set thread context of 3052 | 580 | raw f.exe | Explorer.EXE
  PID 2844 set thread context of 3052 | 2844 | cscript.exe | Explorer.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (60 IoCs)
  pid | process
  580 | raw f.exe (4 entries)
  2844 | cscript.exe (the remaining 56 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  3052 | Explorer.EXE
- Suspicious behavior: MapViewOfSection (6 IoCs)
  pid | process
  904 | raw f.exe
  580 | raw f.exe (3 entries)
  2844 | cscript.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 580 | raw f.exe
  Token: SeDebugPrivilege | 2844 | cscript.exe
- Suspicious use of UnmapMainImage (1 IoC)
  pid | process
  3052 | Explorer.EXE
- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | process | target process
  PID 904 wrote to memory of 580 | 904 | raw f.exe | raw f.exe (4 entries)
  PID 3052 wrote to memory of 2844 | 3052 | Explorer.EXE | cscript.exe (3 entries)
  PID 2844 wrote to memory of 1308 | 2844 | cscript.exe | cmd.exe (3 entries)
Processes (tree; indentation shows parent/child)
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  Signatures:
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\raw f.exe (depth 2, child of Explorer.EXE)
    Command line: "C:\Users\Admin\AppData\Local\Temp\raw f.exe"
    Signatures:
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\raw f.exe (depth 3, child of raw f.exe)
      Command line: "C:\Users\Admin\AppData\Local\Temp\raw f.exe"
      Signatures:
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cscript.exe (depth 2, child of Explorer.EXE)
    Command line: "C:\Windows\SysWOW64\cscript.exe"
    Signatures:
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3, child of cscript.exe)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\raw f.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- \Users\Admin\AppData\Local\Temp\nsi9A92.tmp\kmz6hm1h6.dll
  MD5: b937f8200c5d612b33a43dd0b6d64876
  SHA1: 8545ea96f096b6f51021c2318bddaf7862d4aca0
  SHA256: fd88cde6d3171f1f9ce43388c9a7994475785fbb4897e4e1c7a64025217f0530
  SHA512: fcc86a5d75d8c1db30e6b8bb720d3ddc7e8e7944c75f4c342ef6649334afd529d5e0bd0426d9434ce547b3d3bd5e6937dd32d2726fbe60d35f3768b651aea90a
- memory/580-120-0x00000000009D0000-0x0000000000CF0000-memory.dmp (Filesize: 3.1MB)
- memory/580-117-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/580-118-0x00000000009B0000-0x00000000009C0000-memory.dmp (Filesize: 64KB)
- memory/580-115-0x000000000041D110-mapping.dmp
- memory/904-116-0x0000000002FD0000-0x0000000002FF3000-memory.dmp (Filesize: 140KB)
- memory/1308-124-0x0000000000000000-mapping.dmp
- memory/2844-121-0x0000000000000000-mapping.dmp
- memory/2844-122-0x00000000001D0000-0x00000000001F7000-memory.dmp (Filesize: 156KB)
- memory/2844-123-0x0000000002C00000-0x0000000002C29000-memory.dmp (Filesize: 164KB)
- memory/2844-125-0x00000000045F0000-0x0000000004910000-memory.dmp (Filesize: 3.1MB)
- memory/2844-126-0x0000000004440000-0x00000000044CF000-memory.dmp (Filesize: 572KB)
- memory/3052-119-0x0000000002680000-0x0000000002746000-memory.dmp (Filesize: 792KB)
- memory/3052-127-0x0000000004C80000-0x0000000004D77000-memory.dmp (Filesize: 988KB)