Analysis
max time kernel: 4s
max time network: 8s
platform: windows7_x64
resource: win7v20210408
submitted: 03-05-2021 12:06
Static task: static1
Behavioral task: behavioral1
Sample: 2833ffeca48c46759cb0d4c984e81a9b69614c368bf0052600786e55fd534d67.exe
Resource: win7v20210408
General
Target: 2833ffeca48c46759cb0d4c984e81a9b69614c368bf0052600786e55fd534d67.exe
Size: 207KB
MD5: 716f61cba6d08cd0c1904bcc827b56a0
SHA1: 357a1acb28174392e191716972537555790ae792
SHA256: 2833ffeca48c46759cb0d4c984e81a9b69614c368bf0052600786e55fd534d67
SHA512: 6b392de718dca8d95b05f06a466b9e52ad0f757fef81a6237b541563f60cb2238ea5f451fe6ed4ca1edb9ba8af14318ea3c6d6708e456273544ddfdd5328d24e
Malware Config
Extracted
Family: xloader
Version: 2.3
URL: http://www.stonescapes1.com/de92/
Signatures
Xloader Payload 1 IoCs
Processes:
  resource: behavioral1/memory/1844-63-0x0000000000400000-0x0000000000428000-memory.dmp
  yara_rule: xloader
Loads dropped DLL 1 IoCs
Processes:
  pid 1992, process 2833ffeca48c46759cb0d4c984e81a9b69614c368bf0052600786e55fd534d67.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
  PID 1992 set thread context of 1844 (process 2833ffeca48c46759cb0d4c984e81a9b69614c368bf0052600786e55fd534d67.exe, target process 2833ffeca48c46759cb0d4c984e81a9b69614c368bf0052600786e55fd534d67.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
  pid 1844, process 2833ffeca48c46759cb0d4c984e81a9b69614c368bf0052600786e55fd534d67.exe
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
  pid 1992, process 2833ffeca48c46759cb0d4c984e81a9b69614c368bf0052600786e55fd534d67.exe
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
  PID 1992 wrote to memory of 1844 (process 2833ffeca48c46759cb0d4c984e81a9b69614c368bf0052600786e55fd534d67.exe, target process 2833ffeca48c46759cb0d4c984e81a9b69614c368bf0052600786e55fd534d67.exe), 5 identical entries
Processes
C:\Users\Admin\AppData\Local\Temp\2833ffeca48c46759cb0d4c984e81a9b69614c368bf0052600786e55fd534d67.exe  "C:\Users\Admin\AppData\Local\Temp\2833ffeca48c46759cb0d4c984e81a9b69614c368bf0052600786e55fd534d67.exe"  (PID 1992)
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\2833ffeca48c46759cb0d4c984e81a9b69614c368bf0052600786e55fd534d67.exe  "C:\Users\Admin\AppData\Local\Temp\2833ffeca48c46759cb0d4c984e81a9b69614c368bf0052600786e55fd534d67.exe"  (PID 1844)
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 754f65f8025460256126f94d880be78e
SHA1: 888427853b9b5d919423eaabe8be2fb126a80203
SHA256: 4f70280ff2a0811ddcb7fee2893d432e78234f8121f83c8d51f4ad3f0caaa75d
SHA512: 3a1079624bc0b56f14e9b991540d9f8e8ef8085d8b133eb340a0320f6db4a44ecbec778be29cf0bf175c9479b1c88dc0d30b8458750983fbe08229c89cbb197a