Analysis
max time kernel: 149s
max time network: 151s
platform: windows10_x64
resource: win10v20210408
submitted: 04-05-2021 09:39
Static task: static1
Behavioral task: behavioral1
Sample: Lanco,pdf.exe
Resource: win7v20210408
General
Target: Lanco,pdf.exe
Size: 245KB
MD5: d539972067e967998d09d0a2f1b31b52
SHA1: 20fce9b0e4e0f86143dfba1259b0293a32d74cbb
SHA256: b36a2901bfafd8723bfddd0388f65b0a46237b063ca33edbf773bb589f929981
SHA512: ffa91ce8a780bf1a8fb9f2dba0d5fc74744c82a600d6890acafeff6610828e6d8da751b34cb2ea46558c9a2387c66415c82c254c6131467546fbbae19b3bcd65
Malware Config
Extracted
xloader
2.3
http://www.buymobilia.com/ugtw/
Signatures

Xloader Payload (2 IoCs)
resource | yara_rule
behavioral2/memory/2968-117-0x0000000000400000-0x0000000000428000-memory.dmp | xloader
behavioral2/memory/848-124-0x0000000000360000-0x0000000000388000-memory.dmp | xloader

Loads dropped DLL (1 IoCs)
pid | process
912 | Lanco,pdf.exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | process | target process
PID 912 set thread context of 2968 | 912 | Lanco,pdf.exe | Lanco,pdf.exe
PID 2968 set thread context of 2740 | 2968 | Lanco,pdf.exe | Explorer.EXE
PID 848 set thread context of 2740 | 848 | help.exe | Explorer.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (60 IoCs)
pid | process
2968 | Lanco,pdf.exe (4 entries)
848 | help.exe (the remaining 56 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | process
2740 | Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
pid | process
912 | Lanco,pdf.exe
2968 | Lanco,pdf.exe
2968 | Lanco,pdf.exe
2968 | Lanco,pdf.exe
848 | help.exe
848 | help.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 2968 | Lanco,pdf.exe
Token: SeDebugPrivilege | 848 | help.exe

Suspicious use of UnmapMainImage (1 IoCs)
pid | process
2740 | Explorer.EXE

Suspicious use of WriteProcessMemory (10 IoCs)
description | pid | process | target process
PID 912 wrote to memory of 2968 | 912 | Lanco,pdf.exe | Lanco,pdf.exe
PID 912 wrote to memory of 2968 | 912 | Lanco,pdf.exe | Lanco,pdf.exe
PID 912 wrote to memory of 2968 | 912 | Lanco,pdf.exe | Lanco,pdf.exe
PID 912 wrote to memory of 2968 | 912 | Lanco,pdf.exe | Lanco,pdf.exe
PID 2740 wrote to memory of 848 | 2740 | Explorer.EXE | help.exe
PID 2740 wrote to memory of 848 | 2740 | Explorer.EXE | help.exe
PID 2740 wrote to memory of 848 | 2740 | Explorer.EXE | help.exe
PID 848 wrote to memory of 684 | 848 | help.exe | cmd.exe
PID 848 wrote to memory of 684 | 848 | help.exe | cmd.exe
PID 848 wrote to memory of 684 | 848 | help.exe | cmd.exe
Processes (process tree; depth shown by indentation)

1. C:\Windows\Explorer.EXE (PID 2740)
   Command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Lanco,pdf.exe (PID 912)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Lanco,pdf.exe"
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\Lanco,pdf.exe (PID 2968)
         Command line: "C:\Users\Admin\AppData\Local\Temp\Lanco,pdf.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\help.exe (PID 848)
      Command line: "C:\Windows\SysWOW64\help.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe (PID 684)
         Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Lanco,pdf.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: c51e82e4d8b71b52311dd3b83ed82da8
SHA1: d30a8cd5a36fe7d59b1ec9209913e2297e588b7c
SHA256: 5293ac79c7ae9256c12874bacd71b555250484a139726625ebc414e871616f12
SHA512: 45127a9290386396b26f050ed653985651c7c19f281743fc3aa9d0f7b69c72a22a9b5fee09c2862360ef3d1b289a1569babd5b25a0861c271efc7f0e15183c93