Analysis
- max time kernel: 150s
- max time network: 142s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 04-05-2021 09:58
- Static task: static1
- Behavioral task: behavioral1
- Sample: Lanco,pdf.exe
- Resource: win7v20210408
General
- Target: Lanco,pdf.exe
- Size: 245KB
- MD5: d539972067e967998d09d0a2f1b31b52
- SHA1: 20fce9b0e4e0f86143dfba1259b0293a32d74cbb
- SHA256: b36a2901bfafd8723bfddd0388f65b0a46237b063ca33edbf773bb589f929981
- SHA512: ffa91ce8a780bf1a8fb9f2dba0d5fc74744c82a600d6890acafeff6610828e6d8da751b34cb2ea46558c9a2387c66415c82c254c6131467546fbbae19b3bcd65
Malware Config
Extracted
- Family: xloader
- Version: 2.3
- URL: http://www.buymobilia.com/ugtw/
Signatures

Xloader Payload 2 IoCs
- behavioral2/memory/908-117-0x0000000000400000-0x0000000000428000-memory.dmp: yara_rule xloader
- behavioral2/memory/2336-124-0x00000000031C0000-0x00000000031E8000-memory.dmp: yara_rule xloader

Loads dropped DLL 1 IoCs
- PID 3944 Lanco,pdf.exe

Suspicious use of SetThreadContext 3 IoCs
- PID 3944 Lanco,pdf.exe set thread context of PID 908 Lanco,pdf.exe
- PID 908 Lanco,pdf.exe set thread context of PID 2492 Explorer.EXE
- PID 2336 msdt.exe set thread context of PID 2492 Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses 62 IoCs
- PID 908 Lanco,pdf.exe (4 hits)
- PID 2336 msdt.exe (58 hits)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
- PID 2492 Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs
- PID 3944 Lanco,pdf.exe (1 hit)
- PID 908 Lanco,pdf.exe (3 hits)
- PID 2336 msdt.exe (2 hits)

Suspicious use of AdjustPrivilegeToken 6 IoCs
- PID 908 Lanco,pdf.exe: Token: SeDebugPrivilege
- PID 2492 Explorer.EXE: Token: SeShutdownPrivilege
- PID 2492 Explorer.EXE: Token: SeCreatePagefilePrivilege
- PID 2492 Explorer.EXE: Token: SeShutdownPrivilege
- PID 2492 Explorer.EXE: Token: SeCreatePagefilePrivilege
- PID 2336 msdt.exe: Token: SeDebugPrivilege

Suspicious use of UnmapMainImage 1 IoCs
- PID 2492 Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs
- PID 3944 Lanco,pdf.exe wrote to memory of PID 908 Lanco,pdf.exe (4 hits)
- PID 2492 Explorer.EXE wrote to memory of PID 2336 msdt.exe (3 hits)
- PID 2336 msdt.exe wrote to memory of PID 2948 cmd.exe (3 hits)
Processes
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Lanco,pdf.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Lanco,pdf.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Lanco,pdf.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Lanco,pdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\autofmt.exe (depth 2, listed 9 times at this level)
    Command line: "C:\Windows\SysWOW64\autofmt.exe"
  - C:\Windows\SysWOW64\msdt.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\msdt.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Lanco,pdf.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsu538.tmp\b64gt.dll
  MD5: c51e82e4d8b71b52311dd3b83ed82da8
  SHA1: d30a8cd5a36fe7d59b1ec9209913e2297e588b7c
  SHA256: 5293ac79c7ae9256c12874bacd71b555250484a139726625ebc414e871616f12
  SHA512: 45127a9290386396b26f050ed653985651c7c19f281743fc3aa9d0f7b69c72a22a9b5fee09c2862360ef3d1b289a1569babd5b25a0861c271efc7f0e15183c93
- memory/908-119-0x00000000008B0000-0x00000000008C0000-memory.dmp (Filesize 64KB)
- memory/908-115-0x000000000041D040-mapping.dmp
- memory/908-117-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
- memory/908-118-0x0000000000BB0000-0x0000000000ED0000-memory.dmp (Filesize 3.1MB)
- memory/2336-124-0x00000000031C0000-0x00000000031E8000-memory.dmp (Filesize 160KB)
- memory/2336-121-0x0000000000000000-mapping.dmp
- memory/2336-123-0x0000000001020000-0x0000000001193000-memory.dmp (Filesize 1.4MB)
- memory/2336-125-0x00000000049B0000-0x0000000004CD0000-memory.dmp (Filesize 3.1MB)
- memory/2336-126-0x0000000004D60000-0x0000000004DEF000-memory.dmp (Filesize 572KB)
- memory/2492-120-0x00000000058D0000-0x00000000059CD000-memory.dmp (Filesize 1012KB)
- memory/2492-127-0x00000000033A0000-0x000000000347F000-memory.dmp (Filesize 892KB)
- memory/2948-122-0x0000000000000000-mapping.dmp
- memory/3944-116-0x0000000000AC0000-0x0000000000AC2000-memory.dmp (Filesize 8KB)