Analysis
max time kernel: 150s
max time network: 151s
platform: windows10_x64
resource: win10v20210408
submitted: 04-05-2021 11:01
Static task: static1
Behavioral task: behavioral1
Sample: 08917506_by_Libranalysis.exe
Resource: win7v20210410
General
Target: 08917506_by_Libranalysis.exe
Size: 671KB
MD5: 089175069d5c095f078b7f8a3b28a22d
SHA1: a563615dfe562e7a11c2b7f21dcfcd412594eeee
SHA256: 173797a7a7a881f3d6230015620bae28d21b4b41b7e568c2a881b3c0829dd67e
SHA512: 987900b187a7757e186238fcc1a6b72c26a8b6619818ea34d91df86c8f1a1f79e31323d42f054f98cb705ec9c6b4720c5159f5746739388fa971942db79b5694
Malware Config
Extracted
Family: xloader
Version: 2.3
Signatures

Xloader Payload (3 IoCs)
resource | yara_rule
behavioral2/memory/1324-121-0x0000000000400000-0x0000000000428000-memory.dmp | xloader
behavioral2/memory/1324-122-0x000000000041CFB0-mapping.dmp | xloader
behavioral2/memory/3936-130-0x00000000005B0000-0x00000000005D8000-memory.dmp | xloader
Suspicious use of SetThreadContext (3 IoCs)
description | pid | process | target process
PID 3920 set thread context of 1324 | 3920 | 08917506_by_Libranalysis.exe | 08917506_by_Libranalysis.exe
PID 1324 set thread context of 3000 | 1324 | 08917506_by_Libranalysis.exe | Explorer.EXE
PID 3936 set thread context of 3000 | 3936 | netsh.exe | Explorer.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid | process | events
1324 | 08917506_by_Libranalysis.exe | 4
3936 | netsh.exe | 12
Suspicious behavior: MapViewOfSection (5 IoCs)
pid | process | events
1324 | 08917506_by_Libranalysis.exe | 3
3936 | netsh.exe | 2
Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | process
Token: SeDebugPrivilege | 1324 | 08917506_by_Libranalysis.exe
Token: SeShutdownPrivilege | 3000 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3000 | Explorer.EXE
Token: SeShutdownPrivilege | 3000 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3000 | Explorer.EXE
Token: SeDebugPrivilege | 3936 | netsh.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | process | events
3920 | 08917506_by_Libranalysis.exe | 2
Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | process | target process | events
PID 3920 wrote to memory of 3384 | 3920 | 08917506_by_Libranalysis.exe | schtasks.exe | 3
PID 3920 wrote to memory of 1324 | 3920 | 08917506_by_Libranalysis.exe | 08917506_by_Libranalysis.exe | 6
PID 3000 wrote to memory of 3936 | 3000 | Explorer.EXE | netsh.exe | 3
PID 3936 wrote to memory of 3748 | 3936 | netsh.exe | cmd.exe | 3
Processes (tree; nesting depth shown by indentation)

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\08917506_by_Libranalysis.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\08917506_by_Libranalysis.exe"
    signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OfCxSfBf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE0AC.tmp"
      signatures: Creates scheduled task(s)
    C:\Users\Admin\AppData\Local\Temp\08917506_by_Libranalysis.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\08917506_by_Libranalysis.exe"
      signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\netsh.exe
    command line: "C:\Windows\SysWOW64\netsh.exe"
    signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\08917506_by_Libranalysis.exe"
      signatures: (none)
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE0AC.tmp
MD5: 698d6e5c852a842b8ce33e35a48b34fb
SHA1: 7889f46e0065ea8892c742df6827da9283917be9
SHA256: be72d2f135c045173cbc0493b14686376cbd399d94dc16c030e56384a6e9a94d
SHA512: 72acc7a8a83982fafb1e6625bf126bb11fb1a2277d210d2732dc0055eb6282733f172565d2ba626a8c033d74a509b3dd62eaf03eb046c0840454da8a170ba5f0

Memory dumps
dump | filesize
memory/1324-125-0x0000000001200000-0x00000000012AE000-memory.dmp | 696KB
memory/1324-124-0x00000000017A0000-0x0000000001AC0000-memory.dmp | 3.1MB
memory/1324-121-0x0000000000400000-0x0000000000428000-memory.dmp | 160KB
memory/1324-122-0x000000000041CFB0-mapping.dmp | -
memory/3000-133-0x0000000002DB0000-0x0000000002E43000-memory.dmp | 588KB
memory/3000-126-0x0000000002CD0000-0x0000000002DB0000-memory.dmp | 896KB
memory/3384-119-0x0000000000000000-mapping.dmp | -
memory/3748-128-0x0000000000000000-mapping.dmp | -
memory/3920-117-0x0000000000E10000-0x0000000000F5A000-memory.dmp | 1.3MB
memory/3920-114-0x0000000000E10000-0x0000000000F5A000-memory.dmp | 1.3MB
memory/3920-118-0x0000000000E10000-0x0000000000F5A000-memory.dmp | 1.3MB
memory/3920-116-0x0000000000E10000-0x0000000000F5A000-memory.dmp | 1.3MB
memory/3920-115-0x0000000000E10000-0x0000000000F5A000-memory.dmp | 1.3MB
memory/3936-127-0x0000000000000000-mapping.dmp | -
memory/3936-130-0x00000000005B0000-0x00000000005D8000-memory.dmp | 160KB
memory/3936-129-0x0000000000900000-0x000000000091E000-memory.dmp | 120KB
memory/3936-131-0x0000000002E90000-0x00000000031B0000-memory.dmp | 3.1MB
memory/3936-132-0x0000000002D80000-0x0000000002E0F000-memory.dmp | 572KB