Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 05-05-2021 18:00

Static task: static1
Behavioral task: behavioral1
- Sample: qt-64647euro.exe
- Resource: win7v20210408
General
- Target: qt-64647euro.exe
- Size: 376KB
- MD5: c7869904df7369ecb0e07caa879bb981
- SHA1: f35f9af1d4cb23da445e03a9763663790aeec6f1
- SHA256: 078e4b00d3b4cf59fcdb2ec643fa91edb000419950a3e5ac973b0ed0c648d87a
- SHA512: 0453ceb6e22b5a0449af4a17a0ea41bb107328a436810339061f9b3a74b5b30cb427c61671199248683db145fed7fe8ded88e836191b27f6ae3db07e1bbe3122
Malware Config
Extracted
- Family: xloader
- Version: 2.3
- C2: http://www.wwwnptpool.com/cea0/
Signatures
- Xloader Payload (4 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/1820-114-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral2/memory/1820-115-0x000000000041D0B0-mapping.dmp | xloader
  behavioral2/memory/1820-118-0x0000000000530000-0x000000000067A000-memory.dmp | xloader
  behavioral2/memory/2500-123-0x0000000000EE0000-0x0000000000F09000-memory.dmp | xloader
- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 3560 set thread context of 1820 | 3560 | qt-64647euro.exe | qt-64647euro.exe
  PID 1820 set thread context of 2984 | 1820 | qt-64647euro.exe | Explorer.EXE
  PID 2500 set thread context of 2984 | 2500 | wlanext.exe | Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (62 IoCs)
  Processes:
  pid | process
  1820 | qt-64647euro.exe (4 entries)
  2500 | wlanext.exe (58 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  pid | process
  2984 | Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes:
  pid | process
  1820 | qt-64647euro.exe (3 entries)
  2500 | wlanext.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1820 | qt-64647euro.exe
  Token: SeDebugPrivilege | 2500 | wlanext.exe
- Suspicious use of UnmapMainImage (1 IoC)
  Processes:
  pid | process
  2984 | Explorer.EXE
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 3560 wrote to memory of 1820 | 3560 | qt-64647euro.exe | qt-64647euro.exe (6 entries)
  PID 2984 wrote to memory of 2500 | 2984 | Explorer.EXE | wlanext.exe (3 entries)
  PID 2500 wrote to memory of 3976 | 2500 | wlanext.exe | cmd.exe (3 entries)
Processes
- C:\Windows\Explorer.EXE (level 1, PID 2984)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\qt-64647euro.exe (level 2, PID 3560)
    Command line: "C:\Users\Admin\AppData\Local\Temp\qt-64647euro.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\qt-64647euro.exe (level 3, PID 1820)
      Command line: "C:\Users\Admin\AppData\Local\Temp\qt-64647euro.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\wlanext.exe (level 2, PID 2500)
    Command line: "C:\Windows\SysWOW64\wlanext.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (level 3, PID 3976)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\qt-64647euro.exe"
Network
MITRE ATT&CK Matrix
Downloads
- memory/1820-118-0x0000000000530000-0x000000000067A000-memory.dmp (Filesize: 1.3MB)
- memory/1820-115-0x000000000041D0B0-mapping.dmp
- memory/1820-114-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/1820-119-0x0000000000AD0000-0x0000000000DF0000-memory.dmp (Filesize: 3.1MB)
- memory/2500-121-0x0000000000000000-mapping.dmp
- memory/2500-122-0x0000000001300000-0x0000000001317000-memory.dmp (Filesize: 92KB)
- memory/2500-123-0x0000000000EE0000-0x0000000000F09000-memory.dmp (Filesize: 164KB)
- memory/2500-125-0x0000000003670000-0x0000000003990000-memory.dmp (Filesize: 3.1MB)
- memory/2500-126-0x0000000003420000-0x00000000034AF000-memory.dmp (Filesize: 572KB)
- memory/2984-120-0x00000000057C0000-0x00000000058B6000-memory.dmp (Filesize: 984KB)
- memory/2984-127-0x0000000003050000-0x00000000030E4000-memory.dmp (Filesize: 592KB)
- memory/3560-116-0x0000000000990000-0x0000000000ADA000-memory.dmp (Filesize: 1.3MB)
- memory/3976-124-0x0000000000000000-mapping.dmp