Analysis

max time kernel: 146s
max time network: 145s
platform: windows7_x64
resource: win7v20210410
submitted: 06-05-2021 12:06

Static task: static1
Behavioral task: behavioral1
Sample: 8c2d96ab_by_Libranalysis.exe
Resource: win7v20210410
General

Target: 8c2d96ab_by_Libranalysis.exe
Size: 205KB
MD5: 8c2d96abda99516a36f04f6a504bf79e
SHA1: b2e6c392636248c2705ac3a23a6fafbc8e5c1897
SHA256: a0b018fb2193eec4f61de14d4d60b1cae8ba46b2cabfc704d59ac6d134dbf4e5
SHA512: f1223ff5e2c800b049600264a6fa69293dc7c404697a506da7cfa29e1977b8ce97860c164b46e9840d89dba69defafa9930b7af76e0a6617691bf5bc1e4e3144
Malware Config

Extracted: xloader 2.3
http://www.onyxcomputing.com/u8nw/
constructionjadams.com
organicwellnessfarm.com
beautiful.tours
medvows.com
foxparanormal.com
fsmxmc.com
graniterealestategroup.net
qgi1.com
astrologicsolutions.com
rafbar.com
bastiontools.net
emotist.com
stacyleets.com
bloodtypealpha.com
healtybenenfitsplus.com
vavadadoa3.com
chefbenhk.com
dotgz.com
xn--z4qm188e645c.com
ethyi.com
farrellforcouncil.com
everythingcornea.com
pensje.net
haichuanxin.com
codeproper.com
beautyblvdca.com
namastecarrier.com
xtrator.com
alphabrainbalancing.com
sensationalcleaningservices.net
magistv.info
shotsbynox.com
zioninfosystems.net
yourstoryplace.com
ebmulla.com
turkeyvisa-government.com
albertsonsolutions.com
7brochasmagicas.com
revolutiontourselsalvador.com
eastboundanddowntrucking.com
jkskylights.com
ultimatepoolwater.com
diurr.com
investmentfocused.com
dogscanstay.com
inov8digital.com
paragoncraftevents.com
reservesunbeds.com
melaniesalascosmetics.com
vissito.com
axolc-upoc.xyz
customessayjojo.com
kladki.com
online-securegov.com
xn--demirelik-u3a.com
plgmap.com
contorig2.com
dgyzgs8.com
valuedmind.com
sanacolitademarijuana.com
xn--6j1bs50berk.com
labkitsforstudents.com
lifehakershagirl.online
candidanddevout.com
Signatures

Xloader Payload 2 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/1744-64-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
behavioral1/memory/1700-71-0x0000000000080000-0x00000000000A9000-memory.dmp   xloader
Deletes itself 1 IoCs
Processes:
pid   process
888   cmd.exe
Loads dropped DLL 1 IoCs
Processes:
pid    process
1084   8c2d96ab_by_Libranalysis.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
description                            pid    process                        target process
PID 1084 set thread context of 1744    1084   8c2d96ab_by_Libranalysis.exe   8c2d96ab_by_Libranalysis.exe
PID 1744 set thread context of 1288    1744   8c2d96ab_by_Libranalysis.exe   Explorer.EXE
PID 1700 set thread context of 1288    1700   svchost.exe                    Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:
pid    process                        entries
1744   8c2d96ab_by_Libranalysis.exe   2
1700   svchost.exe                    28
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid    process
1288   Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid    process
1084   8c2d96ab_by_Libranalysis.exe
1744   8c2d96ab_by_Libranalysis.exe
1744   8c2d96ab_by_Libranalysis.exe
1744   8c2d96ab_by_Libranalysis.exe
1700   svchost.exe
1700   svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description                pid    process
Token: SeDebugPrivilege    1744   8c2d96ab_by_Libranalysis.exe
Token: SeDebugPrivilege    1700   svchost.exe
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid    process
1288   Explorer.EXE
1288   Explorer.EXE
1288   Explorer.EXE
1288   Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
pid    process
1288   Explorer.EXE
1288   Explorer.EXE
1288   Explorer.EXE
1288   Explorer.EXE
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
description                         pid    process                        target process
PID 1084 wrote to memory of 1744    1084   8c2d96ab_by_Libranalysis.exe   8c2d96ab_by_Libranalysis.exe
PID 1084 wrote to memory of 1744    1084   8c2d96ab_by_Libranalysis.exe   8c2d96ab_by_Libranalysis.exe
PID 1084 wrote to memory of 1744    1084   8c2d96ab_by_Libranalysis.exe   8c2d96ab_by_Libranalysis.exe
PID 1084 wrote to memory of 1744    1084   8c2d96ab_by_Libranalysis.exe   8c2d96ab_by_Libranalysis.exe
PID 1084 wrote to memory of 1744    1084   8c2d96ab_by_Libranalysis.exe   8c2d96ab_by_Libranalysis.exe
PID 1288 wrote to memory of 1700    1288   Explorer.EXE                   svchost.exe
PID 1288 wrote to memory of 1700    1288   Explorer.EXE                   svchost.exe
PID 1288 wrote to memory of 1700    1288   Explorer.EXE                   svchost.exe
PID 1288 wrote to memory of 1700    1288   Explorer.EXE                   svchost.exe
PID 1700 wrote to memory of 888     1700   svchost.exe                    cmd.exe
PID 1700 wrote to memory of 888     1700   svchost.exe                    cmd.exe
PID 1700 wrote to memory of 888     1700   svchost.exe                    cmd.exe
PID 1700 wrote to memory of 888     1700   svchost.exe                    cmd.exe
Processes

Level 1: C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\8c2d96ab_by_Libranalysis.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\8c2d96ab_by_Libranalysis.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\8c2d96ab_by_Libranalysis.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\8c2d96ab_by_Libranalysis.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\SysWOW64\svchost.exe
    command line: "C:\Windows\SysWOW64\svchost.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\8c2d96ab_by_Libranalysis.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
\Users\Admin\AppData\Local\Temp\nsx56E.tmp\ijjn4rmb.dll
MD5     b8d5ccc0769f2b46d120f58366a70748
SHA1    e18714d1745d50244f38d1d5450fb0dc138e4a9a
SHA256  5e31e46243351c07b44e1ab234751d077675afa3b9ace2467bffb5d83001efbd
SHA512  9ce576c9ffbe2eb355e553a1396bbf3e6d929cacf4c77429db1b090eff526da6c12438f8fde33787d745775fb149f9d3921785d3b9b4ed26d9835198ef063e2c

memory/888-69-0x0000000000000000-mapping.dmp
memory/1084-63-0x00000000002F0000-0x00000000002F2000-memory.dmp   Filesize 8KB
memory/1084-60-0x00000000752F1000-0x00000000752F3000-memory.dmp   Filesize 8KB
memory/1288-67-0x0000000004FF0000-0x0000000005197000-memory.dmp   Filesize 1.7MB
memory/1288-74-0x00000000049A0000-0x0000000004A73000-memory.dmp   Filesize 844KB
memory/1700-68-0x0000000000000000-mapping.dmp
memory/1700-70-0x0000000000610000-0x0000000000618000-memory.dmp   Filesize 32KB
memory/1700-71-0x0000000000080000-0x00000000000A9000-memory.dmp   Filesize 164KB
memory/1700-72-0x00000000008F0000-0x0000000000BF3000-memory.dmp   Filesize 3.0MB
memory/1700-73-0x0000000000460000-0x00000000004EF000-memory.dmp   Filesize 572KB
memory/1744-64-0x0000000000400000-0x0000000000429000-memory.dmp   Filesize 164KB
memory/1744-65-0x0000000000840000-0x0000000000B43000-memory.dmp   Filesize 3.0MB
memory/1744-66-0x00000000002B0000-0x00000000002C0000-memory.dmp   Filesize 64KB
memory/1744-62-0x000000000041D0C0-mapping.dmp