Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 06-05-2021 11:02
Static task: static1
Behavioral task: behavioral1
- Sample: 8c2d96ab_by_Libranalysis.exe
- Resource: win7v20210410
General
- Target: 8c2d96ab_by_Libranalysis.exe
- Size: 205KB
- MD5: 8c2d96abda99516a36f04f6a504bf79e
- SHA1: b2e6c392636248c2705ac3a23a6fafbc8e5c1897
- SHA256: a0b018fb2193eec4f61de14d4d60b1cae8ba46b2cabfc704d59ac6d134dbf4e5
- SHA512: f1223ff5e2c800b049600264a6fa69293dc7c404697a506da7cfa29e1977b8ce97860c164b46e9840d89dba69defafa9930b7af76e0a6617691bf5bc1e4e3144
Malware Config
- Extracted family: xloader
- Version: 2.3
- URL: http://www.onyxcomputing.com/u8nw/
- Domains:
constructionjadams.com
organicwellnessfarm.com
beautiful.tours
medvows.com
foxparanormal.com
fsmxmc.com
graniterealestategroup.net
qgi1.com
astrologicsolutions.com
rafbar.com
bastiontools.net
emotist.com
stacyleets.com
bloodtypealpha.com
healtybenenfitsplus.com
vavadadoa3.com
chefbenhk.com
dotgz.com
xn--z4qm188e645c.com
ethyi.com
farrellforcouncil.com
everythingcornea.com
pensje.net
haichuanxin.com
codeproper.com
beautyblvdca.com
namastecarrier.com
xtrator.com
alphabrainbalancing.com
sensationalcleaningservices.net
magistv.info
shotsbynox.com
zioninfosystems.net
yourstoryplace.com
ebmulla.com
turkeyvisa-government.com
albertsonsolutions.com
7brochasmagicas.com
revolutiontourselsalvador.com
eastboundanddowntrucking.com
jkskylights.com
ultimatepoolwater.com
diurr.com
investmentfocused.com
dogscanstay.com
inov8digital.com
paragoncraftevents.com
reservesunbeds.com
melaniesalascosmetics.com
vissito.com
axolc-upoc.xyz
customessayjojo.com
kladki.com
online-securegov.com
xn--demirelik-u3a.com
plgmap.com
contorig2.com
dgyzgs8.com
valuedmind.com
sanacolitademarijuana.com
xn--6j1bs50berk.com
labkitsforstudents.com
lifehakershagirl.online
candidanddevout.com
Signatures
-
Xloader Payload (3 IoCs)
Processes (resource | yara_rule):
- behavioral2/memory/2640-117-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
- behavioral2/memory/2640-119-0x0000000000530000-0x000000000067A000-memory.dmp | xloader
- behavioral2/memory/3224-124-0x0000000000BC0000-0x0000000000BE9000-memory.dmp | xloader
-
Loads dropped DLL (1 IoC)
Processes (pid | process):
- 3260 | 8c2d96ab_by_Libranalysis.exe
-
Suspicious use of SetThreadContext (3 IoCs)
Processes (description | pid process | target process):
- PID 3260 set thread context of 2640 | 3260 8c2d96ab_by_Libranalysis.exe | 8c2d96ab_by_Libranalysis.exe
- PID 2640 set thread context of 3016 | 2640 8c2d96ab_by_Libranalysis.exe | Explorer.EXE
- PID 3224 set thread context of 3016 | 3224 msdt.exe | Explorer.EXE
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes (pid | process):
- 2640 | 8c2d96ab_by_Libranalysis.exe (4 entries)
- 3224 | msdt.exe (56 entries)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid | process):
- 3016 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection (6 IoCs)
Processes (pid | process):
- 3260 | 8c2d96ab_by_Libranalysis.exe
- 2640 | 8c2d96ab_by_Libranalysis.exe (3 entries)
- 3224 | msdt.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description | pid process):
- Token: SeDebugPrivilege | 2640 8c2d96ab_by_Libranalysis.exe
- Token: SeDebugPrivilege | 3224 msdt.exe
-
Suspicious use of UnmapMainImage (1 IoC)
Processes (pid | process):
- 3016 | Explorer.EXE
-
Suspicious use of WriteProcessMemory (10 IoCs)
Processes (description | pid process | target process):
- PID 3260 wrote to memory of 2640 | 3260 8c2d96ab_by_Libranalysis.exe | 8c2d96ab_by_Libranalysis.exe (4 entries)
- PID 3016 wrote to memory of 3224 | 3016 Explorer.EXE | msdt.exe (3 entries)
- PID 3224 wrote to memory of 2204 | 3224 msdt.exe | cmd.exe (3 entries)
Processes
-
C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
    C:\Users\Admin\AppData\Local\Temp\8c2d96ab_by_Libranalysis.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8c2d96ab_by_Libranalysis.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    -
        C:\Users\Admin\AppData\Local\Temp\8c2d96ab_by_Libranalysis.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\8c2d96ab_by_Libranalysis.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\SysWOW64\msdt.exe
    Command line: "C:\Windows\SysWOW64\msdt.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
        C:\Windows\SysWOW64\cmd.exe
        Command line: /c del "C:\Users\Admin\AppData\Local\Temp\8c2d96ab_by_Libranalysis.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nsa61DD.tmp\ijjn4rmb.dll
- MD5: b8d5ccc0769f2b46d120f58366a70748
- SHA1: e18714d1745d50244f38d1d5450fb0dc138e4a9a
- SHA256: 5e31e46243351c07b44e1ab234751d077675afa3b9ace2467bffb5d83001efbd
- SHA512: 9ce576c9ffbe2eb355e553a1396bbf3e6d929cacf4c77429db1b090eff526da6c12438f8fde33787d745775fb149f9d3921785d3b9b4ed26d9835198ef063e2c
-
memory/2204-122-0x0000000000000000-mapping.dmp
-
memory/2640-115-0x000000000041D0C0-mapping.dmp
-
memory/2640-117-0x0000000000400000-0x0000000000429000-memory.dmp
- Filesize: 164KB
-
memory/2640-118-0x0000000000A50000-0x0000000000D70000-memory.dmp
- Filesize: 3.1MB
-
memory/2640-119-0x0000000000530000-0x000000000067A000-memory.dmp
- Filesize: 1.3MB
-
memory/3016-120-0x0000000005840000-0x0000000005977000-memory.dmp
- Filesize: 1.2MB
-
memory/3016-127-0x0000000005980000-0x0000000005A59000-memory.dmp
- Filesize: 868KB
-
memory/3224-121-0x0000000000000000-mapping.dmp
-
memory/3224-124-0x0000000000BC0000-0x0000000000BE9000-memory.dmp
- Filesize: 164KB
-
memory/3224-123-0x00000000013A0000-0x0000000001513000-memory.dmp
- Filesize: 1.4MB
-
memory/3224-125-0x0000000004FD0000-0x00000000052F0000-memory.dmp
- Filesize: 3.1MB
-
memory/3224-126-0x0000000004BD0000-0x0000000004C5F000-memory.dmp
- Filesize: 572KB
-
memory/3260-116-0x0000000000AE0000-0x0000000000B03000-memory.dmp
- Filesize: 140KB