Analysis
max time kernel: 10s
max time network: 119s
platform: windows10_x64
resource: win10v20210410
submitted: 06-05-2021 10:38
Static task: static1
Behavioral task: behavioral1
Sample: b2e6c392636248c2705ac3a23a6fafbc8e5c1897.exe
Resource: win7v20210408
General
Target: b2e6c392636248c2705ac3a23a6fafbc8e5c1897.exe
Size: 205KB
MD5: 8c2d96abda99516a36f04f6a504bf79e
SHA1: b2e6c392636248c2705ac3a23a6fafbc8e5c1897
SHA256: a0b018fb2193eec4f61de14d4d60b1cae8ba46b2cabfc704d59ac6d134dbf4e5
SHA512: f1223ff5e2c800b049600264a6fa69293dc7c404697a506da7cfa29e1977b8ce97860c164b46e9840d89dba69defafa9930b7af76e0a6617691bf5bc1e4e3144
Malware Config
Extracted: xloader 2.3
http://www.onyxcomputing.com/u8nw/
constructionjadams.com
organicwellnessfarm.com
beautiful.tours
medvows.com
foxparanormal.com
fsmxmc.com
graniterealestategroup.net
qgi1.com
astrologicsolutions.com
rafbar.com
bastiontools.net
emotist.com
stacyleets.com
bloodtypealpha.com
healtybenenfitsplus.com
vavadadoa3.com
chefbenhk.com
dotgz.com
xn--z4qm188e645c.com
ethyi.com
farrellforcouncil.com
everythingcornea.com
pensje.net
haichuanxin.com
codeproper.com
beautyblvdca.com
namastecarrier.com
xtrator.com
alphabrainbalancing.com
sensationalcleaningservices.net
magistv.info
shotsbynox.com
zioninfosystems.net
yourstoryplace.com
ebmulla.com
turkeyvisa-government.com
albertsonsolutions.com
7brochasmagicas.com
revolutiontourselsalvador.com
eastboundanddowntrucking.com
jkskylights.com
ultimatepoolwater.com
diurr.com
investmentfocused.com
dogscanstay.com
inov8digital.com
paragoncraftevents.com
reservesunbeds.com
melaniesalascosmetics.com
vissito.com
axolc-upoc.xyz
customessayjojo.com
kladki.com
online-securegov.com
xn--demirelik-u3a.com
plgmap.com
contorig2.com
dgyzgs8.com
valuedmind.com
sanacolitademarijuana.com
xn--6j1bs50berk.com
labkitsforstudents.com
lifehakershagirl.online
candidanddevout.com
Signatures

Xloader Payload (1 IoCs)
  resource: behavioral2/memory/1600-117-0x0000000000400000-0x0000000000429000-memory.dmp
  yara_rule: xloader

Loads dropped DLL (1 IoCs)
  Processes:
    pid 3876  process b2e6c392636248c2705ac3a23a6fafbc8e5c1897.exe

Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description: PID 3876 set thread context of 1600
    pid 3876  process b2e6c392636248c2705ac3a23a6fafbc8e5c1897.exe  target process b2e6c392636248c2705ac3a23a6fafbc8e5c1897.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid 1600  process b2e6c392636248c2705ac3a23a6fafbc8e5c1897.exe
    pid 1600  process b2e6c392636248c2705ac3a23a6fafbc8e5c1897.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
    pid 3876  process b2e6c392636248c2705ac3a23a6fafbc8e5c1897.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description: PID 3876 wrote to memory of 1600
    pid 3876  process b2e6c392636248c2705ac3a23a6fafbc8e5c1897.exe  target process b2e6c392636248c2705ac3a23a6fafbc8e5c1897.exe
    description: PID 3876 wrote to memory of 1600
    pid 3876  process b2e6c392636248c2705ac3a23a6fafbc8e5c1897.exe  target process b2e6c392636248c2705ac3a23a6fafbc8e5c1897.exe
    description: PID 3876 wrote to memory of 1600
    pid 3876  process b2e6c392636248c2705ac3a23a6fafbc8e5c1897.exe  target process b2e6c392636248c2705ac3a23a6fafbc8e5c1897.exe
    description: PID 3876 wrote to memory of 1600
    pid 3876  process b2e6c392636248c2705ac3a23a6fafbc8e5c1897.exe  target process b2e6c392636248c2705ac3a23a6fafbc8e5c1897.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\b2e6c392636248c2705ac3a23a6fafbc8e5c1897.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b2e6c392636248c2705ac3a23a6fafbc8e5c1897.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

2. (child of 1) C:\Users\Admin\AppData\Local\Temp\b2e6c392636248c2705ac3a23a6fafbc8e5c1897.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b2e6c392636248c2705ac3a23a6fafbc8e5c1897.exe"
   - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\Users\Admin\AppData\Local\Temp\nsx1A74.tmp\ijjn4rmb.dll
  MD5: b8d5ccc0769f2b46d120f58366a70748
  SHA1: e18714d1745d50244f38d1d5450fb0dc138e4a9a
  SHA256: 5e31e46243351c07b44e1ab234751d077675afa3b9ace2467bffb5d83001efbd
  SHA512: 9ce576c9ffbe2eb355e553a1396bbf3e6d929cacf4c77429db1b090eff526da6c12438f8fde33787d745775fb149f9d3921785d3b9b4ed26d9835198ef063e2c

memory/1600-115-0x000000000041D0C0-mapping.dmp

memory/1600-117-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB

memory/1600-118-0x0000000000A40000-0x0000000000D60000-memory.dmp
  Filesize: 3.1MB

memory/3876-116-0x0000000000AD0000-0x0000000000AD2000-memory.dmp
  Filesize: 8KB