Analysis
max time kernel: 74s
max time network: 110s
platform: windows10_x64
resource: win10v20210408
submitted: 07-05-2021 19:33
Static task: static1
Behavioral task: behavioral1
Sample: 5fc118f68d961f9bd3c38d15bd6c0e6eed0b66c12412c344d766460b48355706.exe
Resource: win7v20210408
General
Target: 5fc118f68d961f9bd3c38d15bd6c0e6eed0b66c12412c344d766460b48355706.exe
Size: 219KB
MD5: 5972ee4c522e2f18ff3102bb94444db5
SHA1: 1439b110cd660222879bc7ff4716c1498a87f5c4
SHA256: 5fc118f68d961f9bd3c38d15bd6c0e6eed0b66c12412c344d766460b48355706
SHA512: 2b621f69ceb36cfe9f3fe68a2df2a5685c0c2b73699ff8cc06b24b510714d43bd267876760fa3768effed7539b61d4957ad660ce135b3261e83984e9ea8584ea
Malware Config
Extracted
xloader
2.3
http://www.christopherngai.com/boit/
Signatures
Xloader Payload 1 IoCs
Processes:
resource: behavioral2/memory/3328-116-0x0000000000400000-0x0000000000429000-memory.dmp; yara_rule: xloader
Loads dropped DLL 1 IoCs
Processes:
pid 752, process 5fc118f68d961f9bd3c38d15bd6c0e6eed0b66c12412c344d766460b48355706.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description: PID 752 set thread context of 3328; process: 5fc118f68d961f9bd3c38d15bd6c0e6eed0b66c12412c344d766460b48355706.exe; target process: 5fc118f68d961f9bd3c38d15bd6c0e6eed0b66c12412c344d766460b48355706.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
pid 752, process 5fc118f68d961f9bd3c38d15bd6c0e6eed0b66c12412c344d766460b48355706.exe (8 IoCs)
pid 3328, process 5fc118f68d961f9bd3c38d15bd6c0e6eed0b66c12412c344d766460b48355706.exe (2 IoCs)
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid 752, process 5fc118f68d961f9bd3c38d15bd6c0e6eed0b66c12412c344d766460b48355706.exe
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description: PID 752 wrote to memory of 3328 (4 IoCs); process: 5fc118f68d961f9bd3c38d15bd6c0e6eed0b66c12412c344d766460b48355706.exe; target process: 5fc118f68d961f9bd3c38d15bd6c0e6eed0b66c12412c344d766460b48355706.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\5fc118f68d961f9bd3c38d15bd6c0e6eed0b66c12412c344d766460b48355706.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5fc118f68d961f9bd3c38d15bd6c0e6eed0b66c12412c344d766460b48355706.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
2. (child of 1) C:\Users\Admin\AppData\Local\Temp\5fc118f68d961f9bd3c38d15bd6c0e6eed0b66c12412c344d766460b48355706.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5fc118f68d961f9bd3c38d15bd6c0e6eed0b66c12412c344d766460b48355706.exe"
   - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
\Users\Admin\AppData\Local\Temp\nsx73A0.tmp\l6q09tpj2i.dll
MD5: a11ccf3cb9aac8360e27c60f4b8d9a2b
SHA1: 1e0cee6a0282a754f7c59ddd05c78fd5aaac14a7
SHA256: 3fc0051d7156d6c97ef54e91dac26bb39a96a74149fe53583adfd4d7619fd9b0
SHA512: 7d680f10512a5c5d8e76b2c39168added0ab408c506dff90a9fc6ada61aef17f2694f029fb2df9b09d2106b45e380fa73234fabc0f52d5542a3d1c043e94f0c7
memory/3328-115-0x000000000041D060-mapping.dmp
memory/3328-116-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
memory/3328-117-0x0000000000AB0000-0x0000000000DD0000-memory.dmp (Filesize: 3.1MB)