Analysis

Max time kernel: 150s
Max time network: 148s
Platform: windows10_x64
Resource: win10v20210408
Submitted: 07-05-2021 19:03

Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: winlog.exe
  Resource: win7v20210408

Note: the signature and memory-dump entries below are labelled behavioral2 (the windows10_x64 run named in the header); only the behavioral1 task (win7v20210408) survived in the task listing above.
General

Target: winlog.exe
Size: 696KB
MD5: 5d2f26ac6b48725279d98aa87eff8506
SHA1: 7ab3874eb9d316a503133367b12d3628e6dbe264
SHA256: 06bed76c389db454d5b86a64bf7127a21c013b48d79b3b83511263c424f5cf65
SHA512: e81c607ee870bde0e5a84714f1634e19f6959d1f46a4d5ffea2baeba241712ca4f2e2bdf4f6c8794db7b35216ded5d52743b7faac75d3382dd58f88e24294e41
Malware Config

Extracted family: xloader
Version: 2.3
C2: http://www.zlzntiayc.icu/a6ru/

Decoy domains. The extractor lists these separately from the C2 URL. An XLoader configuration, like the Formbook configuration it descends from, carries one real C2 and a long list of decoy domains that the bot also contacts, so that traffic volume alone does not single out the operator's server. Treat the list as an indicator of the sample, not as a list of compromised infrastructure; only the C2 URL above is the operator's endpoint.

noseainsight.com
chateaudedigoine.com
tezhonda.com
lowergwyeneddmassage.com
convenienttext.com
quickbookaccountingpros.com
mashburneventcenter.com
marthabymsfashion.com
thearcadela.com
invisiblefingerprint.com
nikadoo.com
artsmartclinton.com
elitetouringinnovations.com
atualizarapp2020.com
nideke1.com
fyj-sh.com
rufflesales.com
algemixdelchef.com
appleoneplus.com
ryosuketanikawa.com
domainsforpharma.com
sxhsti.com
squeakyslimes.com
theccmsacademy.com
ketquavip1.net
hstchwritr.com
cabinettec.com
iiscoder.com
ozdjservices.com
needscheck.com
hammocksrecovery.com
thedaiquiriexplosion.com
tantricgirlclothing.com
stealthpup.com
homehunters-eg.com
buffaloce.com
resilientquality.com
020view.com
cheapyetihats.com
allamericanqueens.com
massagerest.com
photogenic.homes
globalcheapflights.net
kuppers.info
redfiendpub.com
nrbadvogados.com
nighthawkmediagroup.com
gilsilva022pro.com
healthpossibilities.com
japlasmartshop.com
6927199.com
pizzanpickle.com
schnitzel.party
spkariyer.com
amsterdambrownies.com
laboratorioinfodigital.com
retailmedicaldepot.com
registeraccountants.amsterdam
khadeidralegendre.com
indialearninghub.com
xinjidf.com
thehawkproz.com
shpmtents14.com
kelaskaya.com
Signatures

Xloader Payload (3 IoCs)
YARA rule "xloader" matched these memory dumps:
  behavioral2/memory/2116-125-0x0000000000400000-0x0000000000429000-memory.dmp
  behavioral2/memory/2116-126-0x000000000041D0C0-mapping.dmp
  behavioral2/memory/3924-133-0x0000000000EC0000-0x0000000000EE9000-memory.dmp
The two ranged dumps are both 0x29000 bytes (164KB), consistent with the same unpacked image being present once in the hollowed winlog.exe child (PID 2116) and once in NETSTAT.EXE (PID 3924).

Suspicious use of SetThreadContext (3 IoCs)
  PID 2840 winlog.exe set thread context of 2116 winlog.exe
  PID 2116 winlog.exe set thread context of 3020 Explorer.EXE
  PID 3924 NETSTAT.EXE set thread context of 3020 Explorer.EXE
The first edge is process hollowing: a child winlog.exe that its parent had already written to is resumed with a new thread context. The other two redirect a thread inside the Windows shell, which is not a child of either source process.

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
  PID 3924 NETSTAT.EXE
Caveat: this signature fires on the image name. Nothing in the report shows netstat output being collected. PID 3924 carries the xloader YARA hit, sets Explorer's thread context and spawns the cleanup cmd.exe, so NETSTAT.EXE here is the system binary the payload was injected into, not a reconnaissance step. Do not record this run as T1016-style network discovery on that basis alone.

Suspicious behavior: EnumeratesProcesses (20 IoCs)
  2840 winlog.exe (8 hits)
  2116 winlog.exe (4 hits)
  3924 NETSTAT.EXE (8 hits)

Suspicious behavior: MapViewOfSection (5 IoCs)
  2116 winlog.exe (3 hits)
  3924 NETSTAT.EXE (2 hits)
These are exactly the two processes that set Explorer's thread context, and neither appears as a writer to PID 3020 in the WriteProcessMemory table below; the code placed in Explorer was therefore mapped in as a section rather than written with WriteProcessMemory.

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege 2840 winlog.exe
  Token: SeDebugPrivilege 2116 winlog.exe
  Token: SeDebugPrivilege 3924 NETSTAT.EXE

Suspicious use of WriteProcessMemory (24 IoCs)
  source -> target (number of writes)
  2840 winlog.exe -> 1324 winlog.exe (3)
  2840 winlog.exe -> 1340 winlog.exe (3)
  2840 winlog.exe -> 1928 winlog.exe (3)
  2840 winlog.exe -> 2100 winlog.exe (3)
  2840 winlog.exe -> 2116 winlog.exe (6)
  3020 Explorer.EXE -> 3924 NETSTAT.EXE (3)
  3924 NETSTAT.EXE -> 1816 cmd.exe (3)
Every parent-to-child spawn in this run shows three writes, including the ordinary spawns of NETSTAT.EXE and cmd.exe. Only PID 2116, the child whose thread context is later set and which holds the payload, receives writes beyond that count. The four earlier winlog.exe children (1324, 1340, 1928, 2100) appear nowhere else in the report.
Processes

Level 1: C:\Windows\Explorer.EXE (PID 3020)
  Signatures: Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\winlog.exe (PID 2840)
    Command line: "C:\Users\Admin\AppData\Local\Temp\winlog.exe"
    Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\winlog.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\winlog.exe"
      No signatures (one of PIDs 1324, 1340, 1928, 2100 from the WriteProcessMemory table)

    Level 3: C:\Users\Admin\AppData\Local\Temp\winlog.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\winlog.exe"
      No signatures (one of PIDs 1324, 1340, 1928, 2100 from the WriteProcessMemory table)

    Level 3: C:\Users\Admin\AppData\Local\Temp\winlog.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\winlog.exe"
      No signatures (one of PIDs 1324, 1340, 1928, 2100 from the WriteProcessMemory table)

    Level 3: C:\Users\Admin\AppData\Local\Temp\winlog.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\winlog.exe"
      No signatures (one of PIDs 1324, 1340, 1928, 2100 from the WriteProcessMemory table)

    Level 3: C:\Users\Admin\AppData\Local\Temp\winlog.exe (PID 2116, hollowed child)
      Command line: "C:\Users\Admin\AppData\Local\Temp\winlog.exe"
      Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\SysWOW64\NETSTAT.EXE (PID 3924, spawned by the injected Explorer.EXE)
    Command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    Signatures: Suspicious use of SetThreadContext; Gathers network information; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\cmd.exe (PID 1816)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\winlog.exe"
      Deletes the original sample from disk once the payload is running inside NETSTAT.EXE.
Network
No network entries recorded.

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads (memory dumps)

PID 1816 (cmd.exe)
  memory/1816-135-0x0000000000000000-mapping.dmp

PID 2116 (winlog.exe, hollowed child)
  memory/2116-125-0x0000000000400000-0x0000000000429000-memory.dmp   164KB   (xloader YARA hit)
  memory/2116-126-0x000000000041D0C0-mapping.dmp                      (xloader YARA hit)
  memory/2116-128-0x00000000012E0000-0x0000000001600000-memory.dmp   3.1MB
  memory/2116-129-0x0000000000E10000-0x0000000000E20000-memory.dmp   64KB

PID 2840 (winlog.exe, original process)
  memory/2840-114-0x0000000000A30000-0x0000000000A31000-memory.dmp   4KB
  memory/2840-116-0x00000000054B0000-0x00000000054B1000-memory.dmp   4KB
  memory/2840-117-0x0000000005A50000-0x0000000005A51000-memory.dmp   4KB
  memory/2840-118-0x0000000005550000-0x0000000005551000-memory.dmp   4KB
  memory/2840-119-0x0000000005550000-0x0000000005A4E000-memory.dmp   5.0MB
  memory/2840-120-0x0000000005430000-0x0000000005431000-memory.dmp   4KB
  memory/2840-121-0x0000000005710000-0x0000000005711000-memory.dmp   4KB
  memory/2840-122-0x0000000005700000-0x000000000570E000-memory.dmp   56KB
  memory/2840-123-0x0000000001420000-0x0000000001497000-memory.dmp   476KB
  memory/2840-124-0x0000000001050000-0x0000000001080000-memory.dmp   192KB

PID 3020 (Explorer.EXE)
  memory/3020-130-0x0000000004A30000-0x0000000004B8B000-memory.dmp   1.4MB
  memory/3020-137-0x00000000024A0000-0x000000000254A000-memory.dmp   680KB

PID 3924 (NETSTAT.EXE, injection host)
  memory/3924-131-0x0000000000000000-mapping.dmp
  memory/3924-132-0x0000000001290000-0x000000000129B000-memory.dmp   44KB
  memory/3924-133-0x0000000000EC0000-0x0000000000EE9000-memory.dmp   164KB   (xloader YARA hit)
  memory/3924-134-0x0000000003620000-0x0000000003940000-memory.dmp   3.1MB
  memory/3924-136-0x0000000003570000-0x00000000035FF000-memory.dmp   572KB

The 164KB and 3.1MB regions occur in both PID 2116 and PID 3924 at different base addresses; the 164KB one is the YARA-flagged payload image, reproduced in each host the payload moved into.
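The signature tables and the dump list above can be joined to make the injection chain explicit without a sandbox API. The following Python is an added example written for this page, not sandbox output and not part of the report. Every record it holds is transcribed from the tables above; the parent-child map is read from the process tree; the labels it assigns (hollowing, section-mapping injection, thread hijack) and the treatment of the smallest parent-to-child write count as an ordinary process-creation baseline are the editor's interpretation of this one report and are marked as assumptions in the code.

```python
import re
from collections import defaultdict

# Added example: records are transcribed from this report's signature tables
# and Downloads list; nothing here is fetched from a sandbox.

# "Suspicious use of WriteProcessMemory": (src_pid, src_image, dst_pid, dst_image, writes)
WRITES = [
    (2840, "winlog.exe", 1324, "winlog.exe", 3),
    (2840, "winlog.exe", 1340, "winlog.exe", 3),
    (2840, "winlog.exe", 1928, "winlog.exe", 3),
    (2840, "winlog.exe", 2100, "winlog.exe", 3),
    (2840, "winlog.exe", 2116, "winlog.exe", 6),
    (3020, "Explorer.EXE", 3924, "NETSTAT.EXE", 3),
    (3924, "NETSTAT.EXE", 1816, "cmd.exe", 3),
]
# "Suspicious use of SetThreadContext": (src_pid, src_image, dst_pid, dst_image)
SET_CTX = [
    (2840, "winlog.exe", 2116, "winlog.exe"),
    (2116, "winlog.exe", 3020, "Explorer.EXE"),
    (3924, "NETSTAT.EXE", 3020, "Explorer.EXE"),
]
MAP_VIEW = {2116, 3924}  # PIDs that raised "Suspicious behavior: MapViewOfSection"
# child -> parent from the process tree; Explorer.EXE (3020) is the shell at the top
PARENT = {2840: 3020, 1324: 2840, 1340: 2840, 1928: 2840, 2100: 2840,
          2116: 2840, 3924: 3020, 1816: 3924}
DUMPS = [  # Downloads section, names verbatim
    "memory/1816-135-0x0000000000000000-mapping.dmp",
    "memory/2116-125-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/2116-126-0x000000000041D0C0-mapping.dmp",
    "memory/2116-128-0x00000000012E0000-0x0000000001600000-memory.dmp",
    "memory/2116-129-0x0000000000E10000-0x0000000000E20000-memory.dmp",
    "memory/2840-114-0x0000000000A30000-0x0000000000A31000-memory.dmp",
    "memory/2840-116-0x00000000054B0000-0x00000000054B1000-memory.dmp",
    "memory/2840-117-0x0000000005A50000-0x0000000005A51000-memory.dmp",
    "memory/2840-118-0x0000000005550000-0x0000000005551000-memory.dmp",
    "memory/2840-119-0x0000000005550000-0x0000000005A4E000-memory.dmp",
    "memory/2840-120-0x0000000005430000-0x0000000005431000-memory.dmp",
    "memory/2840-121-0x0000000005710000-0x0000000005711000-memory.dmp",
    "memory/2840-122-0x0000000005700000-0x000000000570E000-memory.dmp",
    "memory/2840-123-0x0000000001420000-0x0000000001497000-memory.dmp",
    "memory/2840-124-0x0000000001050000-0x0000000001080000-memory.dmp",
    "memory/3020-130-0x0000000004A30000-0x0000000004B8B000-memory.dmp",
    "memory/3020-137-0x00000000024A0000-0x000000000254A000-memory.dmp",
    "memory/3924-131-0x0000000000000000-mapping.dmp",
    "memory/3924-132-0x0000000001290000-0x000000000129B000-memory.dmp",
    "memory/3924-133-0x0000000000EC0000-0x0000000000EE9000-memory.dmp",
    "memory/3924-134-0x0000000003620000-0x0000000003940000-memory.dmp",
    "memory/3924-136-0x0000000003570000-0x00000000035FF000-memory.dmp",
]


def classify_injections(writes=WRITES, set_ctx=SET_CTX, map_view=MAP_VIEW, parent=PARENT):
    """Label each SetThreadContext edge by how code reached the target (editor's rules):
    own child + prior WriteProcessMemory -> hollowing; unrelated target with no write
    from a source that mapped a section -> section-mapping injection; else thread hijack."""
    wrote = {(s, t) for s, _, t, _, _ in writes}
    out = []
    for s, _, t, _ in set_ctx:
        if parent.get(t) == s and (s, t) in wrote:
            out.append((s, t, "process hollowing"))
        elif (s, t) not in wrote and s in map_view:
            out.append((s, t, "section-mapping injection"))
        else:
            out.append((s, t, "thread hijack"))
    return out


def excess_writes(writes=WRITES, parent=PARENT):
    """Parent->child pairs written more often than the smallest parent->child count
    in the run (assumption: that minimum is the plain process-creation baseline)."""
    spawn = [(s, t, c) for s, _, t, _, c in writes if parent.get(t) == s]
    baseline = min(c for _, _, c in spawn)
    return {(s, t): c - baseline for s, t, c in spawn if c > baseline}


DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_dump(name):
    """(pid, base, size) for a ranged dump; None for single-address '-mapping.dmp' names."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        return None
    pid, lo, hi = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
    return pid, lo, hi - lo


def shared_region_sizes(names=DUMPS):
    """size -> sorted PIDs for region sizes dumped from more than one process;
    a region the payload rebuilds in every host it moves into shows up here."""
    by_size = defaultdict(set)
    for n in names:
        parsed = parse_dump(n)
        if parsed:
            pid, _, size = parsed
            by_size[size].add(pid)
    return {size: sorted(p) for size, p in by_size.items() if len(p) > 1}


if __name__ == "__main__":
    for s, t, label in classify_injections():
        print(f"{s} -> {t}: {label}")
    print("writes beyond spawn baseline:", excess_writes())
    for size, pids in shared_region_sizes().items():
        print(f"0x{size:x} ({size // 1024}KB) present in PIDs {pids}")
```

Run against the page's data it labels 2840 -> 2116 as hollowing and both edges into Explorer as section-mapping injection, reports only 2840 -> 2116 as carrying writes beyond the three seen on every ordinary spawn, and finds the 0x29000 and 0x320000 regions in both 2116 and 3924. The same three functions apply to any report in this format once the tables are transcribed; the baseline rule is the part to revisit on another sample, since it is derived from this run alone.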