Analysis

max time kernel: 148s
max time network: 146s
platform: windows7_x64
resource: win7v20210408
submitted: 08-05-2021 07:32

Tasks:
- Static task: static1
- Behavioral task: behavioral1 (sample: Request for Quotation.exe, resource: win7v20210408)
General

Target: Request for Quotation.exe
Size: 205KB
MD5: a464acd5b3a7def21690a99978d7bf42
SHA1: 6b3b29a4675c4ce774c65f6b832fa0162e8dfb3b
SHA256: 7bcbf4813256ce1a199f54f824f5e337a6ab4709287dcfa78f0cb24392e735a9
SHA512: 4569ae903139750900068f7a1808a6f0d3f65917c62bb1e24bab3d422a96090746e12e7446ba0f7065c0da37d48cfe01706a12313e0d47db9a89137d81223dba
Malware Config

Extracted
Family: xloader
Version: 2.3
URL: http://www.onyxcomputing.com/u8nw/
Domains:
constructionjadams.com
organicwellnessfarm.com
beautiful.tours
medvows.com
foxparanormal.com
fsmxmc.com
graniterealestategroup.net
qgi1.com
astrologicsolutions.com
rafbar.com
bastiontools.net
emotist.com
stacyleets.com
bloodtypealpha.com
healtybenenfitsplus.com
vavadadoa3.com
chefbenhk.com
dotgz.com
xn--z4qm188e645c.com
ethyi.com
farrellforcouncil.com
everythingcornea.com
pensje.net
haichuanxin.com
codeproper.com
beautyblvdca.com
namastecarrier.com
xtrator.com
alphabrainbalancing.com
sensationalcleaningservices.net
magistv.info
shotsbynox.com
zioninfosystems.net
yourstoryplace.com
ebmulla.com
turkeyvisa-government.com
albertsonsolutions.com
7brochasmagicas.com
revolutiontourselsalvador.com
eastboundanddowntrucking.com
jkskylights.com
ultimatepoolwater.com
diurr.com
investmentfocused.com
dogscanstay.com
inov8digital.com
paragoncraftevents.com
reservesunbeds.com
melaniesalascosmetics.com
vissito.com
axolc-upoc.xyz
customessayjojo.com
kladki.com
online-securegov.com
xn--demirelik-u3a.com
plgmap.com
contorig2.com
dgyzgs8.com
valuedmind.com
sanacolitademarijuana.com
xn--6j1bs50berk.com
labkitsforstudents.com
lifehakershagirl.online
candidanddevout.com
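The extracted config is a flat dump: family, version, one URL and 64 bare domains (several of them punycode xn-- names). As an added example that is not part of the sandbox report, the Python below turns that form into hunt-ready indicators and runs them over DNS and proxy log lines. Everything beyond the config excerpt is my own assumption: the log line formats are constructed, subdomains of a listed domain are counted as hits, the URL host's parent domain (without www.) is added as an indicator, and the URI path is treated as a weaker secondary signal. Only the first four domains are embedded to keep the block short; paste the rest of the list into CONFIG_TEXT to cover all 64.

```python
"""Turn the XLoader config above into network indicators and scan log lines.
Added example, not the sandbox's code; config excerpt from the report, log lines constructed."""
from urllib.parse import urlsplit

# Head of the report's "Extracted" block in the flat family/version/URL/domain form (64 domains in full).
CONFIG_TEXT = """
xloader
2.3
http://www.onyxcomputing.com/u8nw/
constructionjadams.com
organicwellnessfarm.com
beautiful.tours
xn--z4qm188e645c.com
"""


def normalize(name):
    """Lower-case, drop a trailing dot and punycode Unicode labels so IDN entries compare equal."""
    name = name.rstrip(".").lower()
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:  # empty/over-long label: keep the raw form rather than drop the record
        return name


def parse_config(text):
    """Split the flat dump into family, version, URL(s) and bare domains."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    family, version, *entries = lines
    return {
        "family": family,
        "version": version,
        "urls": [e for e in entries if "://" in e],
        "domains": [e for e in entries if "://" not in e],
    }


def indicator_hosts(cfg):
    """Listed domains plus each URL's host and, for www.* hosts, the parent domain (assumption)."""
    hosts = {normalize(d) for d in cfg["domains"]}
    for u in cfg["urls"]:
        h = normalize(urlsplit(u).hostname)
        hosts.add(h)
        if h.startswith("www."):
            hosts.add(h[4:])
    return hosts


def indicator_paths(cfg):
    """URI paths from the config URLs; a path-only match is a weaker signal than a host match."""
    return {urlsplit(u).path for u in cfg["urls"] if urlsplit(u).path not in ("", "/")}


def host_hit(qname, hosts):
    """True if qname is an indicator or a subdomain of one."""
    q = normalize(qname)
    return q in hosts or any(q.endswith("." + h) for h in hosts)


# Constructed logs: "<time> <client> <qtype> <qname>" and "<time> <client> <method> <url> <status>".
DNS_LOG = """\
2021-05-08T07:33:01Z 10.0.0.5 A update.microsoft.com
2021-05-08T07:33:04Z 10.0.0.5 A WWW.onyxcomputing.com.
2021-05-08T07:33:09Z 10.0.0.5 A mail.beautiful.tours
2021-05-08T07:33:11Z 10.0.0.7 A notbeautiful.tours
"""
PROXY_LOG = """\
2021-05-08T07:33:05Z 10.0.0.5 GET http://www.onyxcomputing.com/u8nw/?id=1 200
2021-05-08T07:33:07Z 10.0.0.5 POST http://constructionjadams.com/u8nw/ 404
2021-05-08T07:33:20Z 10.0.0.5 GET http://www.microsoft.com/ 200
"""


def scan_dns(log, hosts):
    """Return (time, client, qname) for every query that hits an indicator host."""
    hits = []
    for line in log.splitlines():
        ts, client, _qtype, qname = line.split()
        if host_hit(qname, hosts):
            hits.append((ts, client, qname))
    return hits


def scan_proxy(log, hosts, paths):
    """Return (time, client, url, reasons); reasons lists which of host/path matched."""
    hits = []
    for line in log.splitlines():
        ts, client, _method, url, _status = line.split()
        parts = urlsplit(url)
        reasons = []
        if parts.hostname and host_hit(parts.hostname, hosts):
            reasons.append("host")
        if any(parts.path.startswith(p) for p in paths):
            reasons.append("path")
        if reasons:
            hits.append((ts, client, url, reasons))
    return hits


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    hosts, paths = indicator_hosts(cfg), indicator_paths(cfg)
    for hit in scan_dns(DNS_LOG, hosts) + scan_proxy(PROXY_LOG, hosts, paths):
        print(hit)
```

Running the block prints the two DNS hits (the URL host, queried with a trailing dot and mixed case, and a subdomain of beautiful.tours) and the two proxy hits; notbeautiful.tours and the Microsoft lines are correctly ignored. Normalising the queried name to punycode rather than decoding the xn-- indicators keeps the comparison exact for the IDN entries in the list.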
Signatures

Xloader Payload (2 IoCs)
YARA rule "xloader" matched in these memory dumps:
- behavioral1/memory/1984-64-0x0000000000400000-0x0000000000429000-memory.dmp
- behavioral1/memory/2024-72-0x00000000000C0000-0x00000000000E9000-memory.dmp

Deletes itself (1 IoC)
- PID 524 cmd.exe

Loads dropped DLL (1 IoC)
- PID 684 Request for Quotation.exe

Suspicious use of SetThreadContext (3 IoCs)
- PID 684 Request for Quotation.exe set thread context of PID 1984 Request for Quotation.exe
- PID 1984 Request for Quotation.exe set thread context of PID 1252 Explorer.EXE
- PID 2024 explorer.exe set thread context of PID 1252 Explorer.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature adds "Likely ransomware behaviour"; that wording is the signature's boilerplate rather than a finding about this sample, whose payload the YARA match and extracted config identify as XLoader.
Suspicious behavior: EnumeratesProcesses (30 IoCs)
- PID 1984 Request for Quotation.exe (2 events)
- PID 2024 explorer.exe (28 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 1252 Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
- PID 684 Request for Quotation.exe (1 event)
- PID 1984 Request for Quotation.exe (3 events)
- PID 2024 explorer.exe (2 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- PID 1984 Request for Quotation.exe: Token SeDebugPrivilege
- PID 2024 explorer.exe: Token SeDebugPrivilege

Suspicious use of FindShellTrayWindow (4 IoCs)
- PID 1252 Explorer.EXE (4 events)

Suspicious use of SendNotifyMessage (4 IoCs)
- PID 1252 Explorer.EXE (4 events)

Suspicious use of WriteProcessMemory (13 IoCs)
- PID 684 Request for Quotation.exe wrote to memory of PID 1984 Request for Quotation.exe (5 events)
- PID 1252 Explorer.EXE wrote to memory of PID 2024 explorer.exe (4 events)
- PID 2024 explorer.exe wrote to memory of PID 524 cmd.exe (4 events)
Processes
(tree as recorded by the sandbox; PIDs taken from the Signatures section, indentation shows parent/child)

C:\Windows\Explorer.EXE (PID 1252)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe (PID 684, child of 1252)
    command line: "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe (PID 1984, child of 684)
      command line: "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\explorer.exe (PID 2024, child of 1252)
    command line: "C:\Windows\SysWOW64\explorer.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 524, child of 2024)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
      - Deletes itself
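The process tree and the SetThreadContext/WriteProcessMemory signatures describe one chain: the sample in %TEMP% re-launches its own image (PID 684 to 1984), the desktop shell (PID 1252) is written to and gets a thread context set, a 32-bit explorer.exe from SysWOW64 appears as the shell's child (PID 2024), and that process spawns cmd.exe to delete the original file. As an added example, not the sandbox's own detection logic, the Python below reconstructs those events as constructed Sysmon-style process-creation records (the PID 1000 shell parent and the notepad.exe entry are made-up benign context) and flags the three elements of the chain that can be seen from process-creation telemetry alone. The rule names, event layout and thresholds are my own.

```python
"""Flag the injection / self-deletion chain from the process tree above using only
process-creation records. Added example, not part of the sandbox report; the events
mirror the report's PIDs and command lines but are constructed, not captured Sysmon data."""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the PIDs and command lines in the report. PID 1000 and the
# notepad.exe entry are invented benign context so the rules have something to ignore.
EVENTS = [
    ProcEvent(1252, 1000, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(684, 1252, r"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"'),
    ProcEvent(1984, 684, r"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"'),
    ProcEvent(2024, 1252, r"C:\Windows\SysWOW64\explorer.exe",
              r'"C:\Windows\SysWOW64\explorer.exe"'),
    ProcEvent(524, 2024, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"'),
    ProcEvent(3000, 1252, r"C:\Windows\System32\notepad.exe", r'"C:\Windows\System32\notepad.exe"'),
]

# "/c del <path>" with or without quotes around the path
DEL_RE = re.compile(r'/c\s+del\s+"?(?P<path>[^"]+?)"?\s*$', re.IGNORECASE)
# literal \AppData\Local\Temp\ anywhere in an image path
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def _base(path):
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule, pid, detail) tuples for each chain element found in the events."""
    by_pid = {e.pid: e for e in events}
    images = {e.image.lower() for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # 1. An executable under %TEMP% re-launching its own image: the first
        #    SetThreadContext hop in the report (PID 684 -> 1984).
        if parent and parent.image.lower() == e.image.lower() and TEMP_RE.search(e.image):
            findings.append(("self_spawn", e.pid, e.image))
        # 2. A 32-bit explorer.exe from SysWOW64 started by the real shell (PID 1252 -> 2024).
        if (_base(e.image) == "explorer.exe" and "\\syswow64\\" in e.image.lower()
                and parent and _base(parent.image) == "explorer.exe"
                and "\\syswow64\\" not in parent.image.lower()):
            findings.append(("wow64_explorer", e.pid, e.image))
        # 3. cmd.exe /c del of an image that ran earlier in the same event set (PID 524).
        if _base(e.image) == "cmd.exe":
            m = DEL_RE.search(e.cmdline)
            if m and m.group("path").lower() in images:
                findings.append(("self_delete", e.pid, m.group("path")))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:15} pid={pid} {detail}")
```

Run stand-alone it prints the three findings for PIDs 1984, 2024 and 524 and nothing for the shell or notepad.exe. Rule 3 deliberately requires the deleted path to match an image seen in the same telemetry, so an ordinary cleanup script deleting a file that never executed does not fire; thread-context and cross-process writes are not in process-creation events, so those hops are left to the sandbox signatures above.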
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
\Users\Admin\AppData\Local\Temp\nsx5F02.tmp\o75u.dll
MD5: 942d262973dab9e3b1d475015e4d92cd
SHA1: 85ac06efcd0024710ac208ef8245d1dddbbf7d9f
SHA256: 7a87934d117e5f192b6268a29e6cf220155849dbed4148bd0b0c38c81892b132
SHA512: e610c6fd7e065304894f0e97f1993e6e8bdb2267ab6b94a43ffc5efd909af40479862accdb6e003d75410ed539aa3259314c8f9d73cf20b68fe5042a51b6aa3f
This is the only dropped file in the run, which lines up with the "Loads dropped DLL" signature recorded for PID 684.
-
Memory dumps (grouped by PID; process names from the Signatures section)

PID 524 (cmd.exe)
- memory/524-73-0x0000000000000000-mapping.dmp

PID 684 (Request for Quotation.exe)
- memory/684-60-0x0000000075C71000-0x0000000075C73000-memory.dmp (8KB)
- memory/684-63-0x00000000003C0000-0x00000000003C2000-memory.dmp (8KB)

PID 1252 (Explorer.EXE)
- memory/1252-65-0x0000000007210000-0x0000000007383000-memory.dmp (1.4MB)
- memory/1252-76-0x0000000005110000-0x00000000051B6000-memory.dmp (664KB)

PID 1984 (Request for Quotation.exe)
- memory/1984-62-0x000000000041D0C0-mapping.dmp
- memory/1984-64-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
- memory/1984-66-0x0000000000730000-0x0000000000A33000-memory.dmp (3.0MB)
- memory/1984-67-0x00000000002F0000-0x0000000000300000-memory.dmp (64KB)

PID 2024 (explorer.exe)
- memory/2024-68-0x0000000000000000-mapping.dmp
- memory/2024-70-0x0000000074831000-0x0000000074833000-memory.dmp (8KB)
- memory/2024-71-0x0000000000590000-0x0000000000811000-memory.dmp (2.5MB)
- memory/2024-72-0x00000000000C0000-0x00000000000E9000-memory.dmp (164KB)
- memory/2024-74-0x00000000022B0000-0x00000000025B3000-memory.dmp (3.0MB)
- memory/2024-75-0x0000000002070000-0x00000000020FF000-memory.dmp (572KB)

The two 164KB dumps (1984-64 at 0x400000 and 2024-72 at 0xC0000) are the regions the "xloader" YARA rule matched in the Signatures section: a 0x29000-byte region of the same size in both the second sample instance and the SysWOW64 explorer.exe, which is where to start when carving the unpacked payload.