Analysis
- max time kernel: 150s
- max time network: 146s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 08-05-2021 07:32
Static task: static1
Behavioral task: behavioral1
Sample: Request for Quotation.exe
Resource: win7v20210408
General
- Target: Request for Quotation.exe
- Size: 205KB
- MD5: a464acd5b3a7def21690a99978d7bf42
- SHA1: 6b3b29a4675c4ce774c65f6b832fa0162e8dfb3b
- SHA256: 7bcbf4813256ce1a199f54f824f5e337a6ab4709287dcfa78f0cb24392e735a9
- SHA512: 4569ae903139750900068f7a1808a6f0d3f65917c62bb1e24bab3d422a96090746e12e7446ba0f7065c0da37d48cfe01706a12313e0d47db9a89137d81223dba
Malware Config
Extracted
- Family: xloader
- Version: 2.3
- C2: http://www.onyxcomputing.com/u8nw/
- Domains:
constructionjadams.com
organicwellnessfarm.com
beautiful.tours
medvows.com
foxparanormal.com
fsmxmc.com
graniterealestategroup.net
qgi1.com
astrologicsolutions.com
rafbar.com
bastiontools.net
emotist.com
stacyleets.com
bloodtypealpha.com
healtybenenfitsplus.com
vavadadoa3.com
chefbenhk.com
dotgz.com
xn--z4qm188e645c.com
ethyi.com
farrellforcouncil.com
everythingcornea.com
pensje.net
haichuanxin.com
codeproper.com
beautyblvdca.com
namastecarrier.com
xtrator.com
alphabrainbalancing.com
sensationalcleaningservices.net
magistv.info
shotsbynox.com
zioninfosystems.net
yourstoryplace.com
ebmulla.com
turkeyvisa-government.com
albertsonsolutions.com
7brochasmagicas.com
revolutiontourselsalvador.com
eastboundanddowntrucking.com
jkskylights.com
ultimatepoolwater.com
diurr.com
investmentfocused.com
dogscanstay.com
inov8digital.com
paragoncraftevents.com
reservesunbeds.com
melaniesalascosmetics.com
vissito.com
axolc-upoc.xyz
customessayjojo.com
kladki.com
online-securegov.com
xn--demirelik-u3a.com
plgmap.com
contorig2.com
dgyzgs8.com
valuedmind.com
sanacolitademarijuana.com
xn--6j1bs50berk.com
labkitsforstudents.com
lifehakershagirl.online
candidanddevout.com
Signatures
Xloader Payload (2 IoCs)
Processes:
- resource: behavioral2/memory/800-117-0x0000000000400000-0x0000000000429000-memory.dmp, yara_rule: xloader
- resource: behavioral2/memory/1164-124-0x0000000002D20000-0x0000000002D49000-memory.dmp, yara_rule: xloader
Loads dropped DLL (1 IoCs)
Processes:
- pid 1000, process Request for Quotation.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes:
- PID 1000 set thread context of 800: pid 1000, process Request for Quotation.exe, target process Request for Quotation.exe
- PID 800 set thread context of 2180: pid 800, process Request for Quotation.exe, target process Explorer.EXE
- PID 1164 set thread context of 2180: pid 1164, process control.exe, target process Explorer.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes:
- pid 800, process Request for Quotation.exe (4 entries)
- pid 1164, process control.exe (56 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
- pid 2180, process Explorer.EXE
Suspicious behavior: MapViewOfSection (6 IoCs)
Processes:
- pid 1000, process Request for Quotation.exe (1 entry)
- pid 800, process Request for Quotation.exe (3 entries)
- pid 1164, process control.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege, pid 800, process Request for Quotation.exe
- Token: SeDebugPrivilege, pid 1164, process control.exe
Suspicious use of UnmapMainImage (1 IoCs)
Processes:
- pid 2180, process Explorer.EXE
Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
- PID 1000 wrote to memory of 800: pid 1000, process Request for Quotation.exe, target process Request for Quotation.exe (4 entries)
- PID 2180 wrote to memory of 1164: pid 2180, process Explorer.EXE, target process control.exe (3 entries)
- PID 1164 wrote to memory of 3600: pid 1164, process control.exe, target process cmd.exe (3 entries)
Processes
Depth 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  Depth 2: C:\Windows\SysWOW64\control.exe
    Command line: "C:\Windows\SysWOW64\control.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsm578D.tmp\o75u.dll
  MD5: 942d262973dab9e3b1d475015e4d92cd
  SHA1: 85ac06efcd0024710ac208ef8245d1dddbbf7d9f
  SHA256: 7a87934d117e5f192b6268a29e6cf220155849dbed4148bd0b0c38c81892b132
  SHA512: e610c6fd7e065304894f0e97f1993e6e8bdb2267ab6b94a43ffc5efd909af40479862accdb6e003d75410ed539aa3259314c8f9d73cf20b68fe5042a51b6aa3f
- memory/800-115-0x000000000041D0C0-mapping.dmp
- memory/800-117-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/800-118-0x0000000000A10000-0x0000000000D30000-memory.dmp (Filesize: 3.1MB)
- memory/800-119-0x0000000000430000-0x00000000004DE000-memory.dmp (Filesize: 696KB)
- memory/1000-116-0x0000000000C70000-0x0000000000C72000-memory.dmp (Filesize: 8KB)
- memory/1164-123-0x0000000000020000-0x0000000000040000-memory.dmp (Filesize: 128KB)
- memory/1164-121-0x0000000000000000-mapping.dmp
- memory/1164-124-0x0000000002D20000-0x0000000002D49000-memory.dmp (Filesize: 164KB)
- memory/1164-125-0x0000000004480000-0x00000000047A0000-memory.dmp (Filesize: 3.1MB)
- memory/1164-126-0x0000000004830000-0x00000000048BF000-memory.dmp (Filesize: 572KB)
- memory/2180-120-0x0000000005660000-0x00000000057CA000-memory.dmp (Filesize: 1.4MB)
- memory/2180-127-0x00000000057D0000-0x0000000005945000-memory.dmp (Filesize: 1.5MB)
- memory/3600-122-0x0000000000000000-mapping.dmp