Analysis
max time kernel: 5s
max time network: 10s
platform: windows7_x64
resource: win7v20210408
submitted: 08-05-2021 04:01
Static task: static1
Behavioral task: behavioral1
Sample: babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe
Resource: win7v20210408
General
Target: babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe
Size: 212KB
MD5: 4d2dfa95fd5af26aa2c2f44b4f54a73a
SHA1: 2dd957be65d8a28140b7a910e8b9da9b695ef281
SHA256: babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e
SHA512: c82d9424722d5a36904963e1cfab6602721495bfde358a8517a5ef7d78d34a2c52546127ff3a4954ce69832e5b936690c9389dd94f7a5598ad37f905ae30c56f
Malware Config
Extracted
xloader
2.3
http://www.hono-idea.com/bncm/
Signatures
Xloader Payload 1 IoCs
Processes:
resource: behavioral1/memory/2036-63-0x0000000000400000-0x0000000000428000-memory.dmp
yara_rule: xloader
Loads dropped DLL 1 IoCs
Processes:
pid 1632  process babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description: PID 1632 set thread context of 2036
pid 1632  process babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe  target process babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid 1632  process babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe
pid 1632  process babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe
pid 1632  process babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe
pid 1632  process babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe
pid 2036  process babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid 1632  process babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
description: PID 1632 wrote to memory of 2036 (recorded five times)
pid 1632  process babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe  target process babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe
pid 1632  process babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe  target process babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe
pid 1632  process babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe  target process babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe
pid 1632  process babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe  target process babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe
pid 1632  process babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe  target process babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe
Processes
Process 1: C:\Users\Admin\AppData\Local\Temp\babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  Process 2 (child of process 1): C:\Users\Admin\AppData\Local\Temp\babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\babda8d430f5f46986eacf505ee1cb9cf017032bf4ec985fa20a1a6c73e7543e.exe"
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
\Users\Admin\AppData\Local\Temp\nsi4E80.tmp\xm4g7kn3knz8.dll
MD5: 01b11ba883e3966751feccccaab081ad
SHA1: c6f907f8bee6c7cd9997b881f775953961b9454e
SHA256: 857d06ea32e6156371392551315ae85a5bebf6096e200f4ce68a1e0588ae1cb5
SHA512: 5ddbef372d739a7119c31e57d7566d8fcb2ca75708e4b15f6b2b2c4f721c07bfbd413f8346812566700cc5db85683d603d11e51e1bb5be75ab386531d5895817
memory/1632-60-0x0000000075551000-0x0000000075553000-memory.dmp
Filesize: 8KB
memory/2036-62-0x000000000041CFF0-mapping.dmp
memory/2036-63-0x0000000000400000-0x0000000000428000-memory.dmp
Filesize: 160KB
memory/2036-64-0x0000000000730000-0x0000000000A33000-memory.dmp
Filesize: 3.0MB