Analysis

- max time kernel: 150s
- max time network: 162s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 24-06-2021 12:04

Tasks:
- Static task: static1
- Behavioral task: behavioral1 (Sample: PO.exe, Resource: win7v20210408)

The signature hits and memory dumps below are tagged behavioral2, i.e. the windows10_x64 / win10v20210410 run named in the header; only the win7v20210408 task survives in the task list above.
General

- Target: PO.exe
- Size: 225KB
- MD5: 42a437dc06eea16fa8adaa67e08091d4
- SHA1: 4e3ecf96e002babd033d12183493e45747a179b4
- SHA256: 660708a7f99d26de87386ca21682b96179f16f2dbc67578a704cb94d78e9848f
- SHA512: 0dc7c2308ccdd6e31e9fc1f31d06dc1113a5153cd6cdd71094e08f216fbbc62af0775b404cbb12b03eeb4ab6f59c92930c0404ac136d94ccd7f711bc9c6bfe44
Malware Config

Extracted:
- Family: xloader
- Version: 2.3
- C2: http://www.mertztaxprep.com/ubuq/
- Decoy domains: Xloader carries one live C2 URL (above) and a list of decoy domains it also beacons to. Traffic to any of the domains below is a usable detection for this sample, but only the C2 URL is block-grade; the decoys can be legitimate sites.
lockielan.com
maltaprefix.icu
smarteryou6g1.club
paulinequinonero.com
bluezonephysiotherapy.com
xbikinix.com
kleverfilms.com
zsintion60.com
clawlabs.com
promositransvision.com
toesinthesandwedding.com
superkiski.com
2385jsdfndsd.life
consultingthehive.com
blockchainskillslab.com
zeuzcreative.com
szkemijx.com
mikenewellhomes.com
xywehwpibm.net
forevervalley.com
fjlufei.com
costatropicalchocolate.com
perodua-sales.com
chushiba.com
qingquanbay.com
dayanahotvenezuelan.com
winestreetspirits.com
floatnorth.com
alohasurfsoul.com
spaceplix.com
domentemenegi34.net
huntingtonsellcarforcash.com
christinaaskew.net
seedsforsainthood.com
unboxed4real.com
fleischhauer.gmbh
goddess.tours
metercovid.com
bluechipnm.com
fastsalvage.com
iunionbuy.net
dramirazad.com
gwh212.xyz
weworkhome.info
lym37.com
mankosjp.xyz
xingyedk.com
sat-tones.com
urblco.com
jswz888.com
thewfhkitchen.com
fleursoleil.com
langtonmedicaltraining.com
bkfly.com
lapmangfpthanoi.net
optionsvig.com
xfbav8.com
leslymassage.com
monyoune.com
brateix.info
netabis.com
rocketcompaniesopinions.com
thekitchenbeauty.com
rbcroyalclientcare.com
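The config block above is only useful once it is machine-readable. The following is an added example, not code from the sandbox report or from any vendor: it parses a constructed excerpt of the block (same line form as the report: family, version, C2 URL, then decoys), validates each field, and emits Suricata rules that treat the C2 host and URI path as priority 1 and the decoys as priority 3. The Suricata syntax assumes a 5.x or newer engine (`dns.query`, `http.host`, `http.uri`, `startswith`, `endswith`), and the sid base of 9000000 is an assumption to be replaced with a value from your local range.

```python
"""Structure the extracted Xloader config above and turn it into detection rules.

Added example; not code from the sandbox report or from any vendor.
CONFIG_EXCERPT is a constructed excerpt of the "Malware Config" block in the
report, in the report's own line form: family, version, C2 URL, then decoy
domains. Xloader/Formbook carries one live C2 URI plus decoy domains it also
beacons to, so the C2 host is block-grade and the decoys are alert-grade.
"""
import re
from urllib.parse import urlparse

CONFIG_EXCERPT = """\
xloader
2.3
http://www.mertztaxprep.com/ubuq/
lockielan.com
maltaprefix.icu
smarteryou6g1.club
paulinequinonero.com
bluezonephysiotherapy.com
"""

# Hostname syntax check: labels of 1-63 chars, a dotted name of at most 253 chars.
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z0-9-]{2,63}$", re.I)


def parse_xloader_config(text):
    """Return {family, version, c2_url, c2_host, c2_path, decoys}; raise on bad input."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3:
        raise ValueError("config block needs family, version and C2 URL")
    family, version, c2_url = lines[0], lines[1], lines[2]
    url = urlparse(c2_url)
    if url.scheme not in ("http", "https") or not url.hostname:
        raise ValueError(f"C2 is not an http(s) URL: {c2_url!r}")
    decoys = []
    for dom in lines[3:]:
        if not _DOMAIN_RE.match(dom):
            raise ValueError(f"decoy entry is not a hostname: {dom!r}")
        decoys.append(dom.lower())
    return {
        "family": family,
        "version": version,
        "c2_url": c2_url,
        "c2_host": url.hostname.lower(),
        "c2_path": url.path,
        "decoys": decoys,
    }


def suricata_rules(cfg, base_sid=9000000):
    """One DNS-query rule per host (C2 first, priority 1; decoys priority 3),
    then one HTTP rule pinning the C2 host to its URI path. base_sid is an
    assumed local sid range."""
    tag = f'{cfg["family"]} {cfg["version"]}'
    hosts = [(cfg["c2_host"], "C2", 1)] + [(d, "decoy", 3) for d in cfg["decoys"]]
    rules = []
    for i, (host, kind, prio) in enumerate(hosts):
        rules.append(
            f'alert dns any any -> any any (msg:"{tag} {kind} domain {host}"; '
            f'dns.query; content:"{host}"; nocase; endswith; '
            f'priority:{prio}; sid:{base_sid + i}; rev:1;)'
        )
    rules.append(
        f'alert http any any -> any any (msg:"{tag} C2 URI on {cfg["c2_host"]}"; '
        f'http.host; content:"{cfg["c2_host"]}"; nocase; '
        f'http.uri; content:"{cfg["c2_path"]}"; startswith; '
        f'priority:1; sid:{base_sid + len(hosts)}; rev:1;)'
    )
    return rules


if __name__ == "__main__":
    cfg = parse_xloader_config(CONFIG_EXCERPT)
    print(f'{cfg["family"]} {cfg["version"]}: C2 {cfg["c2_host"]}{cfg["c2_path"]}, '
          f'{len(cfg["decoys"])} decoys')
    print("\n".join(suricata_rules(cfg)))
```

Feed the full 64-domain list from the report into `parse_xloader_config` the same way; the parser rejects a line that is not a hostname or a C2 that is not an http(s) URL rather than silently emitting a rule with junk in it.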
Signatures

Xloader Payload (2 IoCs)
    YARA rule "xloader" matched two memory regions, both 0x28000 (160KB) bytes: the same unpacked payload, first in the hollowed PO.exe and then in NETSTAT.EXE.
    - behavioral2/memory/2328-117-0x0000000000400000-0x0000000000428000-memory.dmp (PO.exe, PID 2328)
    - behavioral2/memory/2756-124-0x0000000000CA0000-0x0000000000CC8000-memory.dmp (NETSTAT.EXE, PID 2756)

Loads dropped DLL (2 IoCs)
    - PO.exe (PID 3980), two loads
    The dropped DLL is \Users\Admin\AppData\Local\Temp\nsb6365.tmp\System.dll (see Downloads). An ns*.tmp\System.dll is the NSIS System plugin, so the outer PO.exe is an NSIS-packaged first stage rather than the payload itself.

Suspicious use of SetThreadContext (3 IoCs)
    - PID 3980 (PO.exe) set thread context of PID 2328 (PO.exe)
    - PID 2328 (PO.exe) set thread context of PID 2504 (Explorer.EXE)
    - PID 2756 (NETSTAT.EXE) set thread context of PID 2504 (Explorer.EXE)
    Read together with the WriteProcessMemory entries below: 3980 starts a second copy of PO.exe, writes into it and redirects its thread (process hollowing); the hollowed copy then injects into Explorer.EXE, and NETSTAT.EXE later injects into Explorer.EXE again.

Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). The sandbox attaches "Likely ransomware behaviour" to this signature generically; Xloader is an information stealer, and nothing else in this report (no file-modification signatures, no dropped files beyond the NSIS plugin) supports a ransomware reading.

Gathers network information (2 TTPs, 1 IoC)
    Uses a command-line utility to view network configuration.
    - NETSTAT.EXE (PID 2756)
    This NETSTAT.EXE is not a user invocation: it is launched from the injected Explorer.EXE with no arguments and carries the Xloader payload (see the YARA hit above).

Suspicious behavior: EnumeratesProcesses (62 IoCs)
    - PO.exe (PID 2328): 4 hits
    - NETSTAT.EXE (PID 2756): all remaining hits

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
    - Explorer.EXE (PID 2504), the process both PO.exe and NETSTAT.EXE injected into

Suspicious behavior: MapViewOfSection (6 IoCs)
    - PO.exe (PID 3980): 1 hit
    - PO.exe (PID 2328): 3 hits
    - NETSTAT.EXE (PID 2756): 2 hits

Suspicious use of AdjustPrivilegeToken (10 IoCs)
    - PO.exe (PID 2328): SeDebugPrivilege
    - Explorer.EXE (PID 2504): SeShutdownPrivilege and SeCreatePagefilePrivilege, each four times
    - NETSTAT.EXE (PID 2756): SeDebugPrivilege
    SeDebugPrivilege is requested by both payload-carrying processes (2328 and 2756), the usual prelude to opening other processes for injection.

Suspicious use of WriteProcessMemory (10 IoCs)
    - PID 3980 (PO.exe) wrote to memory of PID 2328 (PO.exe): 4 writes
    - PID 2504 (Explorer.EXE) wrote to memory of PID 2756 (NETSTAT.EXE): 3 writes
    - PID 2756 (NETSTAT.EXE) wrote to memory of PID 3392 (cmd.exe): 3 writes
    Writes from a parent into a child it has just created are logged for ordinary process creation as well; the hollowing indicator is the 3980 to 2328 writes combined with the SetThreadContext on the same child.
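The three signature tables above (SetThreadContext, WriteProcessMemory, the process tree) describe one injection chain, and the same three checks carry over to endpoint telemetry. The following is an added example, not code from the sandbox report: EVENTS is a constructed, simplified transcription of this page's process and injection entries into Sysmon-style records, and the functions flag process hollowing, injection into a process the caller did not create, and self-deletion of the original sample. The event field names are assumptions; map them onto whatever your telemetry source emits.

```python
"""Reconstruct the injection chain from the signature tables above.

Added example, not code from the sandbox report. EVENTS is a constructed,
simplified transcription of the page's process tree and of its
WriteProcessMemory / SetThreadContext entries into Sysmon-style records
(process create, cross-process write, set-thread-context). The three checks
are how this chain looks to a detection engineer:
  1. hollowing: a parent writes into a child it created and then sets the
     child's thread context (suspended CreateProcess -> WriteProcessMemory ->
     SetThreadContext -> ResumeThread);
  2. cross-process injection: SetThreadContext on a process the caller did
     not create (here Explorer.EXE, from PO.exe and again from NETSTAT.EXE);
  3. self-deletion: cmd.exe "/c del" aimed at the image path of a process
     already seen in the tree.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\PO.exe"
NETSTAT = r"C:\Windows\SysWOW64\NETSTAT.EXE"

# Constructed from the report; ppid 0 marks the tree root. The page shows
# several writes per pair; one per pair is enough for the logic below.
EVENTS = [
    {"op": "create", "pid": 2504, "ppid": 0, "image": r"C:\Windows\Explorer.EXE", "cmd": r"C:\Windows\Explorer.EXE"},
    {"op": "create", "pid": 3980, "ppid": 2504, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"op": "create", "pid": 2328, "ppid": 3980, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"op": "write", "src": 3980, "dst": 2328},
    {"op": "setctx", "src": 3980, "dst": 2328},
    {"op": "setctx", "src": 2328, "dst": 2504},
    {"op": "create", "pid": 2756, "ppid": 2504, "image": NETSTAT, "cmd": f'"{NETSTAT}"'},
    {"op": "write", "src": 2504, "dst": 2756},
    {"op": "setctx", "src": 2756, "dst": 2504},
    {"op": "create", "pid": 3392, "ppid": 2756, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmd": f'/c del "{SAMPLE}"'},
    {"op": "write", "src": 2756, "dst": 3392},
]

_DEL_RE = re.compile(r'^/c\s+del\s+"?(.+?)"?\s*$', re.I)


def _procs(events):
    """pid -> create record, in creation order."""
    return {e["pid"]: e for e in events if e["op"] == "create"}


def find_hollowing(events):
    """(src, dst) pairs where src created dst, wrote into it and set its thread context."""
    procs = _procs(events)
    writes = {(e["src"], e["dst"]) for e in events if e["op"] == "write"}
    hits = []
    for e in events:
        if e["op"] != "setctx":
            continue
        child = procs.get(e["dst"])
        if child and child["ppid"] == e["src"] and (e["src"], e["dst"]) in writes:
            hits.append((e["src"], e["dst"]))
    return hits


def find_cross_injection(events):
    """(src, dst, dst_image) for SetThreadContext on a process src did not create."""
    procs = _procs(events)
    hits = []
    for e in events:
        if e["op"] != "setctx":
            continue
        target = procs.get(e["dst"])
        if target is None or target["ppid"] != e["src"]:
            hits.append((e["src"], e["dst"], target["image"] if target else None))
    return hits


def find_self_delete(events):
    """(cmd_pid, parent_pid, deleted_path, pids_that_ran_from_it) for a cmd.exe /c del
    whose target is the image of a process already in the tree."""
    procs = _procs(events)
    by_image = {}
    for p in procs.values():
        by_image.setdefault(p["image"].lower(), []).append(p["pid"])
    hits = []
    for p in procs.values():
        if not p["image"].lower().endswith("\\cmd.exe"):
            continue
        m = _DEL_RE.match(p["cmd"])
        if not m:
            continue
        path = m.group(1)
        victims = by_image.get(path.lower(), [])
        if victims:
            hits.append((p["pid"], p["ppid"], path, victims))
    return hits


if __name__ == "__main__":
    print("hollowing       :", find_hollowing(EVENTS))
    print("cross-injection :", find_cross_injection(EVENTS))
    print("self-delete     :", find_self_delete(EVENTS))
```

On this page the hollowing check fires once (3980 into 2328), the cross-injection check twice (2328 and 2756 into Explorer.EXE), and the self-delete check once (cmd.exe 3392, spawned by NETSTAT.EXE, deleting the image that PIDs 3980 and 2328 ran from). A `del` of a file no process ran from is deliberately not flagged, which keeps the rule quiet on ordinary installer cleanup.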
Processes

C:\Windows\Explorer.EXE (PID 2504, tree root; the sample is launched from Explorer and Explorer is later injected twice)
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\PO.exe (PID 3980, NSIS first stage)
        command line: "C:\Users\Admin\AppData\Local\Temp\PO.exe"
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\PO.exe (PID 2328, hollowed second copy holding the unpacked Xloader payload at 0x400000)
            command line: "C:\Users\Admin\AppData\Local\Temp\PO.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\NETSTAT.EXE (PID 2756, started by the injected Explorer.EXE with no arguments; carries the payload)
        command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
        - Suspicious use of SetThreadContext
        - Gathers network information
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 3392)
            command line: /c del "C:\Users\Admin\AppData\Local\Temp\PO.exe"
            Deletes the original sample once the payload has migrated into NETSTAT.EXE and Explorer.EXE.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Dropped file:
- \Users\Admin\AppData\Local\Temp\nsb6365.tmp\System.dll (listed twice, matching the two "Loads dropped DLL" hits for PID 3980; the ns*.tmp\System.dll path is the NSIS System plugin)
  MD5: 56a321bd011112ec5d8a32b2f6fd3231
  SHA1: df20e3a35a1636de64df5290ae5e4e7572447f78
  SHA256: bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1
  SHA512: 5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

Memory dumps (name format: memory/<pid>-<seq>-<start>-<end>-memory.dmp; mapping.dmp entries record an address with no extent):
- memory/2328-116-0x000000000041D010-mapping.dmp
- memory/2328-117-0x0000000000400000-0x0000000000428000-memory.dmp (160KB; YARA "xloader" hit, at the default x86 image base)
- memory/2328-118-0x0000000000B20000-0x0000000000E40000-memory.dmp (3.1MB)
- memory/2328-119-0x0000000000580000-0x00000000006CA000-memory.dmp (1.3MB)
- memory/2504-120-0x0000000004E00000-0x0000000004F0B000-memory.dmp (1.0MB)
- memory/2504-127-0x0000000004F20000-0x0000000005064000-memory.dmp (1.3MB)
- memory/2756-121-0x0000000000000000-mapping.dmp
- memory/2756-124-0x0000000000CA0000-0x0000000000CC8000-memory.dmp (160KB; YARA "xloader" hit)
- memory/2756-123-0x0000000000F90000-0x0000000000F9B000-memory.dmp (44KB)
- memory/2756-125-0x0000000003430000-0x0000000003750000-memory.dmp (3.1MB)
- memory/2756-126-0x0000000003280000-0x000000000330F000-memory.dmp (572KB)
- memory/3392-122-0x0000000000000000-mapping.dmp

The 160KB (0x28000) and 3.1MB (0x320000) regions appear with identical sizes in both PO.exe (2328) and NETSTAT.EXE (2756), consistent with the same injected payload in both processes; the 160KB dump from 2328 is the one to take for static analysis of the unpacked Xloader.
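The dump names above encode PID and address range, and comparing region sizes across PIDs is the quickest way to spot the same payload in two processes. The following is an added example, not code from the sandbox report: it parses the report's dump-name format (a constructed copy of the names above is embedded), reproduces the report's size labels, and lists region sizes that occur in more than one process.

```python
"""Parse the memory-dump names above and correlate regions across processes.

Added example, not code from the sandbox report. The report names dumps as
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, or
memory/<pid>-<seq>-0x<addr>-mapping.dmp for a mapping record with no extent.
DUMPS is a constructed copy of the names listed above. A region of identical
size turning up in two different PIDs is the quickest hint that the same
payload was written into both; here the 0x28000 (160KB) region carrying the
YARA "xloader" hit is present in both PO.exe (2328) and NETSTAT.EXE (2756),
and so is a 0x320000 (3.1MB) region.
"""
import re
from collections import defaultdict

DUMPS = [
    "memory/2328-116-0x000000000041D010-mapping.dmp",
    "memory/2328-117-0x0000000000400000-0x0000000000428000-memory.dmp",
    "memory/2328-118-0x0000000000B20000-0x0000000000E40000-memory.dmp",
    "memory/2328-119-0x0000000000580000-0x00000000006CA000-memory.dmp",
    "memory/2504-120-0x0000000004E00000-0x0000000004F0B000-memory.dmp",
    "memory/2504-127-0x0000000004F20000-0x0000000005064000-memory.dmp",
    "memory/2756-121-0x0000000000000000-mapping.dmp",
    "memory/2756-124-0x0000000000CA0000-0x0000000000CC8000-memory.dmp",
    "memory/2756-123-0x0000000000F90000-0x0000000000F9B000-memory.dmp",
    "memory/2756-125-0x0000000003430000-0x0000000003750000-memory.dmp",
    "memory/2756-126-0x0000000003280000-0x000000000330F000-memory.dmp",
    "memory/3392-122-0x0000000000000000-mapping.dmp",
]

_DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp$"
)


def parse_dump_name(name):
    """Split a dump name into pid, seq, start, end (None for mapping records), kind and size."""
    m = _DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Triage-style dump name: {name!r}")
    pid, seq, start, end, kind = m.groups()
    start_i = int(start, 16)
    end_i = int(end, 16) if end is not None else None
    if end_i is not None and end_i <= start_i:
        raise ValueError(f"end not after start in {name!r}")
    return {"pid": int(pid), "seq": int(seq), "start": start_i, "end": end_i,
            "kind": kind, "size": (end_i - start_i) if end_i is not None else 0}


def human_size(n):
    """Format as the report does: whole KB below 1MB (regions are page aligned), else one decimal MB."""
    return f"{n / 1048576:.1f}MB" if n >= 1048576 else f"{n // 1024}KB"


def regions(names, pid):
    """Memory regions dumped for one pid, ordered by start address."""
    recs = [parse_dump_name(n) for n in names]
    return sorted((r for r in recs if r["pid"] == pid and r["kind"] == "memory"),
                  key=lambda r: r["start"])


def shared_regions(names):
    """size -> sorted PIDs, for region sizes that occur in more than one process."""
    by_size = defaultdict(set)
    for n in names:
        r = parse_dump_name(n)
        if r["kind"] == "memory":
            by_size[r["size"]].add(r["pid"])
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


if __name__ == "__main__":
    for size, pids in sorted(shared_regions(DUMPS).items()):
        print(f"0x{size:X} ({human_size(size)}) dumped from PIDs {pids}")
    for r in regions(DUMPS, 2328):
        print(f"PID 2328 0x{r['start']:08X}-0x{r['end']:08X} {human_size(r['size'])}")
```

Equal size is a hint, not proof; confirm by hashing the two 160KB dumps or by diffing them after stripping relocations, since the payload sits at 0x400000 in one process and 0xCA0000 in the other.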