Analysis
- max time kernel: 82s
- max time network: 149s
- platform: windows10_x64
- resource: win10-en
- submitted: 20-09-2021 10:34
- Static task: static1
General
- Target: 1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe
- Size: 256KB
- MD5: f8e9ce19f4c0d0896203a7caf2fc5cd0
- SHA1: b009e148764404c040683318e2a451ef61fd949d
- SHA256: 1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e
- SHA512: 2b071b94827972e65f0ca010b22d9d5a3b5fb35a77d97bd968aae2aad4b73f072e2ece013b877f441df675fd234795266979d9a45acd29d4141e7b25f011d5b1
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign ID: m0np
- C2: http://www.devmedicalcentre.com/m0np/
Signatures
- Xloader Payload (1 IoCs)
  resource: behavioral1/memory/3612-117-0x0000000000400000-0x0000000000429000-memory.dmp
  yara_rule: xloader
- Loads dropped DLL (1 IoCs)
  PID 3388: 1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe
- Suspicious use of SetThreadContext (1 IoCs)
  PID 3388 (1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe) set thread context of PID 3612 (1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3612: 1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe
  PID 3612: 1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  PID 3388: 1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 3388 (1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe) wrote to memory of PID 3612 (1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe), recorded four times
Processes
- C:\Users\Admin\AppData\Local\Temp\1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe "C:\Users\Admin\AppData\Local\Temp\1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe" (PID 3388)
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe "C:\Users\Admin\AppData\Local\Temp\1898f81a98377b5461ebcdc775708f9f27e3f721f3f822383d58271f8c36940e.exe" (PID 3612)
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- \Users\Admin\AppData\Local\Temp\nssD1E7.tmp\qehsdu.dll
  MD5: 16f9fe837743898ba9ba9e3d30aa34b6
  SHA1: 31ac075fee8d161827faada1fdd35869361bcd1a
  SHA256: 37834fc5f894997545a3dc8d5b9dca86233c864196b5a227e3dda68451d1cc9a
  SHA512: 86340b6105cabe8c32413a4b08a54ce0819c24c7f7d51e846aa590de43feb5f8ddd9e82054ed2d0b87280fc4c77ea054fbd2818ede3e30728d041b7fdf197c44
- memory/3612-116-0x000000000041D450-mapping.dmp
- memory/3612-117-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/3612-118-0x0000000000A40000-0x0000000000D60000-memory.dmp
  Filesize: 3.1MB