Analysis
max time kernel: 134s
max time network: 146s
platform: windows10_x64
resource: win10-en
submitted: 20-09-2021 12:15
Static task: static1
General
Target: b32448dbeec13e1eb23e55a57ffc06f9dfc8fd44687e19fc0be1c4fbabc10abb.exe
Size: 253KB
MD5: dfbd95b518ecc9178415c3b24078c94f
SHA1: 6881c018ddf6fcbd775c92bb897967408f0f504a
SHA256: b32448dbeec13e1eb23e55a57ffc06f9dfc8fd44687e19fc0be1c4fbabc10abb
SHA512: 981c786a7f8688574de78b1c722126456307e56d0ca6c22a1e06ff73dd9fcc13c94767caddcb61d0600e793cb9ef00b21f97e581949d194fbe00d65d7f2509db
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign ID: m0np
C2: http://www.devmedicalcentre.com/m0np/
Domains (Xloader configs embed decoy domains alongside the live C2, so treat the entries below as lower-confidence indicators than the C2 URL above and corroborate before blocking on them alone):
gruppovimar.com
seniordatingtv.com
pinpinyouqian.website
retreatreflectreplenish.com
baby-handmade.store
econsupplies.com
helloaustinpodcast.com
europe-lodging.com
ferahanaokulu.com
thehomeinspo.com
rawhoneytnpasumo6.xyz
tyckasei.quest
scissorsandbuffer.com
jatinvestmentsmaldives.com
softandcute.store
afuturemakerspromotions.online
leonsigntech.com
havetheshortscovered.com
cvkf.email
iplyyu.com
motphimz.net
slimmerpage.com
fifthbelle.com
moneybagsinfinity.com
architettoaroma.com
rio-script.com
millieandmaude.net
pvinayak.com
nyctattoing.com
fermanfood.com
medardlake.com
40acgidd.com
mrbrianalba.com
110bao.com
shguitong.com
why5mkt.com
diptv.xyz
gotbn-a01.com
rene-weise.com
meltaluminum.com
tobiasqbrown.com
eiqor.com
bnabd.com
painubloc.com
bofoz.com
maxicashprogtq.xyz
probinns.com
yourroddays1.xyz
friedmantrusts.com
patrianilancamentos.com
cetpa.solutions
fengxiaowangluo.com
zkimax.com
bibberyhills.com
colegiodeltaaps.com
fraternitybrand.com
codemais.net
ohayouwww.com
keenflat.com
devvabaek.com
rouxbylarease.online
hongyuyinji.com
cybersecurity-andorra.online
zs4.info
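The config block above is the raw extractor output: family, version, campaign ID, C2 URL, then the domain list. The following is an added example by the editor, not sandbox output and not code from the Xloader authors, that turns such a block into structured IoCs with a sanity check that the campaign ID matches the C2 panel path. CONFIG_TEXT is a shortened copy of the block (first three domains and the last); the confidence labels and the decoy-domain caveat are the editor's assumptions about the family, not data the report states.

```python
"""Parse an Xloader config block into structured IoCs.

Added example by the editor; not sandbox code. CONFIG_TEXT is a shortened
copy of the report's config section (constructed input for the demo).
"""
import json
import re
from urllib.parse import urlparse

CONFIG_TEXT = """\
xloader
2.5
m0np
http://www.devmedicalcentre.com/m0np/
gruppovimar.com
seniordatingtv.com
pinpinyouqian.website
zs4.info
"""

# Hostname grammar: dot-separated labels of letters/digits/hyphens, TLD of 2+ chars.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9-]{2,}$"
)


def parse_xloader_config(text):
    """Return a dict with family, version, campaign, c2 and domain list.

    Raises ValueError when the block does not look like an Xloader config,
    so a malformed extraction never silently yields an empty blocklist.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 4:
        raise ValueError("config block too short")
    family, version, campaign, c2 = lines[:4]
    if family.lower() != "xloader":
        raise ValueError(f"unexpected family {family!r}")
    u = urlparse(c2)
    if u.scheme not in ("http", "https") or not u.hostname:
        raise ValueError(f"C2 is not an http(s) URL: {c2!r}")
    # The campaign ID doubles as the panel path; cross-check the two fields.
    if u.path.strip("/") != campaign:
        raise ValueError(f"campaign {campaign!r} does not match C2 path {u.path!r}")
    domains = [d.lower() for d in lines[4:]]
    bad = [d for d in domains if not DOMAIN_RE.match(d)]
    if bad:
        raise ValueError(f"malformed domain entries: {bad}")
    return {
        "family": family.lower(),
        "version": version,
        "campaign": campaign,
        "c2_url": c2,
        "c2_host": u.hostname,
        "domains": domains,
    }


def to_iocs(cfg):
    """Flatten the config into {type, value, confidence} records.

    The C2 URL and its host are high confidence. The other domains are
    tagged low because Xloader ships decoy domains next to the live C2
    (editor's assumption about the family, not a statement of the report).
    """
    iocs = [
        {"type": "url", "value": cfg["c2_url"], "confidence": "high"},
        {"type": "domain", "value": cfg["c2_host"], "confidence": "high"},
    ]
    seen = {cfg["c2_host"]}
    for d in cfg["domains"]:
        if d in seen:  # a decoy list may repeat the real host; never downgrade it
            continue
        seen.add(d)
        iocs.append({"type": "domain", "value": d, "confidence": "low"})
    return iocs


if __name__ == "__main__":
    print(json.dumps(to_iocs(parse_xloader_config(CONFIG_TEXT)), indent=2))
```

Feed the full 64-domain list from the section above into CONFIG_TEXT to get the complete set; the campaign/path check fails fast if a config was mis-extracted.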
Signatures
Xloader Payload (1 IoC)
  resource: behavioral1/memory/4732-117-0x0000000000400000-0x0000000000429000-memory.dmp
  yara_rule: xloader
Loads dropped DLL (1 IoC)
  pid 4700, process b32448dbeec13e1eb23e55a57ffc06f9dfc8fd44687e19fc0be1c4fbabc10abb.exe
Suspicious use of SetThreadContext (1 IoC)
  PID 4700 set thread context of PID 4732 (both b32448dbeec13e1eb23e55a57ffc06f9dfc8fd44687e19fc0be1c4fbabc10abb.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's stock description for this signature reads "likely ransomware behaviour", but it is a generic drive-enumeration check; nothing else in this report points to ransomware for this Xloader sample, so do not read it as encryption activity.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 4732, process b32448dbeec13e1eb23e55a57ffc06f9dfc8fd44687e19fc0be1c4fbabc10abb.exe (two hits)
Suspicious behavior: MapViewOfSection (1 IoC)
  pid 4700, process b32448dbeec13e1eb23e55a57ffc06f9dfc8fd44687e19fc0be1c4fbabc10abb.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 4700 wrote to memory of PID 4732 (both b32448dbeec13e1eb23e55a57ffc06f9dfc8fd44687e19fc0be1c4fbabc10abb.exe), four hits
Processes
C:\Users\Admin\AppData\Local\Temp\b32448dbeec13e1eb23e55a57ffc06f9dfc8fd44687e19fc0be1c4fbabc10abb.exe (PID 4700, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\b32448dbeec13e1eb23e55a57ffc06f9dfc8fd44687e19fc0be1c4fbabc10abb.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\b32448dbeec13e1eb23e55a57ffc06f9dfc8fd44687e19fc0be1c4fbabc10abb.exe (PID 4732, depth 2, child of PID 4700; a second copy of the same image, and the target of the parent's WriteProcessMemory and SetThreadContext calls listed under Signatures)
    command line: "C:\Users\Admin\AppData\Local\Temp\b32448dbeec13e1eb23e55a57ffc06f9dfc8fd44687e19fc0be1c4fbabc10abb.exe"
    - Suspicious behavior: EnumeratesProcesses
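The process tree and the Signatures section together describe one injection sequence: PID 4700 spawns a second copy of its own image as PID 4732, writes into it four times, maps a section, and resets the child's thread context, after which the child is the process that carries the Xloader payload. The following is an added detection example by the editor, not sandbox code: a heuristic that flags a parent which creates a same-image child and then uses SetThreadContext plus at least one other injection primitive against it. EVENTS is constructed telemetry shaped after the report's signature lines (same PIDs and API names); the tuple layout and the benign noise rows are assumptions, not a real sensor schema.

```python
"""Heuristic for self-injection (process hollowing into a child of the same image).

Added example by the editor; not sandbox code. EVENTS is constructed
telemetry mirroring the report's PIDs and flagged APIs; the field layout is
an assumption rather than any real sensor's schema.
"""
from collections import defaultdict

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\b32448dbeec13e1eb23e55a57ffc06f9dfc8fd44687e19fc0be1c4fbabc10abb.exe"

# (api, source_pid, target_pid, source_image, target_image)
EVENTS = [
    ("CreateProcess", 4700, 4732, IMAGE, IMAGE),
    ("WriteProcessMemory", 4700, 4732, IMAGE, IMAGE),
    ("WriteProcessMemory", 4700, 4732, IMAGE, IMAGE),
    ("WriteProcessMemory", 4700, 4732, IMAGE, IMAGE),
    ("WriteProcessMemory", 4700, 4732, IMAGE, IMAGE),
    ("MapViewOfSection", 4700, 4732, IMAGE, IMAGE),
    ("SetThreadContext", 4700, 4732, IMAGE, IMAGE),
    # constructed benign noise: a parent that merely spawns a same-image helper
    ("CreateProcess", 900, 901, r"C:\Program Files\Browser\browser.exe",
     r"C:\Program Files\Browser\browser.exe"),
    # constructed benign noise: a debugger writing into an unrelated target
    ("WriteProcessMemory", 1234, 5678, r"C:\Tools\dbg.exe", r"C:\App\app.exe"),
]

INJECTION_APIS = {"WriteProcessMemory", "SetThreadContext", "MapViewOfSection"}


def find_self_hollowing(events, min_distinct_apis=2):
    """Return sorted (parent_pid, child_pid) pairs where the parent created a
    child from its own image and then used SetThreadContext plus at least
    `min_distinct_apis` distinct injection primitives in total against it.

    Requiring SetThreadContext keeps ordinary same-image spawns (browsers,
    updaters) out of the result: a hollowed child needs its entry point
    redirected, a legitimate child does not.
    """
    same_image_children = set()
    apis_by_pair = defaultdict(set)
    for api, src, dst, src_img, dst_img in events:
        pair = (src, dst)
        if api == "CreateProcess" and src_img.lower() == dst_img.lower():
            same_image_children.add(pair)
        elif api in INJECTION_APIS:
            apis_by_pair[pair].add(api)
    hits = []
    for pair in same_image_children:
        used = apis_by_pair[pair]
        if "SetThreadContext" in used and len(used) >= min_distinct_apis:
            hits.append(pair)
    return sorted(hits)


if __name__ == "__main__":
    print(find_self_hollowing(EVENTS))
```

On real endpoint telemetry the same logic maps onto process-create and process-access events; the point of keying on SetThreadContext is that it separates this sample's behaviour from the many legitimate programs that spawn copies of themselves.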
Downloads
\Users\Admin\AppData\Local\Temp\nszC94C.tmp\gogxofveb.dll (the dropped DLL; the ns<letter><4 hex>.tmp directory name is the pattern NSIS installers use for their temporary plug-in directory)
  MD5: 5e0c4458aeaf4004eda52aef446624b7
  SHA1: 2c4e328afe87b6de681fc433978ce8e09ccd5a2d
  SHA256: 43ae5a5e3fd660e0b3b281a44d82ca2a651c126fc5ff8f540fb32145665b0b74
  SHA512: f3b024fa981ff0548be4452195dd66cd5cd06135158175da7eb1a4ce0c62ec531e513fbc997bbc67c78ce444818a52223923f18418642badec7b63e0a41254d5
memory/4732-116-0x000000000041D450-mapping.dmp
memory/4732-117-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB (the dump that matched the xloader YARA rule under Signatures)
memory/4732-118-0x0000000000B80000-0x0000000000EA0000-memory.dmp
  Filesize: 3.1MB
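The Downloads entries carry structure that extraction flattened: hash labels fused onto the digests ("SHA12c4e..." is the SHA1 label followed by the digest), and dump file names that encode PID, dump index, address range and dump kind. The following is an added example by the editor, not sandbox code, that recovers both, checks the address arithmetic (0x429000 - 0x400000 = 164KB, matching the stated filesize), and locates which payload dump contains the mapping address 0x41D450. The fused strings below are copied from this section, except the "MD5..." entry which is constructed in the same fused style for the demo; reading the mapping address as the redirected entry point inside the payload image is the editor's assumption, not something the report states.

```python
"""Recover fused hash labels and parse sandbox memory-dump file names.

Added example by the editor; not sandbox code. Inputs are copied from the
report's Downloads section (the MD5 entry is constructed in fused form).
"""
import re

# Hex digest lengths per algorithm; longest label first so "SHA512" and
# "SHA256" are tried before "SHA1", which is a prefix of both.
HASH_LEN = {"SHA512": 128, "SHA256": 64, "SHA1": 40, "MD5": 32}

FUSED_HASHES = [
    "SHA12c4e328afe87b6de681fc433978ce8e09ccd5a2d",
    "SHA25643ae5a5e3fd660e0b3b281a44d82ca2a651c126fc5ff8f540fb32145665b0b74",
    "SHA512f3b024fa981ff0548be4452195dd66cd5cd06135158175da7eb1a4ce0c62ec531e513fbc997bbc67c78ce444818a52223923f18418642badec7b63e0a41254d5",
    "MD55e0c4458aeaf4004eda52aef446624b7",  # constructed: page has label and digest on separate lines
]

DUMPS = [
    "memory/4732-116-0x000000000041D450-mapping.dmp",
    "memory/4732-117-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/4732-118-0x0000000000B80000-0x0000000000EA0000-memory.dmp",
]

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)


def split_fused_hash(s):
    """Return (label, hex_digest) for a label+digest string.

    Both the label prefix and the digest length must agree, so a truncated
    or mislabeled digest raises instead of being accepted as a valid IoC.
    """
    for label, n in HASH_LEN.items():  # dict order: SHA512, SHA256, SHA1, MD5
        if s.upper().startswith(label):
            digest = s[len(label):].lower()
            if len(digest) == n and re.fullmatch(r"[0-9a-f]+", digest):
                return label, digest
    raise ValueError(f"unrecognised hash entry: {s[:16]}...")


def parse_dump_name(name):
    """Parse pid, index, kind and address range out of a dump file name.

    Mapping dumps carry a single address and no size; memory dumps carry
    a start/end pair from which the size is computed.
    """
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a dump name: {name!r}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {
        "pid": int(m["pid"]),
        "index": int(m["idx"]),
        "kind": m["kind"],
        "start": start,
        "end": end,
        "size": (end - start) if end is not None else None,
    }


def mapping_inside_payload(dump_names):
    """Return (mapping_addr, region_start, region_end) for every mapping
    address that falls inside a memory dump of the same PID; here this ties
    0x41D450 to the 0x400000-0x429000 region that the xloader rule matched."""
    parsed = [parse_dump_name(d) for d in dump_names]
    mappings = [p for p in parsed if p["kind"] == "mapping"]
    regions = [p for p in parsed if p["kind"] == "memory"]
    hits = []
    for mp in mappings:
        for rg in regions:
            if rg["pid"] == mp["pid"] and rg["start"] <= mp["start"] < rg["end"]:
                hits.append((mp["start"], rg["start"], rg["end"]))
    return hits


if __name__ == "__main__":
    for h in FUSED_HASHES:
        print(split_fused_hash(h))
    for d in DUMPS:
        print(parse_dump_name(d))
    print([tuple(hex(x) for x in t) for t in mapping_inside_payload(DUMPS)])
```

The region size check is worth running whenever a report's stated filesize and address range come from different extraction paths: a mismatch usually means a truncated or mis-joined line.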