Analysis
max time kernel: 75s
max time network: 164s
platform: windows10_x64
resource: win10-en
submitted: 20-09-2021 13:59
Static task: static1
Behavioral task: behavioral1
Sample: dfbd95b518ecc9178415c3b24078c94f.exe
Resource: win7v20210408
General
Target: dfbd95b518ecc9178415c3b24078c94f.exe
Size: 253KB
MD5: dfbd95b518ecc9178415c3b24078c94f
SHA1: 6881c018ddf6fcbd775c92bb897967408f0f504a
SHA256: b32448dbeec13e1eb23e55a57ffc06f9dfc8fd44687e19fc0be1c4fbabc10abb
SHA512: 981c786a7f8688574de78b1c722126456307e56d0ca6c22a1e06ff73dd9fcc13c94767caddcb61d0600e793cb9ef00b21f97e581949d194fbe00d65d7f2509db
Malware Config
Extracted
xloader
2.5
m0np
http://www.devmedicalcentre.com/m0np/
gruppovimar.com
seniordatingtv.com
pinpinyouqian.website
retreatreflectreplenish.com
baby-handmade.store
econsupplies.com
helloaustinpodcast.com
europe-lodging.com
ferahanaokulu.com
thehomeinspo.com
rawhoneytnpasumo6.xyz
tyckasei.quest
scissorsandbuffer.com
jatinvestmentsmaldives.com
softandcute.store
afuturemakerspromotions.online
leonsigntech.com
havetheshortscovered.com
cvkf.email
iplyyu.com
motphimz.net
slimmerpage.com
fifthbelle.com
moneybagsinfinity.com
architettoaroma.com
rio-script.com
millieandmaude.net
pvinayak.com
nyctattoing.com
fermanfood.com
medardlake.com
40acgidd.com
mrbrianalba.com
110bao.com
shguitong.com
why5mkt.com
diptv.xyz
gotbn-a01.com
rene-weise.com
meltaluminum.com
tobiasqbrown.com
eiqor.com
bnabd.com
painubloc.com
bofoz.com
maxicashprogtq.xyz
probinns.com
yourroddays1.xyz
friedmantrusts.com
patrianilancamentos.com
cetpa.solutions
fengxiaowangluo.com
zkimax.com
bibberyhills.com
colegiodeltaaps.com
fraternitybrand.com
codemais.net
ohayouwww.com
keenflat.com
devvabaek.com
rouxbylarease.online
hongyuyinji.com
cybersecurity-andorra.online
zs4.info
Signatures
Xloader Payload 1 IoCs
Processes:
resource: behavioral2/memory/4032-117-0x0000000000400000-0x0000000000429000-memory.dmp  yara_rule: xloader
Loads dropped DLL 1 IoCs
Processes:
pid 3556  process dfbd95b518ecc9178415c3b24078c94f.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
PID 3556 (dfbd95b518ecc9178415c3b24078c94f.exe) set thread context of PID 4032 (dfbd95b518ecc9178415c3b24078c94f.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid 4032  process dfbd95b518ecc9178415c3b24078c94f.exe
pid 4032  process dfbd95b518ecc9178415c3b24078c94f.exe
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid 3556  process dfbd95b518ecc9178415c3b24078c94f.exe
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
PID 3556 (dfbd95b518ecc9178415c3b24078c94f.exe) wrote to memory of PID 4032 (dfbd95b518ecc9178415c3b24078c94f.exe)
PID 3556 (dfbd95b518ecc9178415c3b24078c94f.exe) wrote to memory of PID 4032 (dfbd95b518ecc9178415c3b24078c94f.exe)
PID 3556 (dfbd95b518ecc9178415c3b24078c94f.exe) wrote to memory of PID 4032 (dfbd95b518ecc9178415c3b24078c94f.exe)
PID 3556 (dfbd95b518ecc9178415c3b24078c94f.exe) wrote to memory of PID 4032 (dfbd95b518ecc9178415c3b24078c94f.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\dfbd95b518ecc9178415c3b24078c94f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\dfbd95b518ecc9178415c3b24078c94f.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\dfbd95b518ecc9178415c3b24078c94f.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\dfbd95b518ecc9178415c3b24078c94f.exe"
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
\Users\Admin\AppData\Local\Temp\nsiF85B.tmp\gogxofveb.dll
MD5: 5e0c4458aeaf4004eda52aef446624b7
SHA1: 2c4e328afe87b6de681fc433978ce8e09ccd5a2d
SHA256: 43ae5a5e3fd660e0b3b281a44d82ca2a651c126fc5ff8f540fb32145665b0b74
SHA512: f3b024fa981ff0548be4452195dd66cd5cd06135158175da7eb1a4ce0c62ec531e513fbc997bbc67c78ce444818a52223923f18418642badec7b63e0a41254d5
memory/4032-116-0x000000000041D450-mapping.dmp
memory/4032-118-0x0000000000A70000-0x0000000000D90000-memory.dmp
Filesize: 3.1MB
memory/4032-117-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize: 164KB