Analysis

max time kernel: 116s
max time network: 119s
platform: windows10_x64
resource: win10-en-20210920
submitted: 21-09-2021 14:02

Static task: static1
Behavioral task: behavioral1
  Sample: 4a1f2305b60236d5c00c871a92a9a693.exe
  Resource: win7-en-20210920
General

Target: 4a1f2305b60236d5c00c871a92a9a693.exe
Size: 249KB
MD5: 4a1f2305b60236d5c00c871a92a9a693
SHA1: ca9c84820c9960d0c294e684be2acb11736ccfd1
SHA256: 8a95ac711537aeb1c93c61e541077005f5226e4150c2669742d1b612cfc25788
SHA512: 43846983e68ce4eba961ea7bfc3d1816da756c411e27aac47d7bd38e15b05271bb51d768f5c2a1d70d883f35ce3297b768df51223b7eb536c4e700bc6b6a3811
Malware Config

Extracted
Family: xloader
Version: 2.5
Campaign ID: m0np
C2: http://www.devmedicalcentre.com/m0np/
Decoy domains (the remaining entries of the extracted config; XLoader ships a list of decoys alongside the real C2 so that the genuine server is hard to pick out of the traffic):
gruppovimar.com
seniordatingtv.com
pinpinyouqian.website
retreatreflectreplenish.com
baby-handmade.store
econsupplies.com
helloaustinpodcast.com
europe-lodging.com
ferahanaokulu.com
thehomeinspo.com
rawhoneytnpasumo6.xyz
tyckasei.quest
scissorsandbuffer.com
jatinvestmentsmaldives.com
softandcute.store
afuturemakerspromotions.online
leonsigntech.com
havetheshortscovered.com
cvkf.email
iplyyu.com
motphimz.net
slimmerpage.com
fifthbelle.com
moneybagsinfinity.com
architettoaroma.com
rio-script.com
millieandmaude.net
pvinayak.com
nyctattoing.com
fermanfood.com
medardlake.com
40acgidd.com
mrbrianalba.com
110bao.com
shguitong.com
why5mkt.com
diptv.xyz
gotbn-a01.com
rene-weise.com
meltaluminum.com
tobiasqbrown.com
eiqor.com
bnabd.com
painubloc.com
bofoz.com
maxicashprogtq.xyz
probinns.com
yourroddays1.xyz
friedmantrusts.com
patrianilancamentos.com
cetpa.solutions
fengxiaowangluo.com
zkimax.com
bibberyhills.com
colegiodeltaaps.com
fraternitybrand.com
codemais.net
ohayouwww.com
keenflat.com
devvabaek.com
rouxbylarease.online
hongyuyinji.com
cybersecurity-andorra.online
zs4.info
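The extracted config above is directly usable for detection: the campaign ID gives the URL path ("/m0np/") and the C2 plus decoy list gives the hosts. The following Python is an added example, not part of the sandbox report. The version, campaign ID, C2 URL and domain list are copied verbatim from the config; the proxy-log format (space-separated "timestamp client method url status") and the log lines themselves are constructed for the demo, and treating "www.example.com" and "example.com" as the same host is an assumption.

```python
"""Turn the extracted XLoader 2.5 config into a proxy-log check.

Added example; the config values below are copied from the sandbox report,
the log lines are constructed for the demo.
"""
from urllib.parse import urlsplit

XLOADER_VERSION = "2.5"
CAMPAIGN_ID = "m0np"
C2_URL = "http://www.devmedicalcentre.com/m0np/"
DECOY_DOMAINS = """
gruppovimar.com seniordatingtv.com pinpinyouqian.website retreatreflectreplenish.com
baby-handmade.store econsupplies.com helloaustinpodcast.com europe-lodging.com
ferahanaokulu.com thehomeinspo.com rawhoneytnpasumo6.xyz tyckasei.quest
scissorsandbuffer.com jatinvestmentsmaldives.com softandcute.store afuturemakerspromotions.online
leonsigntech.com havetheshortscovered.com cvkf.email iplyyu.com
motphimz.net slimmerpage.com fifthbelle.com moneybagsinfinity.com
architettoaroma.com rio-script.com millieandmaude.net pvinayak.com
nyctattoing.com fermanfood.com medardlake.com 40acgidd.com
mrbrianalba.com 110bao.com shguitong.com why5mkt.com
diptv.xyz gotbn-a01.com rene-weise.com meltaluminum.com
tobiasqbrown.com eiqor.com bnabd.com painubloc.com
bofoz.com maxicashprogtq.xyz probinns.com yourroddays1.xyz
friedmantrusts.com patrianilancamentos.com cetpa.solutions fengxiaowangluo.com
zkimax.com bibberyhills.com colegiodeltaaps.com fraternitybrand.com
codemais.net ohayouwww.com keenflat.com devvabaek.com
rouxbylarease.online hongyuyinji.com cybersecurity-andorra.online zs4.info
""".split()


def _norm_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' (assumption: the
    beacon may use either form of the configured host)."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


# Every host in the config, real C2 and decoys alike.
WATCHED_HOSTS = {_norm_host(urlsplit(C2_URL).hostname)} | {_norm_host(d) for d in DECOY_DOMAINS}
CAMPAIGN_PATH = f"/{CAMPAIGN_ID}/"


def classify_url(url: str):
    """Return a verdict string for one URL, or None if it matches nothing.

    xloader-beacon : configured host AND the campaign path  (strong)
    campaign-path  : campaign path on an unknown host        (possible rotated C2)
    config-domain  : configured host without the path        (weak; decoys are
                     ordinary sites that real users also visit)
    """
    parts = urlsplit(url)
    if not parts.hostname:
        return None
    known = _norm_host(parts.hostname) in WATCHED_HOSTS
    on_path = parts.path.startswith(CAMPAIGN_PATH)
    if known and on_path:
        return "xloader-beacon"
    if on_path:
        return "campaign-path"
    if known:
        return "config-domain"
    return None


def scan_proxy_log(lines):
    """Yield (client, url, verdict) for every log line that matches the config."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:          # malformed line: skip rather than crash
            continue
        _ts, client, _method, url = fields[:4]
        verdict = classify_url(url)
        if verdict:
            hits.append((client, url, verdict))
    return hits


# Constructed proxy log lines for the demo (not captured traffic).
SAMPLE_LOG = [
    "2021-09-21T14:03:01Z 10.0.0.5 POST http://www.devmedicalcentre.com/m0np/ 200",
    "2021-09-21T14:03:02Z 10.0.0.5 GET http://gruppovimar.com/m0np/ 404",
    "2021-09-21T14:03:03Z 10.0.0.7 GET https://gruppovimar.com/index.html 200",
    "2021-09-21T14:03:04Z 10.0.0.9 GET https://example.com/m0np/ 200",
    "2021-09-21T14:03:05Z 10.0.0.9 GET https://example.com/ 200",
]

if __name__ == "__main__":
    for client, url, verdict in scan_proxy_log(SAMPLE_LOG):
        print(f"{verdict:15} {client:10} {url}")
```

Only the combination of a configured host and the campaign path is worth an alert on its own; a bare hit on one of the decoy domains is expected from normal browsing and should be treated as context, not as a detection.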
Signatures

Xloader Payload (1 IoCs)
  resource: behavioral2/memory/2064-117-0x0000000000400000-0x0000000000429000-memory.dmp
  yara_rule: xloader

Loads dropped DLL (1 IoCs)
  PID 1952  4a1f2305b60236d5c00c871a92a9a693.exe

Suspicious use of SetThreadContext (1 IoCs)
  PID 1952 (4a1f2305b60236d5c00c871a92a9a693.exe) set thread context of PID 2064 (4a1f2305b60236d5c00c871a92a9a693.exe)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: this is a generic heuristic triggered by drive enumeration. The YARA hit and the extracted config identify the sample as the XLoader stealer, so the ransomware hint should not be read as a classification.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2064  4a1f2305b60236d5c00c871a92a9a693.exe
  PID 2064  4a1f2305b60236d5c00c871a92a9a693.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
  PID 1952  4a1f2305b60236d5c00c871a92a9a693.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  4 events, each: PID 1952 (4a1f2305b60236d5c00c871a92a9a693.exe) wrote to memory of PID 2064 (4a1f2305b60236d5c00c871a92a9a693.exe)

Taken together, the parent (1952) writing into a child with the same image name (2064), mapping a section and then setting the child's thread context is the process-hollowing pattern, and the YARA match on the child's 0x400000-0x429000 region shows that the unpacked XLoader payload is what ran inside it.
Processes

1. C:\Users\Admin\AppData\Local\Temp\4a1f2305b60236d5c00c871a92a9a693.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4a1f2305b60236d5c00c871a92a9a693.exe"
   PID: 1952
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\4a1f2305b60236d5c00c871a92a9a693.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\4a1f2305b60236d5c00c871a92a9a693.exe"
      PID: 2064 (child of 1952)
      - Suspicious behavior: EnumeratesProcesses
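The signature hits and the process tree together describe one technique: a parent that writes into, maps a section for, and sets the thread context of a child running its own image. The Python below is an added example, not part of the sandbox report, that correlates such cross-process API events into a hollowing finding. The event stream is constructed to mirror the report (PIDs 1952 and 2064, the same image path, four WriteProcessMemory calls, one SetThreadContext); the API names used as step markers and the tuple format are assumptions about how a sandbox or EDR export would look.

```python
"""Correlate cross-process API events into a process-hollowing finding.

Added example; the event stream is constructed to mirror the sandbox report
(not a real export) and the API names are assumptions about the telemetry.
"""
from collections import defaultdict

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\4a1f2305b60236d5c00c871a92a9a693.exe"

# Constructed events: (pid, api, target_pid). target_pid is None when the call
# is not cross-process. Ordered roughly as the signatures in the report.
SAMPLE_EVENTS = [
    (1952, "LoadLibraryW", None),              # "Loads dropped DLL"
    (1952, "NtMapViewOfSection", None),        # "MapViewOfSection" (pid-only in the report)
    (1952, "WriteProcessMemory", 2064),        # "WriteProcessMemory" x4
    (1952, "WriteProcessMemory", 2064),
    (1952, "WriteProcessMemory", 2064),
    (1952, "WriteProcessMemory", 2064),
    (1952, "SetThreadContext", 2064),          # "SetThreadContext"
    (2064, "NtQuerySystemInformation", None),  # "EnumeratesProcesses"
]
PROCESS_IMAGES = {1952: IMAGE, 2064: IMAGE}
PARENT_OF = {2064: 1952}

# API families that make up the hollowing sequence (assumed names).
STEP_APIS = {
    "write":   {"WriteProcessMemory", "NtWriteVirtualMemory"},
    "map":     {"NtMapViewOfSection", "MapViewOfSection"},
    "context": {"SetThreadContext", "NtSetContextThread"},
}


def find_hollowing(events, images, parent_of):
    """Return one finding per (source, target) pair that shows at least one
    memory write followed by a thread-context change into the same target.
    Same image name and a direct parent/child link raise the severity."""
    steps = defaultdict(set)        # (src, dst) -> {"write", "map", "context"}
    writes = defaultdict(int)       # (src, dst) -> number of write events
    for pid, api, target in events:
        if target is None or target == pid:
            continue                # only cross-process calls matter here
        for step, apis in STEP_APIS.items():
            if api in apis:
                steps[(pid, target)].add(step)
                if step == "write":
                    writes[(pid, target)] += 1

    findings = []
    for (src, dst), seen in steps.items():
        if "context" not in seen or "write" not in seen:
            continue                # need both a write and a context change
        indicators = sorted(seen)
        if parent_of.get(dst) == src:
            indicators.append("target-is-own-child")
        if images.get(src) is not None and images.get(src) == images.get(dst):
            indicators.append("same-image")
        severity = "high" if {"same-image", "target-is-own-child"} <= set(indicators) else "medium"
        findings.append({
            "source": src,
            "target": dst,
            "write_count": writes[(src, dst)],
            "indicators": indicators,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(SAMPLE_EVENTS, PROCESS_IMAGES, PARENT_OF):
        print(f)
```

The rule deliberately ignores the pid-only MapViewOfSection hit and the DLL load: neither is cross-process, so neither can tie 1952 to 2064 on its own. What makes this case high-severity is that the write and the context change land in a freshly spawned copy of the same executable.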
Network
MITRE ATT&CK Enterprise v6
Downloads

\Users\Admin\AppData\Local\Temp\nsg8AF1.tmp\wrhedcmv.dll
  MD5: 40755d4adf9071e160bb3918c0475100
  SHA1: 0267456c7f0071be51272af2e952a7f28a5f6c5c
  SHA256: 3ae448f0c4e9df7bb0d60ddb2825007a69e1208df0543d2de95e27408c908c57
  SHA512: 6215a33c68d78d9c330dc8b3d962d9317678b3571f81d8dde02de145db7750c86429d6a8284d5f864e0817905bf34568e8b93ed7c615f90b18e359b59d10d727
  Note: a randomly named DLL under a %TEMP%\nsXXXX.tmp directory is the plugin layout an NSIS installer unpacks at run time, which matches the "Loads dropped DLL" signature on PID 1952.

memory/2064-116-0x000000000041D450-mapping.dmp

memory/2064-117-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB

memory/2064-118-0x0000000000A30000-0x0000000000D50000-memory.dmp
  Filesize: 3.1MB

The mapping dump address 0x41D450 lies inside the 0x400000-0x429000 region of PID 2064, which is the region the xloader YARA rule matched; the 3.1MB region at 0xA30000 is a separate allocation in the same process.