Analysis
- max time kernel: 123s
- max time network: 43s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 21-09-2021 20:11
- Static task: static1
- Behavioral task: behavioral1
- Sample: 259c7a6403af1553ed0436fbf9e592b8.exe
- Resource: win7v20210408
General
- Target: 259c7a6403af1553ed0436fbf9e592b8.exe
- Size: 262KB
- MD5: 259c7a6403af1553ed0436fbf9e592b8
- SHA1: b0aa55e4f8a14c48f844a3e90e9ba74e476fe0de
- SHA256: 64c00be3d0bc5f000ee6d2d6d49e72c9e9f36090f19b7f9620ff0993a0e84025
- SHA512: e48738b38934fb0f8c94f9f81d8448e610ab02d0819897e7be66d082154828681d9603c51d5dffd7224c2d9d1df35c97f70056df20b73a665447318d576cee37
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: m0np
- C2: http://www.devmedicalcentre.com/m0np/
- Domains:
  - gruppovimar.com
  - seniordatingtv.com
  - pinpinyouqian.website
  - retreatreflectreplenish.com
  - baby-handmade.store
  - econsupplies.com
  - helloaustinpodcast.com
  - europe-lodging.com
  - ferahanaokulu.com
  - thehomeinspo.com
  - rawhoneytnpasumo6.xyz
  - tyckasei.quest
  - scissorsandbuffer.com
  - jatinvestmentsmaldives.com
  - softandcute.store
  - afuturemakerspromotions.online
  - leonsigntech.com
  - havetheshortscovered.com
  - cvkf.email
  - iplyyu.com
  - motphimz.net
  - slimmerpage.com
  - fifthbelle.com
  - moneybagsinfinity.com
  - architettoaroma.com
  - rio-script.com
  - millieandmaude.net
  - pvinayak.com
  - nyctattoing.com
  - fermanfood.com
  - medardlake.com
  - 40acgidd.com
  - mrbrianalba.com
  - 110bao.com
  - shguitong.com
  - why5mkt.com
  - diptv.xyz
  - gotbn-a01.com
  - rene-weise.com
  - meltaluminum.com
  - tobiasqbrown.com
  - eiqor.com
  - bnabd.com
  - painubloc.com
  - bofoz.com
  - maxicashprogtq.xyz
  - probinns.com
  - yourroddays1.xyz
  - friedmantrusts.com
  - patrianilancamentos.com
  - cetpa.solutions
  - fengxiaowangluo.com
  - zkimax.com
  - bibberyhills.com
  - colegiodeltaaps.com
  - fraternitybrand.com
  - codemais.net
  - ohayouwww.com
  - keenflat.com
  - devvabaek.com
  - rouxbylarease.online
  - hongyuyinji.com
  - cybersecurity-andorra.online
  - zs4.info
Signatures
Xloader Payload 1 IoCs
Processes:
- resource: behavioral1/memory/1912-62-0x0000000000400000-0x0000000000429000-memory.dmp, yara_rule: xloader
Loads dropped DLL 1 IoCs
Processes:
- pid: 1632, process: 259c7a6403af1553ed0436fbf9e592b8.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
- description: PID 1632 set thread context of 1912, pid: 1632, process: 259c7a6403af1553ed0436fbf9e592b8.exe, target process: 259c7a6403af1553ed0436fbf9e592b8.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
- pid: 1912, process: 259c7a6403af1553ed0436fbf9e592b8.exe
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
- pid: 1632, process: 259c7a6403af1553ed0436fbf9e592b8.exe
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
- description: PID 1632 wrote to memory of 1912, pid: 1632, process: 259c7a6403af1553ed0436fbf9e592b8.exe, target process: 259c7a6403af1553ed0436fbf9e592b8.exe
- description: PID 1632 wrote to memory of 1912, pid: 1632, process: 259c7a6403af1553ed0436fbf9e592b8.exe, target process: 259c7a6403af1553ed0436fbf9e592b8.exe
- description: PID 1632 wrote to memory of 1912, pid: 1632, process: 259c7a6403af1553ed0436fbf9e592b8.exe, target process: 259c7a6403af1553ed0436fbf9e592b8.exe
- description: PID 1632 wrote to memory of 1912, pid: 1632, process: 259c7a6403af1553ed0436fbf9e592b8.exe, target process: 259c7a6403af1553ed0436fbf9e592b8.exe
- description: PID 1632 wrote to memory of 1912, pid: 1632, process: 259c7a6403af1553ed0436fbf9e592b8.exe, target process: 259c7a6403af1553ed0436fbf9e592b8.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\259c7a6403af1553ed0436fbf9e592b8.exe (PID: 1632), command line: "C:\Users\Admin\AppData\Local\Temp\259c7a6403af1553ed0436fbf9e592b8.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\259c7a6403af1553ed0436fbf9e592b8.exe (PID: 1912), command line: "C:\Users\Admin\AppData\Local\Temp\259c7a6403af1553ed0436fbf9e592b8.exe"
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsgC31.tmp\zghj.dll
  - MD5: 232cae5eddd5fae3327da010858e3065
  - SHA1: eef27ff768dafd59901ff338fc77ab31bcdb3ba2
  - SHA256: 60a6cb735a0b35c181fdee04ecd7f0c83078a5549043071c7b9881bc2cc2d328
  - SHA512: d4336d92b23a088e99a17e03ace46ba69a87bbcc5182c8e91e35e5e5f5f90f9c6fcb6f89bc404d81e95d16411af330ecbeed53a0dc8f83d01ce27fa5fe38ef2c
- memory/1632-59-0x0000000075041000-0x0000000075043000-memory.dmp (Filesize: 8KB)
- memory/1912-61-0x000000000041D450-mapping.dmp
- memory/1912-62-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/1912-63-0x0000000000930000-0x0000000000C33000-memory.dmp (Filesize: 3.0MB)