Analysis
- max time kernel: 84s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 23-09-2021 00:51
- Static task: static1

General
- Target: 990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d.exe
- Size: 262KB
- MD5: 62c72f781d7001dff6d747ee91e33e32
- SHA1: ed9fb1d769fd4655a335884d26875758fe67433c
- SHA256: 990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d
- SHA512: 2b4e491681ddeebbf0eadb0f86923cedd6bc22c168c33aaa0363069df317a6bf5bde74f614abc97dde35185aa8f1f8fd5c0340a4b4c509fdf3f1837bbfb6473d
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign ID: m0np
- C2: http://www.devmedicalcentre.com/m0np/
- Decoy domains (64, listed below). Xloader, like its Formbook predecessor, embeds one real C2 URL together with a fixed list of decoy domains and beacons to the real C2 plus a random subset of the decoys. The C2 URL above is the high-confidence indicator; the domains below are mostly legitimate sites used as cover and should be treated as low-confidence, not block-listed wholesale.
gruppovimar.com
seniordatingtv.com
pinpinyouqian.website
retreatreflectreplenish.com
baby-handmade.store
econsupplies.com
helloaustinpodcast.com
europe-lodging.com
ferahanaokulu.com
thehomeinspo.com
rawhoneytnpasumo6.xyz
tyckasei.quest
scissorsandbuffer.com
jatinvestmentsmaldives.com
softandcute.store
afuturemakerspromotions.online
leonsigntech.com
havetheshortscovered.com
cvkf.email
iplyyu.com
motphimz.net
slimmerpage.com
fifthbelle.com
moneybagsinfinity.com
architettoaroma.com
rio-script.com
millieandmaude.net
pvinayak.com
nyctattoing.com
fermanfood.com
medardlake.com
40acgidd.com
mrbrianalba.com
110bao.com
shguitong.com
why5mkt.com
diptv.xyz
gotbn-a01.com
rene-weise.com
meltaluminum.com
tobiasqbrown.com
eiqor.com
bnabd.com
painubloc.com
bofoz.com
maxicashprogtq.xyz
probinns.com
yourroddays1.xyz
friedmantrusts.com
patrianilancamentos.com
cetpa.solutions
fengxiaowangluo.com
zkimax.com
bibberyhills.com
colegiodeltaaps.com
fraternitybrand.com
codemais.net
ohayouwww.com
keenflat.com
devvabaek.com
rouxbylarease.online
hongyuyinji.com
cybersecurity-andorra.online
zs4.info
Signatures
- Xloader Payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/4000-115-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral1/memory/4000-116-0x000000000041D450-mapping.dmp | xloader
- Loads dropped DLL (1 IoC)
  pid | process
  504 | 990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 504 set thread context of 4000 | 504 | 990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d.exe | 990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this heuristic "likely ransomware behaviour", but it is generic: for a sample classified as Xloader (an information stealer) it is more plausibly drive enumeration, and nothing else in this report (no file-modification or note-drop signatures) supports a ransomware reading.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  4000 | 990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d.exe
  4000 | 990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | target process
  PID 504 wrote to memory of 4000 | 504 | 990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d.exe | 990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d.exe
  (this row is recorded 6 times; together with the SetThreadContext event above it is the classic pattern of a process writing a payload into a suspended child copy of itself and redirecting the child's thread, i.e. self-hollowing)
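Added example (not part of this Triage report): detection logic for the self-injection pattern the Signatures above record, namely the parent copy (PID 504) writing into the memory of a child running the same image (PID 4000) and then setting its thread context. It runs over a constructed event trace modelled on those tables plus some benign noise; the event field names, the MIN_WRITES threshold and the noise events are assumptions, not a real Triage or Sysmon schema.

```python
"""Flag WriteProcessMemory + SetThreadContext pairs between two processes.

Example code, not part of the sandbox report. The trace below is constructed
to mirror the report's Signatures tables (504 -> 4000, same image, six writes,
one thread-context change) and is not a real event log.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_EXE = (
    r"C:\Users\Admin\AppData\Local\Temp"
    r"\990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d.exe"
)


@dataclass(frozen=True)
class Event:
    op: str                      # create_process | write_memory | set_thread_context (assumed names)
    pid: int                     # acting process
    image: str                   # image path of the acting process
    target_pid: Optional[int] = None
    target_image: Optional[str] = None


# Constructed trace: the report's injection chain plus one benign cross-process write.
TRACE: List[Event] = [
    Event("create_process", 504, SAMPLE_EXE, 4000, SAMPLE_EXE),
    *[Event("write_memory", 504, SAMPLE_EXE, 4000, SAMPLE_EXE) for _ in range(6)],
    Event("set_thread_context", 504, SAMPLE_EXE, 4000, SAMPLE_EXE),
    # explorer writing once into notepad with no thread-context change: not flagged
    Event("write_memory", 1234, r"C:\Windows\explorer.exe",
          5678, r"C:\Windows\System32\notepad.exe"),
]

MIN_WRITES = 3  # assumption: minimum writes into one target before a context change counts


@dataclass(frozen=True)
class Finding:
    source_pid: int
    target_pid: int
    writes: int
    self_injection: bool  # same image on both sides: a copy of itself was hollowed


def detect_hollowing(events: List[Event], min_writes: int = MIN_WRITES) -> List[Finding]:
    """Return one Finding per (source, target) pair that wrote the target's memory
    at least `min_writes` times and also set one of its thread contexts.
    Event order is not enforced; a stricter rule would require the writes to
    precede the SetThreadContext, as in create-suspended / write / set / resume."""
    writes = defaultdict(int)
    context_changed = set()
    images = {}
    for e in events:
        if e.target_pid is None:
            continue
        key = (e.pid, e.target_pid)
        images[key] = (e.image, e.target_image or "")
        if e.op == "write_memory":
            writes[key] += 1
        elif e.op == "set_thread_context":
            context_changed.add(key)

    findings = []
    for key in sorted(context_changed):
        if writes[key] >= min_writes:
            src_img, dst_img = images[key]
            findings.append(Finding(key[0], key[1], writes[key],
                                    self_injection=(src_img.lower() == dst_img.lower())))
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(TRACE):
        kind = "self-hollowing" if f.self_injection else "remote injection"
        print(f"{kind}: PID {f.source_pid} -> PID {f.target_pid} ({f.writes} writes)")
```

The same-image test is what separates this sample's behaviour from ordinary remote injection into a system binary; in production the threshold and the image comparison should be tuned against your own baseline, since debuggers and some installers produce the same API pair.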
Processes
1. C:\Users\Admin\AppData\Local\Temp\990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d.exe (PID 504, per the signature tables)
   command line: "C:\Users\Admin\AppData\Local\Temp\990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. child: C:\Users\Admin\AppData\Local\Temp\990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d.exe (PID 4000, per the signature tables)
      command line: "C:\Users\Admin\AppData\Local\Temp\990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d.exe"
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsr42F0.tmp\ojcwnasg.dll
  MD5: a1c31e0436d00eb00481b5c0f39fa849
  SHA1: 1c71dc6fb7b93c99722dba7deee53dda9e19f5a5
  SHA256: 856362062f444906aa7cce79dab2727d9fbcdfc3d6ac5241819c1586d3693f8b
  SHA512: 466bbf168192502b718eca1e83f5120e4b144f77754ac276b577ec7cddd30dd93c3a3465e1e6ff9db0884cf4c3ca9a62867a9522dd88f20cf93200be3287768b
  (the ns????.tmp directory under %TEMP% is the extraction pattern of an NSIS installer, so the outer .exe is consistent with an NSIS wrapper whose plugin DLL loads the Xloader stage)
- memory/4000-115-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/4000-116-0x000000000041D450-mapping.dmp
- memory/4000-117-0x00000000009C0000-0x0000000000CE0000-memory.dmp
  Filesize: 3.1MB
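Added example (not part of this Triage report): a small parser for the dump resource names listed above, used to cross-check what the report states. The naming pattern "memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp" and "memory/<pid>-<seq>-0x<addr>-mapping.dmp" is inferred from the names on this page, and the KB/MB rendering is an assumption that is verified against the report's own figures; the names and sizes used as input are copied from the Downloads section.

```python
"""Parse Triage-style memory dump names and check sizes and containment.

Example code, not part of the report. Input names and reported sizes are
copied from the Downloads section; the name pattern and size rounding are
assumptions checked against those values.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Copied from the report's Downloads section.
REPORTED: Dict[str, str] = {
    "memory/4000-115-0x0000000000400000-0x0000000000429000-memory.dmp": "164KB",
    "memory/4000-117-0x00000000009C0000-0x0000000000CE0000-memory.dmp": "3.1MB",
}
MAPPING = "memory/4000-116-0x000000000041D450-mapping.dmp"

_REGION = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
_MAPPING = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-mapping\.dmp$")


@dataclass(frozen=True)
class Region:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


def parse_region(name: str) -> Region:
    m = _REGION.match(name)
    if not m:
        raise ValueError(f"not a memory region dump name: {name}")
    pid, seq, start, end = m.groups()
    return Region(int(pid), int(seq), int(start, 16), int(end, 16))


def parse_mapping(name: str) -> Tuple[int, int, int]:
    m = _MAPPING.match(name)
    if not m:
        raise ValueError(f"not a mapping dump name: {name}")
    pid, seq, addr = m.groups()
    return int(pid), int(seq), int(addr, 16)


def human_size(n: int) -> str:
    """Assumed rendering of the report's sizes: whole KiB below 1 MiB, else MiB to one decimal."""
    if n < (1 << 20):
        return f"{n // 1024}KB"
    return f"{n / (1 << 20):.1f}MB"


def check_dumps(reported: Dict[str, str], mapping: str) -> List[dict]:
    """For each region dump: its byte size, whether that matches the reported
    figure, whether the mapping address lies inside it, and whether it starts
    at 0x400000, the default image base of a 32-bit PE."""
    _, _, addr = parse_mapping(mapping)
    rows = []
    for name, size_txt in reported.items():
        r = parse_region(name)
        rows.append({
            "seq": r.seq,
            "size": r.size,
            "size_matches_report": human_size(r.size) == size_txt,
            "mapping_inside": r.contains(addr),
            "default_32bit_image_base": r.start == 0x400000,
        })
    return rows


if __name__ == "__main__":
    for row in check_dumps(REPORTED, MAPPING):
        print(row)
```

For this sample the 0x400000 region is 0x29000 bytes (164 KiB, matching the report) and contains the 0x41D450 mapping address, so the YARA-tagged payload image and the mapping record refer to the same allocation; the 3.1 MiB region at 0x9C0000 is a separate allocation the report does not tag with a rule.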