Analysis
Max time kernel: 126s
Max time network: 153s
Platform: windows7_x64
Resource: win7v20210408
Submitted: 23-09-2021 06:23
Static task: static1
Behavioral task: behavioral1
  Sample: 62c72f781d7001dff6d747ee91e33e32.exe
  Resource: win7v20210408
General
Target: 62c72f781d7001dff6d747ee91e33e32.exe
Size: 262KB
MD5: 62c72f781d7001dff6d747ee91e33e32
SHA1: ed9fb1d769fd4655a335884d26875758fe67433c
SHA256: 990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d
SHA512: 2b4e491681ddeebbf0eadb0f86923cedd6bc22c168c33aaa0363069df317a6bf5bde74f614abc97dde35185aa8f1f8fd5c0340a4b4c509fdf3f1837bbfb6473d
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign ID: m0np
C2: http://www.devmedicalcentre.com/m0np/
Decoy domains:
gruppovimar.com
seniordatingtv.com
pinpinyouqian.website
retreatreflectreplenish.com
baby-handmade.store
econsupplies.com
helloaustinpodcast.com
europe-lodging.com
ferahanaokulu.com
thehomeinspo.com
rawhoneytnpasumo6.xyz
tyckasei.quest
scissorsandbuffer.com
jatinvestmentsmaldives.com
softandcute.store
afuturemakerspromotions.online
leonsigntech.com
havetheshortscovered.com
cvkf.email
iplyyu.com
motphimz.net
slimmerpage.com
fifthbelle.com
moneybagsinfinity.com
architettoaroma.com
rio-script.com
millieandmaude.net
pvinayak.com
nyctattoing.com
fermanfood.com
medardlake.com
40acgidd.com
mrbrianalba.com
110bao.com
shguitong.com
why5mkt.com
diptv.xyz
gotbn-a01.com
rene-weise.com
meltaluminum.com
tobiasqbrown.com
eiqor.com
bnabd.com
painubloc.com
bofoz.com
maxicashprogtq.xyz
probinns.com
yourroddays1.xyz
friedmantrusts.com
patrianilancamentos.com
cetpa.solutions
fengxiaowangluo.com
zkimax.com
bibberyhills.com
colegiodeltaaps.com
fraternitybrand.com
codemais.net
ohayouwww.com
keenflat.com
devvabaek.com
rouxbylarease.online
hongyuyinji.com
cybersecurity-andorra.online
zs4.info
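The extracted configuration above is most useful turned into a matcher for proxy or DNS logs. The following is an added example, not part of the sandbox report or any XLoader tooling. It assumes (as a labelled assumption, not something this report shows) that the sample issues requests to the decoy domains using the same campaign path it uses for the real C2, so a hit on `<decoy>/m0np/` is attributed to this sample while ordinary traffic to a decoy host, which is typically a legitimate site, is only noted. The decoy list is abbreviated and the proxy log lines are constructed.

```python
"""Turn the extracted XLoader configuration into a matcher for proxy logs.
Added example, not part of the report. Assumption: the sample beacons to
the decoy domains with the same campaign path it uses for the real C2."""
from urllib.parse import urlsplit

CONFIG = {  # values from the Malware Config section; decoy list abbreviated
    "family": "xloader",
    "version": "2.5",
    "campaign": "m0np",
    "c2": "http://www.devmedicalcentre.com/m0np/",
    "decoys": ["gruppovimar.com", "seniordatingtv.com", "pinpinyouqian.website",
               "cybersecurity-andorra.online", "zs4.info"],
}


def _host_key(host):
    """Normalise a hostname so www.example.com and example.com compare equal."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def build_classifier(cfg):
    c2 = urlsplit(cfg["c2"])
    c2_host = _host_key(c2.hostname)
    campaign_path = c2.path                      # "/m0np/"
    decoys = {_host_key(d) for d in cfg["decoys"]}

    def classify(url):
        u = urlsplit(url)
        host = _host_key(u.hostname)
        on_path = u.path.startswith(campaign_path)
        if host == c2_host:
            return "c2" if on_path else "c2-host-other-path"
        if host in decoys:
            # Decoy hosts are mostly legitimate sites; only the campaign
            # path is a strong indicator, the bare host is not.
            return "decoy" if on_path else "decoy-host-other-path"
        return "unrelated"
    return classify


# Constructed proxy log lines: "<timestamp> <client> <method> <url>"
PROXY_LOG = """
2021-09-23T06:24:01Z 10.0.0.5 GET http://www.devmedicalcentre.com/m0np/?n=abc
2021-09-23T06:24:02Z 10.0.0.5 POST http://www.gruppovimar.com/m0np/
2021-09-23T06:24:03Z 10.0.0.9 GET https://zs4.info/index.html
2021-09-23T06:24:04Z 10.0.0.9 GET https://example.org/m0np/
"""


def scan_log(text, cfg):
    """Return (client, verdict, url) for every line that touches a
    configured host; unrelated traffic is dropped."""
    classify = build_classifier(cfg)
    results = []
    for line in text.strip().splitlines():
        _ts, client, _method, url = line.split(maxsplit=3)
        verdict = classify(url)
        if verdict != "unrelated":
            results.append((client, verdict, url))
    return results


if __name__ == "__main__":
    for client, verdict, url in scan_log(PROXY_LOG, CONFIG):
        print(f"{client:10} {verdict:22} {url}")
```

Because the decoy hosts are real third-party sites, blocking them outright causes collateral damage; matching on host plus the campaign path keeps the alert tied to this sample's traffic pattern.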
Signatures

Xloader Payload (2 IoCs)
Memory regions of PID 1636 matching the xloader YARA rule:
  behavioral1/memory/1636-62-0x0000000000400000-0x0000000000429000-memory.dmp  rule: xloader
  behavioral1/memory/1636-63-0x000000000041D450-mapping.dmp  rule: xloader

Loads dropped DLL (1 IoC)
  PID 1660  62c72f781d7001dff6d747ee91e33e32.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 1660 (62c72f781d7001dff6d747ee91e33e32.exe) set thread context of PID 1636 (62c72f781d7001dff6d747ee91e33e32.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox tags this as likely ransomware behaviour, but the heuristic is generic: the extracted configuration identifies the sample as XLoader, an information stealer, and nothing else in this report shows file encryption.

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 1636  62c72f781d7001dff6d747ee91e33e32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  PID 1660 (62c72f781d7001dff6d747ee91e33e32.exe) wrote to memory of PID 1636 (62c72f781d7001dff6d747ee91e33e32.exe); 7 identical events.

Read together, the WriteProcessMemory, SetThreadContext and YARA signatures are consistent with process hollowing: the first instance (PID 1660) starts a second copy of itself (PID 1636), writes into it, and redirects a thread with SetThreadContext; the XLoader payload and the process enumeration are then observed in the child.
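The two injection signatures above are more useful when correlated than when read one at a time: a memory write on its own is common, but a write followed by a SetThreadContext call against the same child is the hollowing pattern. The following is an added example, not part of the sandbox report; it parses event rows laid out like the report's "description / pid / process / target process" columns and reports each parent-child pair that saw both actions. The event lines are constructed to mirror this report (two of the seven writes are reproduced, plus one unrelated write-only pair as a control).

```python
"""Detect the process-hollowing pattern recorded in the Signatures section:
one process writes into another's memory (WriteProcessMemory) and then
resets a thread in it (SetThreadContext). Added example, not part of the
report; the event lines are constructed to mirror its rows."""
import re
from collections import defaultdict

# Constructed sample, same column layout as the report:
#   description | pid | process | target process
EVENTS = """
PID 1660 wrote to memory of 1636 1660 62c72f781d7001dff6d747ee91e33e32.exe 62c72f781d7001dff6d747ee91e33e32.exe
PID 1660 wrote to memory of 1636 1660 62c72f781d7001dff6d747ee91e33e32.exe 62c72f781d7001dff6d747ee91e33e32.exe
PID 1660 set thread context of 1636 1660 62c72f781d7001dff6d747ee91e33e32.exe 62c72f781d7001dff6d747ee91e33e32.exe
PID 4000 wrote to memory of 4100 4000 installer.exe helper.exe
"""

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_events(text):
    """Turn the flattened rows into dicts; rows that do not match are ignored."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["src"], e["dst"] = int(e["src"]), int(e["dst"])
            events.append(e)
    return events


def find_hollowing(events):
    """Return one record per (parent, child) pair that saw both a memory
    write and a SetThreadContext call. Pairs with writes only (the
    installer/helper rows above) are not reported: writes alone are far
    too common to alert on."""
    writes = defaultdict(int)
    context_set = set()
    images = {}
    for e in events:
        key = (e["src"], e["dst"])
        images[key] = (e["src_img"], e["dst_img"])
        if e["action"].startswith("wrote"):
            writes[key] += 1
        else:
            context_set.add(key)
    hits = []
    for key in sorted(context_set):
        if writes[key]:
            src_img, dst_img = images[key]
            hits.append({
                "parent": key[0],
                "child": key[1],
                "writes": writes[key],
                # Same image on both sides: the sample hollowed a copy of itself.
                "self_copy": src_img == dst_img,
            })
    return hits


if __name__ == "__main__":
    for hit in find_hollowing(parse_events(EVENTS)):
        print(hit)
```

The `self_copy` flag is the detail worth surfacing in an alert: a process hollowing a fresh instance of its own image, as here, is a much narrower behaviour than generic cross-process writes.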
Processes

C:\Users\Admin\AppData\Local\Temp\62c72f781d7001dff6d747ee91e33e32.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\62c72f781d7001dff6d747ee91e33e32.exe"
  PID 1660 (per the signatures above)
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Child:
  C:\Users\Admin\AppData\Local\Temp\62c72f781d7001dff6d747ee91e33e32.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\62c72f781d7001dff6d747ee91e33e32.exe"
    PID 1636
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\Users\Admin\AppData\Local\Temp\nsq1AC1.tmp\ojcwnasg.dll
  MD5: a1c31e0436d00eb00481b5c0f39fa849
  SHA1: 1c71dc6fb7b93c99722dba7deee53dda9e19f5a5
  SHA256: 856362062f444906aa7cce79dab2727d9fbcdfc3d6ac5241819c1586d3693f8b
  SHA512: 466bbf168192502b718eca1e83f5120e4b144f77754ac276b577ec7cddd30dd93c3a3465e1e6ff9db0884cf4c3ca9a62867a9522dd88f20cf93200be3287768b
  An ns<hex>.tmp directory under %TEMP% is where an NSIS installer extracts its plugin DLLs, so the sample is an NSIS-packaged dropper; this is the only dropped DLL in the report and therefore the one the "Loads dropped DLL" signature on PID 1660 refers to.

memory/1636-62-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB

memory/1636-63-0x000000000041D450-mapping.dmp

memory/1636-64-0x0000000000910000-0x0000000000C13000-memory.dmp
  Filesize: 3.0MB

memory/1660-60-0x00000000762C1000-0x00000000762C3000-memory.dmp
  Filesize: 8KB
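The memory-dump names encode the PID and the address range of each region, which lets a reader verify the listed sizes and place the single-address mapping dump relative to the payload region. The following is an added example, not part of the sandbox report. It assumes the naming scheme visible above (`memory/<pid>-<seq>-0x<start>[-0x<end>]-<memory|mapping>.dmp`) and that Filesize is rendered 1024-based with whole KB below 1 MB and one decimal above, which is what the listed values work out to; it treats the mapping dump simply as an address inside PID 1636 and reads nothing more into it than the report states.

```python
"""Parse the memory-dump names in the Downloads section and cross-check
them: the bounds encoded in each name must reproduce the listed Filesize,
and the single-address mapping dump must fall inside one of the dumped
regions of the same PID. Added example, not part of the report."""
import re

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)

# Names and sizes exactly as listed in this report's Downloads section.
DUMPS = [
    ("memory/1636-62-0x0000000000400000-0x0000000000429000-memory.dmp", "164KB"),
    ("memory/1636-63-0x000000000041D450-mapping.dmp", None),
    ("memory/1636-64-0x0000000000910000-0x0000000000C13000-memory.dmp", "3.0MB"),
    ("memory/1660-60-0x00000000762C1000-0x00000000762C3000-memory.dmp", "8KB"),
]


def parse_dump_name(name):
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "kind": m["kind"],
        "start": start,
        "end": end,
        "size": (end - start) if end is not None else None,
    }


def human_size(nbytes):
    """Render a byte count the way the report lists Filesize (assumed
    1024-based: whole KB below 1 MB, one decimal above)."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def size_mismatches(dumps):
    """Return (name, computed, listed) for every region whose bounds do not
    reproduce the listed Filesize; an empty list means the table is consistent."""
    bad = []
    for name, listed in dumps:
        d = parse_dump_name(name)
        if d["size"] is None or listed is None:
            continue
        computed = human_size(d["size"])
        if computed != listed:
            bad.append((name, computed, listed))
    return bad


def locate_mappings(dumps):
    """For each mapping dump, find the region dump of the same PID that
    contains its address and return (mapping, region, offset_in_region)."""
    parsed = [(name, parse_dump_name(name)) for name, _ in dumps]
    found = []
    for mname, m in parsed:
        if m["kind"] != "mapping":
            continue
        for rname, r in parsed:
            if (r["kind"] == "memory" and r["pid"] == m["pid"]
                    and r["start"] <= m["start"] < r["end"]):
                found.append((mname, rname, m["start"] - r["start"]))
    return found


if __name__ == "__main__":
    print("size mismatches:", size_mismatches(DUMPS))
    for mapping, region, off in locate_mappings(DUMPS):
        print(f"{mapping} lies at +0x{off:X} inside {region}")
```

For this report the check passes: 0x429000 - 0x400000 = 0x29000 bytes (164 KB), 0xC13000 - 0x910000 = 0x303000 bytes (3.0 MB), 0x762C3000 - 0x762C1000 = 8 KB, and the mapping address 0x41D450 sits at offset 0x1D450 inside the 0x400000 region that carries the XLoader YARA hit.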