Analysis
max time kernel: 73s
max time network: 76s
platform: windows10_x64
resource: win10v20210408
submitted: 23-09-2021 18:18
Static task: static1

General
Target: e777ad1dca2df7e7c9b06832349f82e10af2259f68b0f855b10899fae8a29e7a.exe
Size: 256KB
MD5: 5ca262d947bc9ae36f5adcc8e29d170d
SHA1: d2a942058386c631b7f53a055768a6ac9852d1af
SHA256: e777ad1dca2df7e7c9b06832349f82e10af2259f68b0f855b10899fae8a29e7a
SHA512: 8fc417879c493879514cea3bc936c9a817568a35eccb7b7766f83a6327eb1a97ab5904af76ee7e393d6529f158f279d56410079faa8188e45bcab714bb384055
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: m0np
C2: http://www.devmedicalcentre.com/m0np/
Signatures

Xloader Payload (2 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/864-115-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
  behavioral1/memory/864-116-0x000000000041D450-mapping.dmp                     xloader

Loads dropped DLL (1 IoC)
Processes:
  pid   process
  636   e777ad1dca2df7e7c9b06832349f82e10af2259f68b0f855b10899fae8a29e7a.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process                                                                   target process
  PID 636 set thread context of 864    636   e777ad1dca2df7e7c9b06832349f82e10af2259f68b0f855b10899fae8a29e7a.exe   e777ad1dca2df7e7c9b06832349f82e10af2259f68b0f855b10899fae8a29e7a.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  864   e777ad1dca2df7e7c9b06832349f82e10af2259f68b0f855b10899fae8a29e7a.exe
  864   e777ad1dca2df7e7c9b06832349f82e10af2259f68b0f855b10899fae8a29e7a.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                       pid   process                                                                   target process
  PID 636 wrote to memory of 864    636   e777ad1dca2df7e7c9b06832349f82e10af2259f68b0f855b10899fae8a29e7a.exe   e777ad1dca2df7e7c9b06832349f82e10af2259f68b0f855b10899fae8a29e7a.exe
  PID 636 wrote to memory of 864    636   e777ad1dca2df7e7c9b06832349f82e10af2259f68b0f855b10899fae8a29e7a.exe   e777ad1dca2df7e7c9b06832349f82e10af2259f68b0f855b10899fae8a29e7a.exe
  PID 636 wrote to memory of 864    636   e777ad1dca2df7e7c9b06832349f82e10af2259f68b0f855b10899fae8a29e7a.exe   e777ad1dca2df7e7c9b06832349f82e10af2259f68b0f855b10899fae8a29e7a.exe
  PID 636 wrote to memory of 864    636   e777ad1dca2df7e7c9b06832349f82e10af2259f68b0f855b10899fae8a29e7a.exe   e777ad1dca2df7e7c9b06832349f82e10af2259f68b0f855b10899fae8a29e7a.exe
  PID 636 wrote to memory of 864    636   e777ad1dca2df7e7c9b06832349f82e10af2259f68b0f855b10899fae8a29e7a.exe   e777ad1dca2df7e7c9b06832349f82e10af2259f68b0f855b10899fae8a29e7a.exe
  PID 636 wrote to memory of 864    636   e777ad1dca2df7e7c9b06832349f82e10af2259f68b0f855b10899fae8a29e7a.exe   e777ad1dca2df7e7c9b06832349f82e10af2259f68b0f855b10899fae8a29e7a.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\e777ad1dca2df7e7c9b06832349f82e10af2259f68b0f855b10899fae8a29e7a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e777ad1dca2df7e7c9b06832349f82e10af2259f68b0f855b10899fae8a29e7a.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\e777ad1dca2df7e7c9b06832349f82e10af2259f68b0f855b10899fae8a29e7a.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\e777ad1dca2df7e7c9b06832349f82e10af2259f68b0f855b10899fae8a29e7a.exe"
      - Suspicious behavior: EnumeratesProcesses
Downloads

\Users\Admin\AppData\Local\Temp\nsk627F.tmp\wkzjhxmxqy.dll
MD5: ebc8401ae6d5bc99d4863ff597589162
SHA1: 63a939c2bd9a0ff69436207d333fcf20624b4dde
SHA256: 3ca853a062094c294fd1c277dd37fab54b78fe8e679bc79ed28595eaae9c9848
SHA512: 979df0e6e4570edf85dcc26fda797f7ca67cbe47ec8fc0a22d231d5ca81a859f6fcd07504a4f54c13afb8e99ad409585e127c1f929d6253273f8fd336ec34836

memory/864-115-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize: 164KB

memory/864-116-0x000000000041D450-mapping.dmp

memory/864-117-0x0000000000970000-0x0000000000C90000-memory.dmp
Filesize: 3.1MB