Analysis
- max time kernel: 96s
- max time network: 98s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 23-09-2021 19:46
- Static task: static1
General
- Target: 6724b4abaf05bc011ee266d499d2eecadd61a305cd0a8e3c099193a3b9323a3c.exe
- Size: 252KB
- MD5: 0efbf49197257609b692c8579c7c15cd
- SHA1: 5390a1eb61e84c9d546178e7c43a810c309f9013
- SHA256: 6724b4abaf05bc011ee266d499d2eecadd61a305cd0a8e3c099193a3b9323a3c
- SHA512: 823c648b4a3a196d98446ca9c5177cbd8ac0c753e372daf789ca8f6b3848344160b859de9e0a353d252a37b112abe30f8f5e0a28ceae6da61d47928f80c19a1c
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: 9gdg
- C2: http://www.dechocolate.online/9gdg/
Signatures
-
Xloader Payload (2 IoCs)
Processes:
  resource: behavioral1/memory/356-115-0x0000000000400000-0x0000000000429000-memory.dmp, yara_rule: xloader
  resource: behavioral1/memory/356-116-0x000000000041D4A0-mapping.dmp, yara_rule: xloader
Loads dropped DLL (1 IoC)
Processes:
  pid 808, process 6724b4abaf05bc011ee266d499d2eecadd61a305cd0a8e3c099193a3b9323a3c.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 808 set thread context of 356; process 6724b4abaf05bc011ee266d499d2eecadd61a305cd0a8e3c099193a3b9323a3c.exe, target process 6724b4abaf05bc011ee266d499d2eecadd61a305cd0a8e3c099193a3b9323a3c.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid 356, process 6724b4abaf05bc011ee266d499d2eecadd61a305cd0a8e3c099193a3b9323a3c.exe
  pid 356, process 6724b4abaf05bc011ee266d499d2eecadd61a305cd0a8e3c099193a3b9323a3c.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 808 wrote to memory of 356; process 6724b4abaf05bc011ee266d499d2eecadd61a305cd0a8e3c099193a3b9323a3c.exe, target process 6724b4abaf05bc011ee266d499d2eecadd61a305cd0a8e3c099193a3b9323a3c.exe (6 identical events recorded)
Processes
- (1) C:\Users\Admin\AppData\Local\Temp\6724b4abaf05bc011ee266d499d2eecadd61a305cd0a8e3c099193a3b9323a3c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6724b4abaf05bc011ee266d499d2eecadd61a305cd0a8e3c099193a3b9323a3c.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - (2) C:\Users\Admin\AppData\Local\Temp\6724b4abaf05bc011ee266d499d2eecadd61a305cd0a8e3c099193a3b9323a3c.exe (child of 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\6724b4abaf05bc011ee266d499d2eecadd61a305cd0a8e3c099193a3b9323a3c.exe"
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsv65CA.tmp\iynunsqb.dll
  MD5: fdb24702ac3d38f586aa0343d71ba1d5
  SHA1: 662c61e11802ae875d864c6b8002ecfa5d7872f1
  SHA256: e2bd42815d0ad61ad0f55056b9e78939a025f8b63c204afbf1ea1abf64adb71c
  SHA512: 26a86d2a7c7a4ef06e562e8cf2a40fd343b721539ef1808de6e1c6fa75a3bd1e2e3b85542aad76264792e776439e9dd1fe4fc282dee7a32948e2caa03a8e7051
- memory/356-115-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/356-116-0x000000000041D4A0-mapping.dmp
- memory/356-117-0x0000000000970000-0x0000000000C90000-memory.dmp
  Filesize: 3.1MB