Analysis
max time kernel: 150s
max time network: 152s
platform: windows10_x64
resource: win10-en-20210920
submitted: 23-09-2021 21:09
Static task: static1
Behavioral task: behavioral1
Sample: HSBC94302,pdf.exe
Resource: win7-en-20210920
General
Target: HSBC94302,pdf.exe
Size: 255KB
MD5: f074678a2c588e8741918098804e2a54
SHA1: 8f6ece4353671a76abea3621a1ae05886bfd181c
SHA256: fa76022bffd0d6d87ad3baab7b9839f0b172ce1ccd264759d88e9df1a77291f1
SHA512: 21092cf587641e2f00758b98629c086f3d04aa9ef1da4b095c5d98764d57e8ed90ec947e9787fad7dce2a2dddd0444cb3def5c5ea500e43ad081c764f5e888f2
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: dhua
C2: http://www.segurosramosroman.com/dhua/
Decoy domains: 64 entries
Signatures

Xloader Payload (3 IoCs)
Processes:
  resource                                                                       yara_rule
  behavioral2/memory/4176-116-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
  behavioral2/memory/4176-117-0x000000000041D4E0-mapping.dmp                     xloader
  behavioral2/memory/8-123-0x0000000000500000-0x0000000000529000-memory.dmp      xloader

Loads dropped DLL (1 IoCs)
Processes:
  pid   process
  3704  HSBC94302,pdf.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description                           pid   process            target process
  PID 3704 set thread context of 4176   3704  HSBC94302,pdf.exe  HSBC94302,pdf.exe
  PID 4176 set thread context of 3048   4176  HSBC94302,pdf.exe  Explorer.EXE
  PID 8 set thread context of 3048      8     cmd.exe            Explorer.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes:
  pid   process
  4176  HSBC94302,pdf.exe  (4 entries)
  8     cmd.exe            (all remaining entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid   process
  3048  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
  pid   process
  4176  HSBC94302,pdf.exe  (3 entries)
  8     cmd.exe            (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   4176  HSBC94302,pdf.exe
  Token: SeDebugPrivilege   8     cmd.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                        pid   process            target process
  PID 3704 wrote to memory of 4176   3704  HSBC94302,pdf.exe  HSBC94302,pdf.exe  (6 entries)
  PID 3048 wrote to memory of 8      3048  Explorer.EXE       cmd.exe            (3 entries)
  PID 8 wrote to memory of 2096      8     cmd.exe            cmd.exe            (3 entries)
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\HSBC94302,pdf.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\HSBC94302,pdf.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\HSBC94302,pdf.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\HSBC94302,pdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\autoconv.exe
    command line: "C:\Windows\SysWOW64\autoconv.exe"

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\SysWOW64\cmd.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\HSBC94302,pdf.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\Users\Admin\AppData\Local\Temp\nsl89D8.tmp\injpp.dll
MD5: 52230408da822ac77450b0e11c41d28d
SHA1: 7c5394bb747a4a6fea18955e1da878cd87a7e86a
SHA256: 7318f7a1bb662ba2d27530ec87866144ac7a0532a642a27e1924987e498af153
SHA512: fae0a23cb2e3bcecaca88307c1584462645db1c7fab08fc9327419fdae533e213e5968604d7ea49b4705f62c29824e171bb004b9ae426bff3aa7ae0dd4079ef1

memory/8-121-0x0000000000000000-mapping.dmp
memory/8-126-0x0000000000C60000-0x0000000000CF0000-memory.dmp    Filesize: 576KB
memory/8-125-0x0000000000D90000-0x00000000010B0000-memory.dmp    Filesize: 3.1MB
memory/8-123-0x0000000000500000-0x0000000000529000-memory.dmp    Filesize: 164KB
memory/8-122-0x00000000012A0000-0x00000000012F9000-memory.dmp    Filesize: 356KB
memory/2096-124-0x0000000000000000-mapping.dmp
memory/3048-120-0x0000000002400000-0x00000000024D7000-memory.dmp    Filesize: 860KB
memory/3048-127-0x0000000005750000-0x00000000057EE000-memory.dmp    Filesize: 632KB
memory/4176-119-0x0000000000600000-0x0000000000611000-memory.dmp    Filesize: 68KB
memory/4176-118-0x0000000000A40000-0x0000000000D60000-memory.dmp    Filesize: 3.1MB
memory/4176-117-0x000000000041D4E0-mapping.dmp
memory/4176-116-0x0000000000400000-0x0000000000429000-memory.dmp    Filesize: 164KB