Analysis
-
max time kernel
117s -
max time network
120s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
26-09-2021 23:30
Static task
static1
General
-
Target
c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb.exe
-
Size
253KB
-
MD5
196ef716e51eb90f7ffcfd2219ce1d5e
-
SHA1
3c5d438cb3dee2b0474ea45be67069db184e26bb
-
SHA256
c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb
-
SHA512
e303bd36a6cd409bf146b0716a52c50ab5069b3dd513303a8c63c1494013450e5a84ee0bf7eb5d7396946080f57ef08275e09326bc2bd3fc80f94f911e872759
Malware Config
Extracted
xloader
2.5
m0np
http://www.devmedicalcentre.com/m0np/
gruppovimar.com
seniordatingtv.com
pinpinyouqian.website
retreatreflectreplenish.com
baby-handmade.store
econsupplies.com
helloaustinpodcast.com
europe-lodging.com
ferahanaokulu.com
thehomeinspo.com
rawhoneytnpasumo6.xyz
tyckasei.quest
scissorsandbuffer.com
jatinvestmentsmaldives.com
softandcute.store
afuturemakerspromotions.online
leonsigntech.com
havetheshortscovered.com
cvkf.email
iplyyu.com
motphimz.net
slimmerpage.com
fifthbelle.com
moneybagsinfinity.com
architettoaroma.com
rio-script.com
millieandmaude.net
pvinayak.com
nyctattoing.com
fermanfood.com
medardlake.com
40acgidd.com
mrbrianalba.com
110bao.com
shguitong.com
why5mkt.com
diptv.xyz
gotbn-a01.com
rene-weise.com
meltaluminum.com
tobiasqbrown.com
eiqor.com
bnabd.com
painubloc.com
bofoz.com
maxicashprogtq.xyz
probinns.com
yourroddays1.xyz
friedmantrusts.com
patrianilancamentos.com
cetpa.solutions
fengxiaowangluo.com
zkimax.com
bibberyhills.com
colegiodeltaaps.com
fraternitybrand.com
codemais.net
ohayouwww.com
keenflat.com
devvabaek.com
rouxbylarease.online
hongyuyinji.com
cybersecurity-andorra.online
zs4.info
Signatures
-
Xloader Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/2312-116-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral1/memory/2312-117-0x000000000041D450-mapping.dmp xloader -
Loads dropped DLL 1 IoCs
Processes:
c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb.exepid process 2068 c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb.exedescription pid process target process PID 2068 set thread context of 2312 2068 c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb.exe c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb.exepid process 2312 c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb.exe 2312 c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb.exedescription pid process target process PID 2068 wrote to memory of 2312 2068 c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb.exe c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb.exe PID 2068 wrote to memory of 2312 2068 c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb.exe c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb.exe PID 2068 wrote to memory of 2312 2068 c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb.exe c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb.exe PID 2068 wrote to memory of 2312 2068 c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb.exe c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb.exe PID 2068 wrote to memory of 2312 2068 c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb.exe c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb.exe PID 2068 wrote to memory of 2312 2068 c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb.exe c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb.exe"C:\Users\Admin\AppData\Local\Temp\c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb.exe"C:\Users\Admin\AppData\Local\Temp\c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nsm8CE5.tmp\wkpnpsjabyz.dllMD5
cceb1c08032a04804191f34f7e070d5d
SHA17a6628b4b164874e61a034b17b669631dc3d7eb7
SHA256eed96b31d0af300135ddd50ba8274b31d7902564bcb5c84224e5d1b2e357aaae
SHA512e5ac48d0d422dc53133c15a1e8029cdf500186096b253e9893568410a20dfe25301e897db2b1cf902e2d1c85cde0309b1e4ac2c9b7cdeed5c41f1af472c23467
-
memory/2312-116-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2312-117-0x000000000041D450-mapping.dmp
-
memory/2312-118-0x00000000009B0000-0x0000000000CD0000-memory.dmpFilesize
3.1MB