Analysis
  max time kernel:  316s
  max time network: 300s
  platform:         windows7_x64
  resource:         win7-en-20210920
  submitted:        27-09-2021 03:23
  Static task:      static1
  Behavioral task:  behavioral1
  Sample:           1bbc9d68daddfbdb240d292ad00c3a50.exe
  Resource:         win7-en-20210920
General
  Target: 1bbc9d68daddfbdb240d292ad00c3a50.exe
  Size:   778KB
  MD5:    1bbc9d68daddfbdb240d292ad00c3a50
  SHA1:   5a3a7e4891e4e24c5d3dacd58fcc6b8ccc02cda5
  SHA256: f35e37b873cb4bee71eab9a5caa6bc7bcb592d84b7924e83ec00a5c9058eb03b
  SHA512: a8350519a5b25b9b9dc09daccea215cf616dfb9cbd2770de9ec11fd91667e32358b6abb22d2f1451c88d3ddaa4e1a847e42dfa834f112fe60240651d330919f5
Malware Config
  Extracted
  Family:   xloader
  Version:  2.3
  Campaign: utrf
  C2:       http://www.xiaohe-jiankang.com/utrf/
Signatures

Xloader Payload (2 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/1036-60-0x0000000000400000-0x0000000000428000-memory.dmp  xloader
  behavioral1/memory/1036-61-0x000000000041D030-mapping.dmp                    xloader

Suspicious use of SetThreadContext (1 IoC)
  description                          pid  process                               target process
  PID 612 set thread context of 1036   612  1bbc9d68daddfbdb240d292ad00c3a50.exe  1bbc9d68daddfbdb240d292ad00c3a50.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  1036  1bbc9d68daddfbdb240d292ad00c3a50.exe
  1800  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   process
  Token: SeDebugPrivilege  1800  powershell.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  description                      pid  process                               target process                        count
  PID 612 wrote to memory of 1800  612  1bbc9d68daddfbdb240d292ad00c3a50.exe  powershell.exe                        4
  PID 612 wrote to memory of 1036  612  1bbc9d68daddfbdb240d292ad00c3a50.exe  1bbc9d68daddfbdb240d292ad00c3a50.exe  7
Processes

1. C:\Users\Admin\AppData\Local\Temp\1bbc9d68daddfbdb240d292ad00c3a50.exe (PID 612)
   command line: "C:\Users\Admin\AppData\Local\Temp\1bbc9d68daddfbdb240d292ad00c3a50.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1800)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1bbc9d68daddfbdb240d292ad00c3a50.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Users\Admin\AppData\Local\Temp\1bbc9d68daddfbdb240d292ad00c3a50.exe (PID 1036)
      command line: "C:\Users\Admin\AppData\Local\Temp\1bbc9d68daddfbdb240d292ad00c3a50.exe"
      - Suspicious behavior: EnumeratesProcesses
Downloads (memory dumps)
  file                                                              size
  memory/612-53-0x00000000009F0000-0x00000000009F1000-memory.dmp    4KB
  memory/612-55-0x0000000000590000-0x00000000005AD000-memory.dmp    116KB
  memory/612-56-0x0000000004C70000-0x0000000004C71000-memory.dmp    4KB
  memory/612-57-0x0000000004FF0000-0x0000000005055000-memory.dmp    404KB
  memory/612-58-0x0000000002170000-0x00000000021A5000-memory.dmp    212KB
  memory/1036-60-0x0000000000400000-0x0000000000428000-memory.dmp   160KB
  memory/1036-61-0x000000000041D030-mapping.dmp                     -
  memory/1036-64-0x0000000000AC0000-0x0000000000DC3000-memory.dmp   3.0MB
  memory/1800-59-0x0000000000000000-mapping.dmp                     -
  memory/1800-62-0x0000000075651000-0x0000000075653000-memory.dmp   8KB
  memory/1800-63-0x0000000002370000-0x0000000002371000-memory.dmp   4KB
  memory/1800-65-0x0000000002371000-0x0000000002372000-memory.dmp   4KB
  memory/1800-66-0x0000000002372000-0x0000000002374000-memory.dmp   8KB