Analysis
- max time kernel: 300s
- max time network: 300s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 27-09-2021 05:07
Static task: static1
Behavioral task: behavioral1
- Sample: loader1.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: loader1.exe
- Resource: win10v20210408
General
- Target: loader1.exe
- Size: 253KB
- MD5: 196ef716e51eb90f7ffcfd2219ce1d5e
- SHA1: 3c5d438cb3dee2b0474ea45be67069db184e26bb
- SHA256: c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb
- SHA512: e303bd36a6cd409bf146b0716a52c50ab5069b3dd513303a8c63c1494013450e5a84ee0bf7eb5d7396946080f57ef08275e09326bc2bd3fc80f94f911e872759
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: m0np
C2: http://www.devmedicalcentre.com/m0np/
Decoy domains:
gruppovimar.com
seniordatingtv.com
pinpinyouqian.website
retreatreflectreplenish.com
baby-handmade.store
econsupplies.com
helloaustinpodcast.com
europe-lodging.com
ferahanaokulu.com
thehomeinspo.com
rawhoneytnpasumo6.xyz
tyckasei.quest
scissorsandbuffer.com
jatinvestmentsmaldives.com
softandcute.store
afuturemakerspromotions.online
leonsigntech.com
havetheshortscovered.com
cvkf.email
iplyyu.com
motphimz.net
slimmerpage.com
fifthbelle.com
moneybagsinfinity.com
architettoaroma.com
rio-script.com
millieandmaude.net
pvinayak.com
nyctattoing.com
fermanfood.com
medardlake.com
40acgidd.com
mrbrianalba.com
110bao.com
shguitong.com
why5mkt.com
diptv.xyz
gotbn-a01.com
rene-weise.com
meltaluminum.com
tobiasqbrown.com
eiqor.com
bnabd.com
painubloc.com
bofoz.com
maxicashprogtq.xyz
probinns.com
yourroddays1.xyz
friedmantrusts.com
patrianilancamentos.com
cetpa.solutions
fengxiaowangluo.com
zkimax.com
bibberyhills.com
colegiodeltaaps.com
fraternitybrand.com
codemais.net
ohayouwww.com
keenflat.com
devvabaek.com
rouxbylarease.online
hongyuyinji.com
cybersecurity-andorra.online
zs4.info
Signatures
-
Xloader Payload 4 IoCs
resource | yara_rule
behavioral2/memory/996-115-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/996-116-0x000000000041D450-mapping.dmp | xloader
behavioral2/memory/376-122-0x0000000002FB0000-0x0000000002FD9000-memory.dmp | xloader
behavioral2/memory/1200-133-0x000000000041D450-mapping.dmp | xloader
-
Executes dropped EXE 2 IoCs
Processes: itsdv4vlzj8ft.exe
pid | process
3036 | itsdv4vlzj8ft.exe
1200 | itsdv4vlzj8ft.exe
-
Loads dropped DLL 2 IoCs
Processes: loader1.exe, itsdv4vlzj8ft.exe
pid | process
900 | loader1.exe
3036 | itsdv4vlzj8ft.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: colorcpl.exe
description | ioc | process
Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | colorcpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DXRHVXIXNDL = "C:\\Program Files (x86)\\K8ptdkzi\\itsdv4vlzj8ft.exe" | colorcpl.exe
-
Suspicious use of SetThreadContext 4 IoCs
Processes: loader1.exe, colorcpl.exe, itsdv4vlzj8ft.exe
description | pid | process | target process
PID 900 set thread context of 996 | 900 | loader1.exe | loader1.exe
PID 996 set thread context of 3024 | 996 | loader1.exe | Explorer.EXE
PID 376 set thread context of 3024 | 376 | colorcpl.exe | Explorer.EXE
PID 3036 set thread context of 1200 | 3036 | itsdv4vlzj8ft.exe | itsdv4vlzj8ft.exe
-
Drops file in Program Files directory 4 IoCs
Processes: colorcpl.exe, Explorer.EXE
description | ioc | process
File opened for modification | C:\Program Files (x86)\K8ptdkzi\itsdv4vlzj8ft.exe | colorcpl.exe
File opened for modification | C:\Program Files (x86)\K8ptdkzi | Explorer.EXE
File created | C:\Program Files (x86)\K8ptdkzi\itsdv4vlzj8ft.exe | Explorer.EXE
File opened for modification | C:\Program Files (x86)\K8ptdkzi\itsdv4vlzj8ft.exe | Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 6 IoCs
resource | yara_rule
C:\Program Files (x86)\K8ptdkzi\itsdv4vlzj8ft.exe | nsis_installer_1
C:\Program Files (x86)\K8ptdkzi\itsdv4vlzj8ft.exe | nsis_installer_2
C:\Program Files (x86)\K8ptdkzi\itsdv4vlzj8ft.exe | nsis_installer_1
C:\Program Files (x86)\K8ptdkzi\itsdv4vlzj8ft.exe | nsis_installer_2
C:\Program Files (x86)\K8ptdkzi\itsdv4vlzj8ft.exe | nsis_installer_1
C:\Program Files (x86)\K8ptdkzi\itsdv4vlzj8ft.exe | nsis_installer_2
-
Modifies Internet Explorer settings
Processes: colorcpl.exe
description | ioc | process
Key created | \Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | colorcpl.exe
-
Modifies registry class 2 IoCs
Processes: Explorer.EXE
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | Explorer.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: loader1.exe, colorcpl.exe
pid | process | occurrences
996 | loader1.exe | 4
376 | colorcpl.exe | 60
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid | process
3024 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 7 IoCs
Processes: loader1.exe, colorcpl.exe
pid | process | occurrences
996 | loader1.exe | 3
376 | colorcpl.exe | 4
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes: loader1.exe, colorcpl.exe, Explorer.EXE, itsdv4vlzj8ft.exe
description | pid | process | occurrences
Token: SeDebugPrivilege | 996 | loader1.exe | 1
Token: SeDebugPrivilege | 376 | colorcpl.exe | 1
Token: SeShutdownPrivilege | 3024 | Explorer.EXE | 6
Token: SeCreatePagefilePrivilege | 3024 | Explorer.EXE | 6
Token: SeDebugPrivilege | 1200 | itsdv4vlzj8ft.exe | 1
-
Suspicious use of FindShellTrayWindow 8 IoCs
Processes: Explorer.EXE
pid | process | occurrences
3024 | Explorer.EXE | 8
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes: loader1.exe, Explorer.EXE, colorcpl.exe, itsdv4vlzj8ft.exe
description | pid | process | target process | occurrences
PID 900 wrote to memory of 996 | 900 | loader1.exe | loader1.exe | 6
PID 3024 wrote to memory of 376 | 3024 | Explorer.EXE | colorcpl.exe | 3
PID 376 wrote to memory of 1152 | 376 | colorcpl.exe | cmd.exe | 3
PID 376 wrote to memory of 2696 | 376 | colorcpl.exe | Firefox.exe | 2
PID 3024 wrote to memory of 3036 | 3024 | Explorer.EXE | itsdv4vlzj8ft.exe | 3
PID 3036 wrote to memory of 1200 | 3036 | itsdv4vlzj8ft.exe | itsdv4vlzj8ft.exe | 6
PID 376 wrote to memory of 2696 | 376 | colorcpl.exe | Firefox.exe | 1
Processes
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\loader1.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\loader1.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\loader1.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\loader1.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\colorcpl.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\colorcpl.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\loader1.exe"
    - C:\Program Files\Mozilla Firefox\Firefox.exe (depth 3)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
  - C:\Program Files (x86)\K8ptdkzi\itsdv4vlzj8ft.exe (depth 2)
    Command line: "C:\Program Files (x86)\K8ptdkzi\itsdv4vlzj8ft.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\K8ptdkzi\itsdv4vlzj8ft.exe (depth 3)
      Command line: "C:\Program Files (x86)\K8ptdkzi\itsdv4vlzj8ft.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Program Files (x86)\K8ptdkzi\itsdv4vlzj8ft.exe
  MD5: 196ef716e51eb90f7ffcfd2219ce1d5e
  SHA1: 3c5d438cb3dee2b0474ea45be67069db184e26bb
  SHA256: c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb
  SHA512: e303bd36a6cd409bf146b0716a52c50ab5069b3dd513303a8c63c1494013450e5a84ee0bf7eb5d7396946080f57ef08275e09326bc2bd3fc80f94f911e872759
- C:\Users\Admin\AppData\Local\Temp\oxp407vczottn
  MD5: ac7a35a54ad3d34e18ee939ea1678e21
  SHA1: 5a673519a148588580d76db26f72bfecfddedf24
  SHA256: bb46faeb56bad25dba83768bbbb1f91a57c535b2aad86ce6d1253b8dfedd8f3e
  SHA512: 1140fef1699b9bf4a8d1f4a04a55f33aab019008259776babb973169ede9031c37ee3c0da0567d634c2563a687332624040ae9b6e48367805eb0f06363ecc3c1
- \Users\Admin\AppData\Local\Temp\nsh81DE.tmp\wkpnpsjabyz.dll
  MD5: cceb1c08032a04804191f34f7e070d5d
  SHA1: 7a6628b4b164874e61a034b17b669631dc3d7eb7
  SHA256: eed96b31d0af300135ddd50ba8274b31d7902564bcb5c84224e5d1b2e357aaae
  SHA512: e5ac48d0d422dc53133c15a1e8029cdf500186096b253e9893568410a20dfe25301e897db2b1cf902e2d1c85cde0309b1e4ac2c9b7cdeed5c41f1af472c23467
- \Users\Admin\AppData\Local\Temp\nsm55ED.tmp\wkpnpsjabyz.dll
  MD5: cceb1c08032a04804191f34f7e070d5d
  SHA1: 7a6628b4b164874e61a034b17b669631dc3d7eb7
  SHA256: eed96b31d0af300135ddd50ba8274b31d7902564bcb5c84224e5d1b2e357aaae
  SHA512: e5ac48d0d422dc53133c15a1e8029cdf500186096b253e9893568410a20dfe25301e897db2b1cf902e2d1c85cde0309b1e4ac2c9b7cdeed5c41f1af472c23467
- memory/376-121-0x00000000003B0000-0x00000000003C9000-memory.dmp
  Filesize: 100KB
- memory/376-122-0x0000000002FB0000-0x0000000002FD9000-memory.dmp
  Filesize: 164KB
- memory/376-120-0x0000000000000000-mapping.dmp
- memory/376-124-0x00000000048A0000-0x0000000004BC0000-memory.dmp
  Filesize: 3.1MB
- memory/376-125-0x0000000004790000-0x0000000004820000-memory.dmp
  Filesize: 576KB
- memory/996-117-0x0000000000B80000-0x0000000000EA0000-memory.dmp
  Filesize: 3.1MB
- memory/996-118-0x00000000006D0000-0x00000000006E1000-memory.dmp
  Filesize: 68KB
- memory/996-116-0x000000000041D450-mapping.dmp
- memory/996-115-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/1152-123-0x0000000000000000-mapping.dmp
- memory/1200-133-0x000000000041D450-mapping.dmp
- memory/1200-135-0x0000000000A80000-0x0000000000DA0000-memory.dmp
  Filesize: 3.1MB
- memory/2696-136-0x0000000000000000-mapping.dmp
- memory/2696-138-0x0000025A041E0000-0x0000025A0427E000-memory.dmp
  Filesize: 632KB
- memory/2696-137-0x00007FF639090000-0x00007FF639123000-memory.dmp
  Filesize: 588KB
- memory/3024-126-0x0000000004DA0000-0x0000000004EAE000-memory.dmp
  Filesize: 1.1MB
- memory/3024-119-0x0000000006C10000-0x0000000006D3E000-memory.dmp
  Filesize: 1.2MB
- memory/3036-127-0x0000000000000000-mapping.dmp