Analysis
max time kernel: 112s
max time network: 116s
platform: windows10_x64
resource: win10-en-20210920
submitted: 27-09-2021 09:10
Static task: static1
Behavioral task: behavioral1
Sample: 196ef716e51eb90f7ffcfd2219ce1d5e.exe
Resource: win7v20210408
General
Target: 196ef716e51eb90f7ffcfd2219ce1d5e.exe
Size: 253KB
MD5: 196ef716e51eb90f7ffcfd2219ce1d5e
SHA1: 3c5d438cb3dee2b0474ea45be67069db184e26bb
SHA256: c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb
SHA512: e303bd36a6cd409bf146b0716a52c50ab5069b3dd513303a8c63c1494013450e5a84ee0bf7eb5d7396946080f57ef08275e09326bc2bd3fc80f94f911e872759
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: m0np
C2: http://www.devmedicalcentre.com/m0np/
Signatures

Xloader Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/3628-117-0x000000000041D450-mapping.dmp | xloader
  behavioral2/memory/3628-116-0x0000000000400000-0x0000000000429000-memory.dmp | xloader

Loads dropped DLL (1 IoC)
  pid | process
  3716 | 196ef716e51eb90f7ffcfd2219ce1d5e.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 3716 set thread context of 3628 | 3716 | 196ef716e51eb90f7ffcfd2219ce1d5e.exe | 196ef716e51eb90f7ffcfd2219ce1d5e.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  3628 | 196ef716e51eb90f7ffcfd2219ce1d5e.exe
  3628 | 196ef716e51eb90f7ffcfd2219ce1d5e.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | target process
  PID 3716 wrote to memory of 3628 | 3716 | 196ef716e51eb90f7ffcfd2219ce1d5e.exe | 196ef716e51eb90f7ffcfd2219ce1d5e.exe
  PID 3716 wrote to memory of 3628 | 3716 | 196ef716e51eb90f7ffcfd2219ce1d5e.exe | 196ef716e51eb90f7ffcfd2219ce1d5e.exe
  PID 3716 wrote to memory of 3628 | 3716 | 196ef716e51eb90f7ffcfd2219ce1d5e.exe | 196ef716e51eb90f7ffcfd2219ce1d5e.exe
  PID 3716 wrote to memory of 3628 | 3716 | 196ef716e51eb90f7ffcfd2219ce1d5e.exe | 196ef716e51eb90f7ffcfd2219ce1d5e.exe
  PID 3716 wrote to memory of 3628 | 3716 | 196ef716e51eb90f7ffcfd2219ce1d5e.exe | 196ef716e51eb90f7ffcfd2219ce1d5e.exe
  PID 3716 wrote to memory of 3628 | 3716 | 196ef716e51eb90f7ffcfd2219ce1d5e.exe | 196ef716e51eb90f7ffcfd2219ce1d5e.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\196ef716e51eb90f7ffcfd2219ce1d5e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\196ef716e51eb90f7ffcfd2219ce1d5e.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\196ef716e51eb90f7ffcfd2219ce1d5e.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\196ef716e51eb90f7ffcfd2219ce1d5e.exe"
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\Users\Admin\AppData\Local\Temp\nsw98EB.tmp\wkpnpsjabyz.dll
  MD5: cceb1c08032a04804191f34f7e070d5d
  SHA1: 7a6628b4b164874e61a034b17b669631dc3d7eb7
  SHA256: eed96b31d0af300135ddd50ba8274b31d7902564bcb5c84224e5d1b2e357aaae
  SHA512: e5ac48d0d422dc53133c15a1e8029cdf500186096b253e9893568410a20dfe25301e897db2b1cf902e2d1c85cde0309b1e4ac2c9b7cdeed5c41f1af472c23467

memory/3628-117-0x000000000041D450-mapping.dmp

memory/3628-116-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB

memory/3628-118-0x0000000000A10000-0x0000000000D30000-memory.dmp
  Filesize: 3.1MB