Analysis

max time kernel: 117s
max time network: 152s
platform: windows10_x64
resource: win10-en-20210920
submitted: 28-09-2021 07:13
Static task: static1
Behavioral task: behavioral1
Sample: fbaece4205ad6b13817946a0bdf13900.exe
Resource: win7v20210408
General

Target: fbaece4205ad6b13817946a0bdf13900.exe
Size: 260KB
MD5: fbaece4205ad6b13817946a0bdf13900
SHA1: 5a90df6971a60dc7f17bdd2f7ee35e041f3ee14b
SHA256: 31accabae2032a0fda8dd449182167521360e258df6ebd2316130399d910e990
SHA512: 3dea45a7d59261311cd4a27603b730e32dd29cb4679f762904c615aa09f2e099c536dd9892cda2de8714201411dc101e1dd73c3a76484127aa57bbca2e70751b
Malware Config
Extracted
xloader
2.5
m0np
http://www.devmedicalcentre.com/m0np/
gruppovimar.com
seniordatingtv.com
pinpinyouqian.website
retreatreflectreplenish.com
baby-handmade.store
econsupplies.com
helloaustinpodcast.com
europe-lodging.com
ferahanaokulu.com
thehomeinspo.com
rawhoneytnpasumo6.xyz
tyckasei.quest
scissorsandbuffer.com
jatinvestmentsmaldives.com
softandcute.store
afuturemakerspromotions.online
leonsigntech.com
havetheshortscovered.com
cvkf.email
iplyyu.com
motphimz.net
slimmerpage.com
fifthbelle.com
moneybagsinfinity.com
architettoaroma.com
rio-script.com
millieandmaude.net
pvinayak.com
nyctattoing.com
fermanfood.com
medardlake.com
40acgidd.com
mrbrianalba.com
110bao.com
shguitong.com
why5mkt.com
diptv.xyz
gotbn-a01.com
rene-weise.com
meltaluminum.com
tobiasqbrown.com
eiqor.com
bnabd.com
painubloc.com
bofoz.com
maxicashprogtq.xyz
probinns.com
yourroddays1.xyz
friedmantrusts.com
patrianilancamentos.com
cetpa.solutions
fengxiaowangluo.com
zkimax.com
bibberyhills.com
colegiodeltaaps.com
fraternitybrand.com
codemais.net
ohayouwww.com
keenflat.com
devvabaek.com
rouxbylarease.online
hongyuyinji.com
cybersecurity-andorra.online
zs4.info
Signatures

Xloader Payload (2 IoCs)
Processes:
  resource: behavioral2/memory/2404-116-0x0000000000400000-0x0000000000429000-memory.dmp  yara_rule: xloader
  resource: behavioral2/memory/2404-117-0x000000000041D450-mapping.dmp  yara_rule: xloader

Loads dropped DLL (1 IoCs)
Processes:
  pid: 2112  process: fbaece4205ad6b13817946a0bdf13900.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description: PID 2112 set thread context of 2404  pid: 2112  process: fbaece4205ad6b13817946a0bdf13900.exe  target process: fbaece4205ad6b13817946a0bdf13900.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid: 2404  process: fbaece4205ad6b13817946a0bdf13900.exe
  pid: 2404  process: fbaece4205ad6b13817946a0bdf13900.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description: PID 2112 wrote to memory of 2404  pid: 2112  process: fbaece4205ad6b13817946a0bdf13900.exe  target process: fbaece4205ad6b13817946a0bdf13900.exe
  description: PID 2112 wrote to memory of 2404  pid: 2112  process: fbaece4205ad6b13817946a0bdf13900.exe  target process: fbaece4205ad6b13817946a0bdf13900.exe
  description: PID 2112 wrote to memory of 2404  pid: 2112  process: fbaece4205ad6b13817946a0bdf13900.exe  target process: fbaece4205ad6b13817946a0bdf13900.exe
  description: PID 2112 wrote to memory of 2404  pid: 2112  process: fbaece4205ad6b13817946a0bdf13900.exe  target process: fbaece4205ad6b13817946a0bdf13900.exe
  description: PID 2112 wrote to memory of 2404  pid: 2112  process: fbaece4205ad6b13817946a0bdf13900.exe  target process: fbaece4205ad6b13817946a0bdf13900.exe
  description: PID 2112 wrote to memory of 2404  pid: 2112  process: fbaece4205ad6b13817946a0bdf13900.exe  target process: fbaece4205ad6b13817946a0bdf13900.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\fbaece4205ad6b13817946a0bdf13900.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fbaece4205ad6b13817946a0bdf13900.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\fbaece4205ad6b13817946a0bdf13900.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\fbaece4205ad6b13817946a0bdf13900.exe"
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\Users\Admin\AppData\Local\Temp\nsc9959.tmp\iwhlrzyfkva.dll
MD5: 7bbc8a60fde970a12ab12018708b2014
SHA1: 101c1e0c7ab4341db608895153628db9202fc05b
SHA256: 20534b6c0ec991ba4aa2add53cee1f0c69344b2d3a5f3451595e2ffa335e123c
SHA512: 91eb09c7636e880ec3f785ca8da558c32ee4bcf769b74f166eb542dfea9fd6dfc6514d274b4e5327cb554ef3e9a655526e30e374a86ff08b8d8ee2808c1d380e

memory/2404-116-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize: 164KB

memory/2404-117-0x000000000041D450-mapping.dmp

memory/2404-118-0x0000000000970000-0x0000000000C90000-memory.dmp
Filesize: 3.1MB