Analysis
- max time kernel: 301s
- max time network: 301s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 29-09-2021 03:10
- Static task: static1
- Behavioral task: behavioral1
- Sample: QUOTE_PRICE_REQUEST.exe
- Resource: win7v20210408
General
- Target: QUOTE_PRICE_REQUEST.exe
- Size: 252KB
- MD5: 48043c9a21d0547478331c1613660595
- SHA1: 9985a65e0aa690308454632223393d8d18a1c744
- SHA256: 75772375acbcfb6cb668fc2449671a6a83afe1434184ac7c01fd895825fcf5e6
- SHA512: 408613c89266eedf165e465e6021880cb4e2db943bec88d068db954ee23f80b55445fd9fd66f42f08924a93fa11f25e343c8f654c7cc2918efa09b00570294db
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: m6rs
- C2: http://www.litediv.com/m6rs/
- Decoy domains:
globalsovereignbank.com
ktnrape.xyz
churchybulletin.com
ddyla.com
imatge.cat
iwholesalestore.com
cultivapro.club
ibcfcl.com
refurbisheddildo.com
killerinktnpasumo4.xyz
mdphotoart.com
smi-ity.com
stanprolearningcenter.com
companyintelapp.com
tacticarc.com
soolls.com
gra68.net
cedricettori.digital
mossobuy.com
way2liv.com
j9b.xyz
bmfgi.com
gargantua-traiteur.com
tavolabread.com
neoplus-create.com
tracks-clicks.com
santsp.com
tokusa-f.com
yardparx.online
seinvestments-sg.com
elegantbrushes.net
restaurantemachupicchu.com
ha0313.com
dock7rods.com
emphatictrifles.com
onefunline.top
caulsshop.com
kittyol.com
thehealthyheifer.net
plotmyplot.com
leewaysvcs.com
eur86.com
lightsinwall.com
jiankangkyw.com
travilent.com
dvaccounts.com
wittyon.com
tommywoodenski.com
dividendoylibertad.com
aqscksw.com
familiapena2475.com
australianmeatandwine.com
leading.delivery
giftcards2you.com
bethlehemsmith.com
osterparrots.com
getignore.com
joyandsatisfy.club
sanibelislandhomesearch.com
smedivision.com
kitcycle.com
hills-renta.com
brownbeargraphics.com
46sheridan.com
Signatures
-
Xloader Payload 4 IoCs
Processes (resource | yara_rule):
- behavioral2/memory/864-115-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
- behavioral2/memory/864-116-0x000000000041D3D0-mapping.dmp | xloader
- behavioral2/memory/616-122-0x00000000008D0000-0x00000000008F9000-memory.dmp | xloader
- behavioral2/memory/3148-133-0x000000000041D3D0-mapping.dmp | xloader
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\OFUDRZZHOL6 = "C:\\Program Files (x86)\\Z8p8tit\\0zhhzlp2u8ft.exe" | help.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | help.exe
-
Executes dropped EXE 2 IoCs
Processes (pid | process):
- 1268 | 0zhhzlp2u8ft.exe
- 3148 | 0zhhzlp2u8ft.exe
-
Loads dropped DLL 2 IoCs
Processes (pid | process):
- 636 | QUOTE_PRICE_REQUEST.exe
- 1268 | 0zhhzlp2u8ft.exe
-
Suspicious use of SetThreadContext 4 IoCs
Processes (description | pid | process | target process):
- PID 636 set thread context of 864 | 636 | QUOTE_PRICE_REQUEST.exe | QUOTE_PRICE_REQUEST.exe
- PID 864 set thread context of 3052 | 864 | QUOTE_PRICE_REQUEST.exe | Explorer.EXE
- PID 616 set thread context of 3052 | 616 | help.exe | Explorer.EXE
- PID 1268 set thread context of 3148 | 1268 | 0zhhzlp2u8ft.exe | 0zhhzlp2u8ft.exe
-
Drops file in Program Files directory 4 IoCs
Processes (description | ioc | process):
- File opened for modification | C:\Program Files (x86)\Z8p8tit\0zhhzlp2u8ft.exe | help.exe
- File opened for modification | C:\Program Files (x86)\Z8p8tit | Explorer.EXE
- File created | C:\Program Files (x86)\Z8p8tit\0zhhzlp2u8ft.exe | Explorer.EXE
- File opened for modification | C:\Program Files (x86)\Z8p8tit\0zhhzlp2u8ft.exe | Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 6 IoCs
Processes (resource | yara_rule):
- C:\Program Files (x86)\Z8p8tit\0zhhzlp2u8ft.exe | nsis_installer_1
- C:\Program Files (x86)\Z8p8tit\0zhhzlp2u8ft.exe | nsis_installer_2
- C:\Program Files (x86)\Z8p8tit\0zhhzlp2u8ft.exe | nsis_installer_1
- C:\Program Files (x86)\Z8p8tit\0zhhzlp2u8ft.exe | nsis_installer_2
- C:\Program Files (x86)\Z8p8tit\0zhhzlp2u8ft.exe | nsis_installer_1
- C:\Program Files (x86)\Z8p8tit\0zhhzlp2u8ft.exe | nsis_installer_2
-
Modifies Internet Explorer settings 1 IoCs
Processes (description | ioc | process):
- Key created | \Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | help.exe
-
Modifies registry class 2 IoCs
Processes (description | ioc | process):
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | Explorer.EXE
- Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | Explorer.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid | process):
- 864 | QUOTE_PRICE_REQUEST.exe (4 entries)
- 616 | help.exe (58 entries)
- 3148 | 0zhhzlp2u8ft.exe (2 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid | process):
- 3052 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 7 IoCs
Processes (pid | process):
- 864 | QUOTE_PRICE_REQUEST.exe (3 entries)
- 616 | help.exe (4 entries)
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
Processes (description | pid | process):
- Token: SeDebugPrivilege | 864 | QUOTE_PRICE_REQUEST.exe
- Token: SeDebugPrivilege | 616 | help.exe
- Token: SeShutdownPrivilege | 3052 | Explorer.EXE (8 entries, alternating with the next row)
- Token: SeCreatePagefilePrivilege | 3052 | Explorer.EXE (8 entries)
- Token: SeDebugPrivilege | 3148 | 0zhhzlp2u8ft.exe
-
Suspicious use of FindShellTrayWindow 8 IoCs
Processes (pid | process):
- 3052 | Explorer.EXE (8 entries)
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes (description | pid | process | target process):
- PID 636 wrote to memory of 864 | 636 | QUOTE_PRICE_REQUEST.exe | QUOTE_PRICE_REQUEST.exe (6 entries)
- PID 3052 wrote to memory of 616 | 3052 | Explorer.EXE | help.exe (3 entries)
- PID 616 wrote to memory of 1120 | 616 | help.exe | cmd.exe (3 entries)
- PID 616 wrote to memory of 824 | 616 | help.exe | Firefox.exe (2 entries)
- PID 3052 wrote to memory of 1268 | 3052 | Explorer.EXE | 0zhhzlp2u8ft.exe (3 entries)
- PID 1268 wrote to memory of 3148 | 1268 | 0zhhzlp2u8ft.exe | 0zhhzlp2u8ft.exe (6 entries)
- PID 616 wrote to memory of 824 | 616 | help.exe | Firefox.exe (1 entry)
Processes
-
- [1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\QUOTE_PRICE_REQUEST.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\QUOTE_PRICE_REQUEST.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\QUOTE_PRICE_REQUEST.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\QUOTE_PRICE_REQUEST.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\help.exe
    command line: "C:\Windows\SysWOW64\help.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\QUOTE_PRICE_REQUEST.exe"
    - [3] C:\Program Files\Mozilla Firefox\Firefox.exe
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
  - [2] C:\Program Files (x86)\Z8p8tit\0zhhzlp2u8ft.exe
    command line: "C:\Program Files (x86)\Z8p8tit\0zhhzlp2u8ft.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - [3] C:\Program Files (x86)\Z8p8tit\0zhhzlp2u8ft.exe
      command line: "C:\Program Files (x86)\Z8p8tit\0zhhzlp2u8ft.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Z8p8tit\0zhhzlp2u8ft.exe (3 identical entries)
  MD5: 48043c9a21d0547478331c1613660595
  SHA1: 9985a65e0aa690308454632223393d8d18a1c744
  SHA256: 75772375acbcfb6cb668fc2449671a6a83afe1434184ac7c01fd895825fcf5e6
  SHA512: 408613c89266eedf165e465e6021880cb4e2db943bec88d068db954ee23f80b55445fd9fd66f42f08924a93fa11f25e343c8f654c7cc2918efa09b00570294db
-
C:\Users\Admin\AppData\Local\Temp\th19982acu
  MD5: 1c6b09fb0644c6df432a098c2fd13fe9
  SHA1: ea0972772fc86209e8b3ea7fe83e053aa54d339a
  SHA256: 2678c4bbb08d2bb52156db1b66e528c44bb18d212f077dcc28675f73435eda7b
  SHA512: 5538a3a3353ea736bff0aa2993c88f8551fd5d1dec9fa679a69b7ce70f0f236e6734cd6dd6d49586d8a33b93fd4ec8e3cb79e461b4acc192a33e6e98ed4cbad5
-
\Users\Admin\AppData\Local\Temp\nsj61F2.tmp\vogxk.dll
  MD5: 1fea91e3debf7c3115cd97b8be64da57
  SHA1: dc1fd88108a94cea7d802f9e8ab20c8d120c7602
  SHA256: fae6a3048e91247206a42ee5f9261b9602afc2bd7fd8665f5a08b82c517a1789
  SHA512: 76357d24719d57f73b39fa3418897e90a817fdea4f54f588cc7958baeefa0028310b8a94b08627d45fd1a4f7a5a63b54a470bc02ccd24bbcf3f6df4a7039a850
-
\Users\Admin\AppData\Local\Temp\nsrD62E.tmp\vogxk.dll
  MD5: 1fea91e3debf7c3115cd97b8be64da57
  SHA1: dc1fd88108a94cea7d802f9e8ab20c8d120c7602
  SHA256: fae6a3048e91247206a42ee5f9261b9602afc2bd7fd8665f5a08b82c517a1789
  SHA512: 76357d24719d57f73b39fa3418897e90a817fdea4f54f588cc7958baeefa0028310b8a94b08627d45fd1a4f7a5a63b54a470bc02ccd24bbcf3f6df4a7039a850
-
Memory dumps (name | file size):
- memory/616-124-0x00000000031A0000-0x00000000034C0000-memory.dmp | 3.1MB
- memory/616-125-0x0000000003090000-0x0000000003120000-memory.dmp | 576KB
- memory/616-121-0x0000000000910000-0x0000000000917000-memory.dmp | 28KB
- memory/616-122-0x00000000008D0000-0x00000000008F9000-memory.dmp | 164KB
- memory/616-120-0x0000000000000000-mapping.dmp
- memory/824-137-0x00007FF7B2F80000-0x00007FF7B3013000-memory.dmp | 588KB
- memory/824-136-0x0000000000000000-mapping.dmp
- memory/824-138-0x0000018AD2770000-0x0000018AD2806000-memory.dmp | 600KB
- memory/864-118-0x00000000006E0000-0x00000000006F1000-memory.dmp | 68KB
- memory/864-117-0x0000000000B40000-0x0000000000E60000-memory.dmp | 3.1MB
- memory/864-116-0x000000000041D3D0-mapping.dmp
- memory/864-115-0x0000000000400000-0x0000000000429000-memory.dmp | 164KB
- memory/1120-123-0x0000000000000000-mapping.dmp
- memory/1268-127-0x0000000000000000-mapping.dmp
- memory/3052-126-0x0000000005C80000-0x0000000005DC4000-memory.dmp | 1.3MB
- memory/3052-119-0x0000000002550000-0x0000000002625000-memory.dmp | 852KB
- memory/3148-135-0x00000000009B0000-0x0000000000CD0000-memory.dmp | 3.1MB
- memory/3148-133-0x000000000041D3D0-mapping.dmp