Analysis
- max time kernel: 118s
- max time network: 151s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 29-09-2021 07:30
- Static task: static1
General
- Target: 81b5af95b241a5a77293e9a905ea32c69da468f568f798ec5ea535071e930596.exe
- Size: 289KB
- MD5: 51c46cfdcb94cf241595e99600ba40b3
- SHA1: 00ca9779115daee4f009d1048994270e5d9f86ab
- SHA256: 81b5af95b241a5a77293e9a905ea32c69da468f568f798ec5ea535071e930596
- SHA512: 75cc385fd4b22d55cd5b89b417b81abe98689e6cad7977ca8eb2348a74eb54f60f53868f3e4d08ac47dfc79553ee78e41bc0c6f51d98a87b14ad78bd00b6cb63
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: m0np
- C2: http://www.devmedicalcentre.com/m0np/
- Decoy domains:
gruppovimar.com
seniordatingtv.com
pinpinyouqian.website
retreatreflectreplenish.com
baby-handmade.store
econsupplies.com
helloaustinpodcast.com
europe-lodging.com
ferahanaokulu.com
thehomeinspo.com
rawhoneytnpasumo6.xyz
tyckasei.quest
scissorsandbuffer.com
jatinvestmentsmaldives.com
softandcute.store
afuturemakerspromotions.online
leonsigntech.com
havetheshortscovered.com
cvkf.email
iplyyu.com
motphimz.net
slimmerpage.com
fifthbelle.com
moneybagsinfinity.com
architettoaroma.com
rio-script.com
millieandmaude.net
pvinayak.com
nyctattoing.com
fermanfood.com
medardlake.com
40acgidd.com
mrbrianalba.com
110bao.com
shguitong.com
why5mkt.com
diptv.xyz
gotbn-a01.com
rene-weise.com
meltaluminum.com
tobiasqbrown.com
eiqor.com
bnabd.com
painubloc.com
bofoz.com
maxicashprogtq.xyz
probinns.com
yourroddays1.xyz
friedmantrusts.com
patrianilancamentos.com
cetpa.solutions
fengxiaowangluo.com
zkimax.com
bibberyhills.com
colegiodeltaaps.com
fraternitybrand.com
codemais.net
ohayouwww.com
keenflat.com
devvabaek.com
rouxbylarease.online
hongyuyinji.com
cybersecurity-andorra.online
zs4.info
Signatures
- Xloader Payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/3668-116-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral1/memory/3668-117-0x000000000041D450-mapping.dmp | xloader
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  3320 | 81b5af95b241a5a77293e9a905ea32c69da468f568f798ec5ea535071e930596.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 3320 set thread context of 3668 | 3320 | 81b5af95b241a5a77293e9a905ea32c69da468f568f798ec5ea535071e930596.exe | 81b5af95b241a5a77293e9a905ea32c69da468f568f798ec5ea535071e930596.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  3668 | 81b5af95b241a5a77293e9a905ea32c69da468f568f798ec5ea535071e930596.exe
  3668 | 81b5af95b241a5a77293e9a905ea32c69da468f568f798ec5ea535071e930596.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description | pid | process | target process
  PID 3320 wrote to memory of 3668 | 3320 | 81b5af95b241a5a77293e9a905ea32c69da468f568f798ec5ea535071e930596.exe | 81b5af95b241a5a77293e9a905ea32c69da468f568f798ec5ea535071e930596.exe
  PID 3320 wrote to memory of 3668 | 3320 | 81b5af95b241a5a77293e9a905ea32c69da468f568f798ec5ea535071e930596.exe | 81b5af95b241a5a77293e9a905ea32c69da468f568f798ec5ea535071e930596.exe
  PID 3320 wrote to memory of 3668 | 3320 | 81b5af95b241a5a77293e9a905ea32c69da468f568f798ec5ea535071e930596.exe | 81b5af95b241a5a77293e9a905ea32c69da468f568f798ec5ea535071e930596.exe
  PID 3320 wrote to memory of 3668 | 3320 | 81b5af95b241a5a77293e9a905ea32c69da468f568f798ec5ea535071e930596.exe | 81b5af95b241a5a77293e9a905ea32c69da468f568f798ec5ea535071e930596.exe
  PID 3320 wrote to memory of 3668 | 3320 | 81b5af95b241a5a77293e9a905ea32c69da468f568f798ec5ea535071e930596.exe | 81b5af95b241a5a77293e9a905ea32c69da468f568f798ec5ea535071e930596.exe
  PID 3320 wrote to memory of 3668 | 3320 | 81b5af95b241a5a77293e9a905ea32c69da468f568f798ec5ea535071e930596.exe | 81b5af95b241a5a77293e9a905ea32c69da468f568f798ec5ea535071e930596.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\81b5af95b241a5a77293e9a905ea32c69da468f568f798ec5ea535071e930596.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\81b5af95b241a5a77293e9a905ea32c69da468f568f798ec5ea535071e930596.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\81b5af95b241a5a77293e9a905ea32c69da468f568f798ec5ea535071e930596.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\81b5af95b241a5a77293e9a905ea32c69da468f568f798ec5ea535071e930596.exe"
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsp8600.tmp\xbinoq.dll
  MD5: 0b920b2f27590b67c54f3787103f2180
  SHA1: 029a495fbb09ea3dca28807fd815baf8b541206f
  SHA256: a9f72389f209e74e5e0ccc368a81866e59f873869e17e9e03572e3419f20d14f
  SHA512: 8833913d5cafba7b025096cb573aeebf64f62e13ecccabd6d07e076293abba3c103d6abd4cc607086184fe45516dc26b117d871ab33b1b6f210f7b76079c4b4b
- memory/3668-116-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/3668-117-0x000000000041D450-mapping.dmp
- memory/3668-118-0x0000000000A00000-0x0000000000D20000-memory.dmp
  Filesize: 3.1MB