Analysis

max time kernel: 85s
max time network: 152s
platform: windows10_x64
resource: win10v20210408
submitted: 29-09-2021 09:54

Static task: static1
Behavioral task: behavioral1
Sample: 51c46cfdcb94cf241595e99600ba40b3.exe
Resource: win7-en-20210920
General

Target: 51c46cfdcb94cf241595e99600ba40b3.exe
Size: 289KB
MD5: 51c46cfdcb94cf241595e99600ba40b3
SHA1: 00ca9779115daee4f009d1048994270e5d9f86ab
SHA256: 81b5af95b241a5a77293e9a905ea32c69da468f568f798ec5ea535071e930596
SHA512: 75cc385fd4b22d55cd5b89b417b81abe98689e6cad7977ca8eb2348a74eb54f60f53868f3e4d08ac47dfc79553ee78e41bc0c6f51d98a87b14ad78bd00b6cb63
Malware Config

Extracted
Family: xloader
Version: 2.5
Campaign: m0np
C2: http://www.devmedicalcentre.com/m0np/
Decoy domains:
gruppovimar.com
seniordatingtv.com
pinpinyouqian.website
retreatreflectreplenish.com
baby-handmade.store
econsupplies.com
helloaustinpodcast.com
europe-lodging.com
ferahanaokulu.com
thehomeinspo.com
rawhoneytnpasumo6.xyz
tyckasei.quest
scissorsandbuffer.com
jatinvestmentsmaldives.com
softandcute.store
afuturemakerspromotions.online
leonsigntech.com
havetheshortscovered.com
cvkf.email
iplyyu.com
motphimz.net
slimmerpage.com
fifthbelle.com
moneybagsinfinity.com
architettoaroma.com
rio-script.com
millieandmaude.net
pvinayak.com
nyctattoing.com
fermanfood.com
medardlake.com
40acgidd.com
mrbrianalba.com
110bao.com
shguitong.com
why5mkt.com
diptv.xyz
gotbn-a01.com
rene-weise.com
meltaluminum.com
tobiasqbrown.com
eiqor.com
bnabd.com
painubloc.com
bofoz.com
maxicashprogtq.xyz
probinns.com
yourroddays1.xyz
friedmantrusts.com
patrianilancamentos.com
cetpa.solutions
fengxiaowangluo.com
zkimax.com
bibberyhills.com
colegiodeltaaps.com
fraternitybrand.com
codemais.net
ohayouwww.com
keenflat.com
devvabaek.com
rouxbylarease.online
hongyuyinji.com
cybersecurity-andorra.online
zs4.info
Signatures

Xloader Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/628-115-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral2/memory/628-116-0x000000000041D450-mapping.dmp | xloader

Loads dropped DLL (1 IoC)
  pid | process
  3128 | 51c46cfdcb94cf241595e99600ba40b3.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 3128 set thread context of 628 | 3128 | 51c46cfdcb94cf241595e99600ba40b3.exe | 51c46cfdcb94cf241595e99600ba40b3.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  628 | 51c46cfdcb94cf241595e99600ba40b3.exe
  628 | 51c46cfdcb94cf241595e99600ba40b3.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | target process
  PID 3128 wrote to memory of 628 | 3128 | 51c46cfdcb94cf241595e99600ba40b3.exe | 51c46cfdcb94cf241595e99600ba40b3.exe
  PID 3128 wrote to memory of 628 | 3128 | 51c46cfdcb94cf241595e99600ba40b3.exe | 51c46cfdcb94cf241595e99600ba40b3.exe
  PID 3128 wrote to memory of 628 | 3128 | 51c46cfdcb94cf241595e99600ba40b3.exe | 51c46cfdcb94cf241595e99600ba40b3.exe
  PID 3128 wrote to memory of 628 | 3128 | 51c46cfdcb94cf241595e99600ba40b3.exe | 51c46cfdcb94cf241595e99600ba40b3.exe
  PID 3128 wrote to memory of 628 | 3128 | 51c46cfdcb94cf241595e99600ba40b3.exe | 51c46cfdcb94cf241595e99600ba40b3.exe
  PID 3128 wrote to memory of 628 | 3128 | 51c46cfdcb94cf241595e99600ba40b3.exe | 51c46cfdcb94cf241595e99600ba40b3.exe
Processes

C:\Users\Admin\AppData\Local\Temp\51c46cfdcb94cf241595e99600ba40b3.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\51c46cfdcb94cf241595e99600ba40b3.exe"
  PID: 3128
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Local\Temp\51c46cfdcb94cf241595e99600ba40b3.exe (child of PID 3128)
      command line: "C:\Users\Admin\AppData\Local\Temp\51c46cfdcb94cf241595e99600ba40b3.exe"
      PID: 628
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads

\Users\Admin\AppData\Local\Temp\nsa4C37.tmp\xbinoq.dll
  MD5: 0b920b2f27590b67c54f3787103f2180
  SHA1: 029a495fbb09ea3dca28807fd815baf8b541206f
  SHA256: a9f72389f209e74e5e0ccc368a81866e59f873869e17e9e03572e3419f20d14f
  SHA512: 8833913d5cafba7b025096cb573aeebf64f62e13ecccabd6d07e076293abba3c103d6abd4cc607086184fe45516dc26b117d871ab33b1b6f210f7b76079c4b4b

memory/628-115-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB

memory/628-116-0x000000000041D450-mapping.dmp

memory/628-117-0x00000000009E0000-0x0000000000D00000-memory.dmp
  Filesize: 3.1MB