Analysis
max time kernel: 114s
max time network: 153s
platform: windows10_x64
resource: win10-en-20210920
submitted: 05-10-2021 14:30
Static task: static1
General
Target: f89bda22f77706b290e5f56032cd4c884f8da016a379f6c6a978acf4983f0175.exe
Size: 440KB
MD5: f51da2ac8cdfc1ff41921f0fceee4514
SHA1: f910ed6637480ff6930df72d9258029641a186ba
SHA256: f89bda22f77706b290e5f56032cd4c884f8da016a379f6c6a978acf4983f0175
SHA512: 830f6fadf25b3b839d648a71e82eb3fb37c0e5376d5ce76044a39321ab54f356cec4f9a8ef08f01ebe2d86b6e6643a24a591b680ab2f88c29ecb8e43e837ed46
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: noha
C2: http://www.mglracing.com/noha/
Signatures

Xloader Payload (2 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2168-116-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral1/memory/2168-117-0x000000000041D490-mapping.dmp | xloader

Loads dropped DLL (1 IoC)
Processes:
pid | process
3144 | f89bda22f77706b290e5f56032cd4c884f8da016a379f6c6a978acf4983f0175.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 3144 set thread context of 2168 | 3144 | f89bda22f77706b290e5f56032cd4c884f8da016a379f6c6a978acf4983f0175.exe | f89bda22f77706b290e5f56032cd4c884f8da016a379f6c6a978acf4983f0175.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
2168 | f89bda22f77706b290e5f56032cd4c884f8da016a379f6c6a978acf4983f0175.exe
2168 | f89bda22f77706b290e5f56032cd4c884f8da016a379f6c6a978acf4983f0175.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description | pid | process | target process
PID 3144 wrote to memory of 2168 | 3144 | f89bda22f77706b290e5f56032cd4c884f8da016a379f6c6a978acf4983f0175.exe | f89bda22f77706b290e5f56032cd4c884f8da016a379f6c6a978acf4983f0175.exe
(the same entry is recorded 6 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\f89bda22f77706b290e5f56032cd4c884f8da016a379f6c6a978acf4983f0175.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f89bda22f77706b290e5f56032cd4c884f8da016a379f6c6a978acf4983f0175.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\f89bda22f77706b290e5f56032cd4c884f8da016a379f6c6a978acf4983f0175.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\f89bda22f77706b290e5f56032cd4c884f8da016a379f6c6a978acf4983f0175.exe"
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\Users\Admin\AppData\Local\Temp\nssB4EF.tmp\iivedwr.dll
MD5: 3e9d045c2d39e938be8d6ca201334b33
SHA1: 2d186f686d45dfdd4657b905ae96976696fd8413
SHA256: 017ac808ba839b52ff09e5cced4a6a7e1673a8bdbcc4f5e78d8e0ce3b05acc7d
SHA512: 48ffe8f61bc0ee3121658600ae91e63631b99c1d7332898ac4e68fcde6348a6ff419d71171905c1ee1f5440e13405bbd1734fe2f3e0e460ffc0a9c86bac724d1

memory/2168-116-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize: 164KB

memory/2168-117-0x000000000041D490-mapping.dmp

memory/2168-118-0x0000000000A50000-0x0000000000D70000-memory.dmp
Filesize: 3.1MB