Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 07-10-2021 09:01
- Static task: static1
- Behavioral task: behavioral1
- Sample: 5ecdf9607af624d3ec1ed2bc9f0e9146.exe
- Resource: win7v20210408
General
- Target: 5ecdf9607af624d3ec1ed2bc9f0e9146.exe
- Size: 339KB
- MD5: 5ecdf9607af624d3ec1ed2bc9f0e9146
- SHA1: d68079d495932ef242efc76e96fe6d75a1ab8dc0
- SHA256: 934615bde495d4cbbfd0178c6eea46804cb19a447db1a8781bb43c5986012cbb
- SHA512: b7fe77eb6f6fbd620a5a7d187d1355fb43ece505d46846703ea71e84205fb6511867756552202a5b95163cc651a5ab9a14cb1b0c13e50260a5c57993df39835c
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign ID: p08r
- C2 URL: http://www.puremicrodosing.com/p08r/
- Decoy domains:
focalstead.com
adult-affi2401.com
tamaracastrillejo.com
klimatika.pro
vineyardsimple.com
maskrgl.com
anamontenegro.website
lockolock.com
lkdgd.com
bgcs.online
tasteofgadsdencounty.com
abbastanza.info
serviciomovistar.online
xaudix.com
flintandfern.com
ranchoptician.com
tradeplay.net
chazuo.store
fb90km.com
americandropper.com
shopmoly.com
standunitedforamerica.us
whiteknucklegrips.com
clarysvillemotel.online
cunnters.com
cameroon-infos.net
minisoshop.com
consulitate.xyz
iriny1.com
globalservicesproviders.com
mai1xia.xyz
apeironnature.com
snobite.net
hyvecommerce.com
consumersvoice.net
blinglj.com
oarlary.xyz
elemnetoutdoor.com
wandawallinbristow.com
cyworldl.com
windpeople.store
happinessfashionline.com
representelectrical.com
istc3.com
alskdfalskdf.com
micaixmt.com
outnoble.online
bbeway.com
truenettnpasumo3.xyz
989451.com
kennycheng.tech
rankedclub.com
alynzmy.top
topcatrecords.net
yappiiblog.com
cannaonline.net
universityplacehome.com
tksonline.club
curlya-shop.com
checkbox-staging-pmgi.com
ziomotors.com
underdodrat.info
110cy.top
musiciridium.com
Signatures
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 5ecdf9607af624d3ec1ed2bc9f0e9146.exe
-
Neshta
Malware from the Neshta family infects other executable files in order to spread itself and cause damage.
-
Xloader Payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2684-119-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/2684-120-0x000000000041D440-mapping.dmp | xloader
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
2628 | 5ecdf9607af624d3ec1ed2bc9f0e9146.exe
2684 | 5ecdf9607af624d3ec1ed2bc9f0e9146.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
2628 | 5ecdf9607af624d3ec1ed2bc9f0e9146.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 2628 set thread context of 2684 | 2628 | 5ecdf9607af624d3ec1ed2bc9f0e9146.exe | 5ecdf9607af624d3ec1ed2bc9f0e9146.exe
-
Drops file in Program Files directory 53 IoCs
Processes:
description | ioc | process
All 53 entries share the description "File opened for modification" and the process 5ecdf9607af624d3ec1ed2bc9f0e9146.exe; the ioc column for each entry is:
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
C:\PROGRA~2\WINDOW~2\wab.exe
C:\PROGRA~2\WI54FB~1\wmpshare.exe
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
C:\PROGRA~2\INTERN~1\ielowutil.exe
C:\PROGRA~2\WI54FB~1\setup_wm.exe
C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
C:\PROGRA~2\WI54FB~1\wmplayer.exe
C:\PROGRA~2\Google\Update\DISABL~1.EXE
C:\PROGRA~2\INTERN~1\ieinstal.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
C:\PROGRA~2\WINDOW~2\WinMail.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
C:\PROGRA~2\INTERN~1\ExtExport.exe
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe
C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
C:\PROGRA~2\WINDOW~2\wabmig.exe
C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
C:\PROGRA~2\INTERN~1\iexplore.exe
C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
C:\PROGRA~2\WI54FB~1\wmlaunch.exe
C:\PROGRA~2\WI54FB~1\wmpconfig.exe
C:\PROGRA~2\WI54FB~1\wmprph.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
-
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\svchost.com | 5ecdf9607af624d3ec1ed2bc9f0e9146.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 6 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\5ecdf9607af624d3ec1ed2bc9f0e9146.exe | nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\3582-490\5ecdf9607af624d3ec1ed2bc9f0e9146.exe | nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\3582-490\5ecdf9607af624d3ec1ed2bc9f0e9146.exe | nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\3582-490\5ecdf9607af624d3ec1ed2bc9f0e9146.exe | nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\3582-490\5ecdf9607af624d3ec1ed2bc9f0e9146.exe | nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\3582-490\5ecdf9607af624d3ec1ed2bc9f0e9146.exe | nsis_installer_2
-
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | 5ecdf9607af624d3ec1ed2bc9f0e9146.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
2684 | 5ecdf9607af624d3ec1ed2bc9f0e9146.exe
2684 | 5ecdf9607af624d3ec1ed2bc9f0e9146.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 2160 wrote to memory of 2628 | 2160 | 5ecdf9607af624d3ec1ed2bc9f0e9146.exe | 5ecdf9607af624d3ec1ed2bc9f0e9146.exe
PID 2160 wrote to memory of 2628 | 2160 | 5ecdf9607af624d3ec1ed2bc9f0e9146.exe | 5ecdf9607af624d3ec1ed2bc9f0e9146.exe
PID 2160 wrote to memory of 2628 | 2160 | 5ecdf9607af624d3ec1ed2bc9f0e9146.exe | 5ecdf9607af624d3ec1ed2bc9f0e9146.exe
PID 2628 wrote to memory of 2684 | 2628 | 5ecdf9607af624d3ec1ed2bc9f0e9146.exe | 5ecdf9607af624d3ec1ed2bc9f0e9146.exe
PID 2628 wrote to memory of 2684 | 2628 | 5ecdf9607af624d3ec1ed2bc9f0e9146.exe | 5ecdf9607af624d3ec1ed2bc9f0e9146.exe
PID 2628 wrote to memory of 2684 | 2628 | 5ecdf9607af624d3ec1ed2bc9f0e9146.exe | 5ecdf9607af624d3ec1ed2bc9f0e9146.exe
PID 2628 wrote to memory of 2684 | 2628 | 5ecdf9607af624d3ec1ed2bc9f0e9146.exe | 5ecdf9607af624d3ec1ed2bc9f0e9146.exe
PID 2628 wrote to memory of 2684 | 2628 | 5ecdf9607af624d3ec1ed2bc9f0e9146.exe | 5ecdf9607af624d3ec1ed2bc9f0e9146.exe
PID 2628 wrote to memory of 2684 | 2628 | 5ecdf9607af624d3ec1ed2bc9f0e9146.exe | 5ecdf9607af624d3ec1ed2bc9f0e9146.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\5ecdf9607af624d3ec1ed2bc9f0e9146.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5ecdf9607af624d3ec1ed2bc9f0e9146.exe"
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2160
    -
    [2] C:\Users\Admin\AppData\Local\Temp\3582-490\5ecdf9607af624d3ec1ed2bc9f0e9146.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\5ecdf9607af624d3ec1ed2bc9f0e9146.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        PID: 2628
        -
        [3] C:\Users\Admin\AppData\Local\Temp\3582-490\5ecdf9607af624d3ec1ed2bc9f0e9146.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\5ecdf9607af624d3ec1ed2bc9f0e9146.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            PID: 2684
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\5ecdf9607af624d3ec1ed2bc9f0e9146.exe
MD5: d41f65d9b8b141d40387320ce54f9ac3
SHA1: 33fea576d37736131811f5c528aa6439ca53ed95
SHA256: 21350c749a15b06efda33cae533086eab02ef83685d539556407633676de94bb
SHA512: 5dd5cc2e596cdab2209ecea994739a0c476b869545d2e5446d6f57237b1d6a539de48d407ec065ee9406ca1933104e7db585c59a80ec7933206ead7fc2c73851
-
\Users\Admin\AppData\Local\Temp\nsq96F7.tmp\xkbzkendk.dll
MD5: 78443d8d2652df75871fecb3890f917f
SHA1: c44b6f398134befbb76700830deb602453167660
SHA256: bb9fc7790c243f818df28e4bd1acfcef303a2391163444daec38edc99b5b39be
SHA512: dc30b45af4cac2735edd0953c7197e801d716f4f891611af6b80f16d8b2b2053ca5477a66964cee499d53dc40820ac08796037ba5855c9c521a7cee64dda0a76
-
memory/2628-115-0x0000000000000000-mapping.dmp
-
memory/2684-119-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize: 164KB
-
memory/2684-120-0x000000000041D440-mapping.dmp
-
memory/2684-122-0x0000000000A00000-0x0000000000D20000-memory.dmp
Filesize: 3.1MB