Analysis
max time kernel: 35s
max time network: 124s
platform: windows10_x64
resource: win10v20210408
submitted: 12-10-2021 12:05
Static task: static1
Behavioral task: behavioral1
Sample: 3737a705b553c9a6245722aa948a2beb.exe
Resource: win7-en-20210920
General
Target: 3737a705b553c9a6245722aa948a2beb.exe
Size: 423KB
MD5: 3737a705b553c9a6245722aa948a2beb
SHA1: b6a2abfaaffbb3560dc9ebae6f3bd14aa0594b44
SHA256: 612a346d3e2412113c53343b67419bc7a13bcf1bfe890137b68b3b5553a20096
SHA512: 401c211911ab46dfe85c015e2aa9c469f5486457f980c5eea4bf5e27ca74d13069c74ff9844cfd2d755e6ca44997e1ad49655bd8d383366ab40ed48e709ef22a
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: b2c0
C2: http://www.thesewhitevvalls.com/b2c0/
Decoy domains:
bjyxszd520.xyz
hsvfingerprinting.com
elliotpioneer.com
bf396.com
chinaopedia.com
6233v.com
shopeuphoricapparel.com
loccssol.store
truefictionpictures.com
playstarexch.com
peruviancoffee.store
shobhajoshi.com
philme.net
avito-rules.com
independencehomecenters.com
atp-cayenne.com
invetorsbank.com
sasanos.com
scentfreebnb.com
catfuid.com
sunshinefamilysupport.com
madison-co-atty.net
newhousebr.com
newstodayupdate.com
kamalaanjna.com
itpronto.com
hi-loentertainment.com
sadpartyrentals.com
vertuminy.com
khomayphotocopy.club
roleconstructora.com
cottonhome.online
starsspell.com
bedrijfs-kledingshop.com
aydeyahouse.com
miaintervista.com
taolemix.com
lnagvv.space
bjmobi.com
collabkc.art
onayli.net
ecostainable.com
vi88.info
brightlifeprochoice.com
taoluzhibo.info
techgobble.com
ideemimarlikinsaat.com
andajzx.com
shineshaft.website
arroundworld.com
reyuzed.com
emilfaucets.com
lumberjackguitarloops.com
pearl-interior.com
altitudebc.com
cqjiubai.com
kutahyaescortbayanlarim.xyz
metalworkingadditives.online
unasolucioendesa.com
andrewfjohnston.com
visionmark.net
dxxlewis.com
carts-amazon.com
anadolu.academy
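The extracted config is only useful once it is turned into indicators, and Xloader (the Formbook successor) complicates that: the malware beacons to the campaign path (/b2c0/ here) on the real C2 host and on a random subset of the decoy domains, many of which are legitimate sites. The host list is therefore weak on its own and the campaign path is the indicator that survives. The following script is an added example, not part of the sandbox report or its tooling; the config text is copied from the block above with the decoy list truncated, and the proxy-log lines are constructed.

```python
# Added example (not sandbox code): parse the extracted Xloader config into
# indicators and classify proxy-log URLs against them.
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Copied from the report's "Malware Config" block; decoy list truncated.
CONFIG_TEXT = """\
Family: xloader
Version: 2.5
Campaign: b2c0
C2: http://www.thesewhitevvalls.com/b2c0/
Decoy domains:
bjyxszd520.xyz
hsvfingerprinting.com
elliotpioneer.com
avito-rules.com
"""

# Constructed proxy-log lines: "<time> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = [
    "2021-10-12T12:06:01Z 10.0.0.5 GET http://www.thesewhitevvalls.com/b2c0/?q=AbCd 200",
    "2021-10-12T12:06:02Z 10.0.0.5 GET http://avito-rules.com/b2c0/?q=AbCd 404",
    "2021-10-12T12:06:03Z 10.0.0.5 GET http://elliotpioneer.com/b2c0/?q=AbCd 301",
    "2021-10-12T12:06:04Z 10.0.0.5 POST http://www.thesewhitevvalls.com/b2c0/ 200",
    "2021-10-12T12:07:10Z 10.0.0.5 GET http://www.example.org/ 200",
    "2021-10-12T12:08:00Z 10.0.0.9 GET http://avito-rules.com/ 200",
]


def parse_config(text: str) -> dict:
    """Parse the label/value block; decoy domains are the lines after the
    'Decoy domains:' header and are kept as a lower-cased set."""
    cfg: dict = {}
    decoys: List[str] = []
    in_decoys = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_decoys:
            decoys.append(line.lower())
            continue
        label, _, value = line.partition(":")
        label = label.strip().lower()
        if label == "decoy domains":
            in_decoys = True
        else:
            cfg[label] = value.strip()
    cfg["decoys"] = set(decoys)
    return cfg


def classify_request(url: str, cfg: dict) -> Optional[str]:
    """Verdict for one observed URL, or None when it is unrelated.

    The campaign path is matched exactly ("/b2c0/"); the query string varies
    per beacon and is ignored. A decoy host without the campaign path is
    ordinary traffic and is deliberately not flagged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    campaign_path = "/" + cfg["campaign"] + "/"
    c2_host = (urlsplit(cfg["c2"]).hostname or "").lower()
    on_campaign_path = parts.path == campaign_path
    if host == c2_host:
        return "c2-beacon" if on_campaign_path else "c2-host"
    if on_campaign_path:
        return "decoy-beacon" if host in cfg["decoys"] else "campaign-path-only"
    return None


def triage_log(lines: List[str], cfg: dict) -> List[Tuple[str, str]]:
    """Run classify_request over proxy-log lines; returns (url, verdict) hits."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        verdict = classify_request(fields[3], cfg)
        if verdict:
            hits.append((fields[3], verdict))
    return hits


if __name__ == "__main__":
    config = parse_config(CONFIG_TEXT)
    for url, verdict in triage_log(SAMPLE_PROXY_LOG, config):
        print(f"{verdict:20s} {url}")
```

Blocking the C2 host is still worthwhile, but the "campaign-path-only" verdict is the one that catches a beacon to a decoy domain that was not in the extracted list, which is the common situation when the same campaign ID is reused across samples.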
Signatures
-
Xloader Payload (2 IoCs)
resource / yara_rule:
- behavioral2/memory/3828-115-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
- behavioral2/memory/3828-116-0x000000000041D4C0-mapping.dmp: xloader
Loads dropped DLL (1 IoC)
pid / process:
- 3492 3737a705b553c9a6245722aa948a2beb.exe
Suspicious use of SetThreadContext (1 IoC)
pid / process -> target pid / target process:
- PID 3492 (3737a705b553c9a6245722aa948a2beb.exe) set thread context of PID 3828 (3737a705b553c9a6245722aa948a2beb.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic note "likely ransomware behaviour" to this signature; on its own it is weak evidence, and the payload identified by the YARA hits above is the Xloader infostealer, not ransomware.
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid / process:
- 3828 3737a705b553c9a6245722aa948a2beb.exe
- 3828 3737a705b553c9a6245722aa948a2beb.exe
Suspicious use of WriteProcessMemory (6 IoCs)
pid / process -> target pid / target process (six calls, all identical):
- PID 3492 (3737a705b553c9a6245722aa948a2beb.exe) wrote to memory of PID 3828 (3737a705b553c9a6245722aa948a2beb.exe), x6
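The SetThreadContext and WriteProcessMemory signatures describe one pattern: PID 3492 writes repeatedly into a freshly started copy of its own image (PID 3828) and then redirects that process's thread, which is how process hollowing / RunPE hands execution to an in-memory payload. The detection below is an added example, not the sandbox's own signature logic; the ApiEvent records are constructed from the signature rows above, plus one unrelated debugger-style write for contrast.

```python
# Added example (not sandbox code): flag process hollowing from a stream of
# monitored API events by correlating cross-process writes with a
# SetThreadContext call on the same (caller, target) pair.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

EXE = "3737a705b553c9a6245722aa948a2beb.exe"


@dataclass(frozen=True)
class ApiEvent:
    """One monitored API call: caller process -> target process."""
    api: str
    pid: int
    image: str
    target_pid: int
    target_image: str


# Constructed from the report's signature rows: six WriteProcessMemory calls
# and one SetThreadContext from PID 3492 into PID 3828, the child's own
# process enumeration, and an unrelated debugger-style write (pid 1000) that
# must not fire because no thread context is set.
EVENTS: List[ApiEvent] = (
    [ApiEvent("WriteProcessMemory", 3492, EXE, 3828, EXE)] * 6
    + [ApiEvent("SetThreadContext", 3492, EXE, 3828, EXE)]
    + [ApiEvent("EnumProcesses", 3828, EXE, 3828, EXE)]
    + [ApiEvent("WriteProcessMemory", 1000, "devenv.exe", 1001, "app.exe")]
)


def find_hollowing(events: List[ApiEvent], min_writes: int = 1) -> List[dict]:
    """Return one finding per (caller, target) pair that both wrote into the
    target's memory and set a thread context there. Calls a process makes
    on itself are ignored; they are normal."""
    writes: Dict[Tuple[int, int], int] = defaultdict(int)
    context_set: Set[Tuple[int, int]] = set()
    images: Dict[Tuple[int, int], Tuple[str, str]] = {}
    for e in events:
        if e.pid == e.target_pid:
            continue
        key = (e.pid, e.target_pid)
        images[key] = (e.image, e.target_image)
        if e.api == "WriteProcessMemory":
            writes[key] += 1
        elif e.api == "SetThreadContext":
            context_set.add(key)

    findings = []
    for key in sorted(context_set):
        if writes[key] < min_writes:
            continue
        image, target_image = images[key]
        findings.append({
            "parent": key[0],
            "child": key[1],
            "writes": writes[key],
            # Same image on both sides: the "hollow a copy of yourself"
            # variant recorded in this report.
            "self_injection": image.lower() == target_image.lower(),
            "attack": "T1055.012",  # ATT&CK Process Injection: Process Hollowing
        })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(EVENTS):
        print(f)
```

Requiring both the writes and the thread-context change on the same pair is what keeps debuggers and crash reporters (which write or read remote memory but do not retarget threads) out of the results; a resumed-thread event on the same pair would tighten it further, but the report does not record one.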
Processes
C:\Users\Admin\AppData\Local\Temp\3737a705b553c9a6245722aa948a2beb.exe (PID 3492)
  command line: "C:\Users\Admin\AppData\Local\Temp\3737a705b553c9a6245722aa948a2beb.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\3737a705b553c9a6245722aa948a2beb.exe (PID 3828, child of 3492)
    command line: "C:\Users\Admin\AppData\Local\Temp\3737a705b553c9a6245722aa948a2beb.exe"
    - Suspicious behavior: EnumeratesProcesses
Downloads
\Users\Admin\AppData\Local\Temp\nsv61BE.tmp\wxmkcb.dll
MD5: 0c830a1bd50b239167ea8a7bdd68e095
SHA1: e65f3280c817f0f7e52a52112121d17ffcbc7e5d
SHA256: b31b5199366598aa7e035d334e1f045b79902aedb13186f8ba178f9cc8d7b49a
SHA512: c81ced34a906cfcd2e79466a0cbed7bcca3d5d830dcb5b710d45ea2d572d19763bd7721c55368e80a015e716f47e0fe8f45acf30d8e8e24e9d4c0e3d00dffa17
(The ns*.tmp directory under %TEMP% is where NSIS installers unpack their plugin DLLs, so this is the loader's NSIS plugin, which is what the "Loads dropped DLL" signature recorded for PID 3492.)

memory/3828-115-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize: 164KB

memory/3828-116-0x000000000041D4C0-mapping.dmp

memory/3828-117-0x00000000009C0000-0x0000000000CE0000-memory.dmp
Filesize: 3.1MB
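The dump names encode the [start, end) range of the region that was dumped, so they can be checked rather than trusted: 0x429000 - 0x400000 is 164KB, matching the listed size, and that region sits at the default image base 0x400000 in the hollowed child PID 3828, which is the unpacked payload the "xloader" YARA rule matched (far smaller than the 423KB NSIS-packaged file on disk). The single-address mapping dump at 0x41D4C0 falls inside that same region at offset 0x1D4C0. The parser below is an added example, not sandbox tooling; the names are copied from the list above.

```python
# Added example (not sandbox code): parse memory-dump names from the report,
# recompute region sizes, and resolve single-address mapping dumps to the
# ranged region that contains them.
import re
from typing import List, Optional

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)

# Copied from the report's Downloads section.
DUMP_NAMES = [
    "memory/3828-115-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/3828-116-0x000000000041D4C0-mapping.dmp",
    "memory/3828-117-0x00000000009C0000-0x0000000000CE0000-memory.dmp",
]


def parse_dump_name(name: str) -> dict:
    """Split a dump name into pid, sequence number, address range and kind.
    Mapping dumps carry a single address, so end and size are None."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {
        "name": name,
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "kind": m["kind"],
        "start": start,
        "end": end,
        "size": (end - start) if end is not None else None,
    }


def human_size(n: int) -> str:
    """Match the report's display convention: whole KB below 1 MiB,
    otherwise MB to one decimal place."""
    if n < 1024 * 1024:
        return f"{n / 1024:.0f}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def locate_address(addr: int, dumps: List[dict]) -> Optional[dict]:
    """Find the ranged ('memory') dump containing addr; report the offset."""
    for d in dumps:
        if d["kind"] == "memory" and d["start"] <= addr < d["end"]:
            return {"seq": d["seq"], "name": d["name"], "offset": addr - d["start"]}
    return None


def summarize(names: List[str]) -> List[dict]:
    """Parse every dump name; add a size_text for ranged dumps and an
    'inside' lookup for single-address mapping dumps."""
    dumps = [parse_dump_name(n) for n in names]
    rows = []
    for d in dumps:
        row = dict(d)
        if d["size"] is not None:
            row["size_text"] = human_size(d["size"])
        else:
            row["inside"] = locate_address(d["start"], dumps)
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in summarize(DUMP_NAMES):
        extra = row.get("size_text") or row.get("inside")
        print(f"{row['seq']} {row['kind']:7s} 0x{row['start']:X} {extra}")
```

The 3.1MB region at 0x9C0000 is not a PE image base and carries no YARA hit in the report; it is the kind of large private allocation worth opening in a hex editor before assuming it is payload rather than heap.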