Analysis
- max time kernel: 78s
- max time network: 121s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 12-10-2021 11:20
Static task: static1
General
- Target: 612a346d3e2412113c53343b67419bc7a13bcf1bfe890137b68b3b5553a20096.exe
- Size: 423KB
- MD5: 3737a705b553c9a6245722aa948a2beb
- SHA1: b6a2abfaaffbb3560dc9ebae6f3bd14aa0594b44
- SHA256: 612a346d3e2412113c53343b67419bc7a13bcf1bfe890137b68b3b5553a20096
- SHA512: 401c211911ab46dfe85c015e2aa9c469f5486457f980c5eea4bf5e27ca74d13069c74ff9844cfd2d755e6ca44997e1ad49655bd8d383366ab40ed48e709ef22a
Malware Config
Extracted
xloader
2.5
b2c0
http://www.thesewhitevvalls.com/b2c0/
Signatures
-
Xloader Payload 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/3792-116-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral1/memory/3792-117-0x000000000041D4C0-mapping.dmp | xloader
Loads dropped DLL 1 IoCs
Processes:
pid | process
1812 | 612a346d3e2412113c53343b67419bc7a13bcf1bfe890137b68b3b5553a20096.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1812 set thread context of 3792 | 1812 | 612a346d3e2412113c53343b67419bc7a13bcf1bfe890137b68b3b5553a20096.exe | 612a346d3e2412113c53343b67419bc7a13bcf1bfe890137b68b3b5553a20096.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
3792 | 612a346d3e2412113c53343b67419bc7a13bcf1bfe890137b68b3b5553a20096.exe
3792 | 612a346d3e2412113c53343b67419bc7a13bcf1bfe890137b68b3b5553a20096.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description | pid | process | target process
PID 1812 wrote to memory of 3792 | 1812 | 612a346d3e2412113c53343b67419bc7a13bcf1bfe890137b68b3b5553a20096.exe | 612a346d3e2412113c53343b67419bc7a13bcf1bfe890137b68b3b5553a20096.exe
PID 1812 wrote to memory of 3792 | 1812 | 612a346d3e2412113c53343b67419bc7a13bcf1bfe890137b68b3b5553a20096.exe | 612a346d3e2412113c53343b67419bc7a13bcf1bfe890137b68b3b5553a20096.exe
PID 1812 wrote to memory of 3792 | 1812 | 612a346d3e2412113c53343b67419bc7a13bcf1bfe890137b68b3b5553a20096.exe | 612a346d3e2412113c53343b67419bc7a13bcf1bfe890137b68b3b5553a20096.exe
PID 1812 wrote to memory of 3792 | 1812 | 612a346d3e2412113c53343b67419bc7a13bcf1bfe890137b68b3b5553a20096.exe | 612a346d3e2412113c53343b67419bc7a13bcf1bfe890137b68b3b5553a20096.exe
PID 1812 wrote to memory of 3792 | 1812 | 612a346d3e2412113c53343b67419bc7a13bcf1bfe890137b68b3b5553a20096.exe | 612a346d3e2412113c53343b67419bc7a13bcf1bfe890137b68b3b5553a20096.exe
PID 1812 wrote to memory of 3792 | 1812 | 612a346d3e2412113c53343b67419bc7a13bcf1bfe890137b68b3b5553a20096.exe | 612a346d3e2412113c53343b67419bc7a13bcf1bfe890137b68b3b5553a20096.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\612a346d3e2412113c53343b67419bc7a13bcf1bfe890137b68b3b5553a20096.exe (process tree level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\612a346d3e2412113c53343b67419bc7a13bcf1bfe890137b68b3b5553a20096.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\612a346d3e2412113c53343b67419bc7a13bcf1bfe890137b68b3b5553a20096.exe (process tree level 2, child of the above)
    command line: "C:\Users\Admin\AppData\Local\Temp\612a346d3e2412113c53343b67419bc7a13bcf1bfe890137b68b3b5553a20096.exe"
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nswADF5.tmp\wxmkcb.dll
  MD5: 0c830a1bd50b239167ea8a7bdd68e095
  SHA1: e65f3280c817f0f7e52a52112121d17ffcbc7e5d
  SHA256: b31b5199366598aa7e035d334e1f045b79902aedb13186f8ba178f9cc8d7b49a
  SHA512: c81ced34a906cfcd2e79466a0cbed7bcca3d5d830dcb5b710d45ea2d572d19763bd7721c55368e80a015e716f47e0fe8f45acf30d8e8e24e9d4c0e3d00dffa17
- memory/3792-116-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/3792-117-0x000000000041D4C0-mapping.dmp
- memory/3792-118-0x0000000000A60000-0x0000000000D80000-memory.dmp
  Filesize: 3.1MB