Analysis
- max time kernel: 123s
- max time network: 125s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 14-10-2021 18:26
Static task: static1
Behavioral task: behavioral1
- Sample: b610b5c669611fbb55ed5965a8cd0c10.exe
- Resource: win7-en-20211014
General
- Target: b610b5c669611fbb55ed5965a8cd0c10.exe
- Size: 252KB
- MD5: b610b5c669611fbb55ed5965a8cd0c10
- SHA1: ecd743dc78d7aedaf33ffe0ddb8a6f242cb28b87
- SHA256: 062a33046cca90bc6364cc29ccd47ae7f4165d388f5fb699bb88c35c4509bb90
- SHA512: 33a51739fb7daed438c380fa54a9f8a39d80fffd5da709fab6bd2ccadc156c03a349bda89c4ee2677d4a1cf1fc2b7428be6cc005188b9d2305f7205020c220c3
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: mxnu
- C2: http://www.naplesconciergerealty.com/mxnu/ (the URL path matches the campaign ID, as is usual for this family)
- Decoy domains (64 entries follow). Xloader/Formbook configs ship a list of decoy domains next to the real C2 and beacon to decoys as well, so treat these as hunting context rather than confirmed attacker infrastructure:
insightmyhome.com
gabriellamaxey.com
029atk.xyz
marshconstructions.com
technichoffghosts.com
blue-ivy-boutique-au.com
1sunsetgroup.com
elfkuhnispb.store
caoliudh.club
verifiedpaypal.net
jellyice-tr.com
gatescres.com
bloomberq.online
crystaltopagent.net
uggs-line.com
ecommerceplatform.xyz
historyofcambridge.com
sattaking-gaziabad.xyz
digisor.com
beachpawsmobilegrooming.com
whitebot.xyz
zacky6.online
qlfa8gzk8f.com
scottjasonfowler.com
influxair.com
desongli.com
xn--w7uy63f0ne2sj.com
pinup722bk.com
haohuatour.com
dharmathinkural.com
hanjyu.com
tbrhc.com
clarityflux.com
meltonandcompany.com
revgeek.com
onehigh.club
closetu.com
yama-nkok.com
brandonhistoryandinfo.com
funkidsroomdecor.com
epilasyonmerkeziankara.com
265411.com
watch12.online
dealsbonaza.com
gold2guide.art
tomclark.online
877961.com
washingtonboatrentals.com
promovart.com
megapollice.online
taquerialoteria.com
foxsontreeservice.com
safebookkeeping.com
theeducationwheel.online
sasanos.com
procurovariedades.com
normandia.pro
ingdalynnia.xyz
campusguideconsulting.com
ashramseries.com
clubcupids.art
mortgagerates.solutions
deepscanlabs.com
insulated-box.com
Signatures
Xloader Payload (2 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/2044-56-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral1/memory/2044-57-0x000000000041D4A0-mapping.dmp | xloader
Both hits are in the child process (PID 2044), the target of the SetThreadContext/WriteProcessMemory activity below; the mapping address 0x41D4A0 lies inside the 0x400000-0x429000 region that matched the rule.
Loads dropped DLL (1 IoC)
Processes:
  pid | process
  1684 | b610b5c669611fbb55ed5965a8cd0c10.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target process
  PID 1684 set thread context of 2044 | 1684 | b610b5c669611fbb55ed5965a8cd0c10.exe | b610b5c669611fbb55ed5965a8cd0c10.exe
Source and target are two instances of the same image: the first process writes into a child copy of itself and redirects one of its threads, which is consistent with hollowing its own image to run the unpacked payload.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Read the second sentence as the sandbox's generic heuristic text: Xloader is an information stealer, and nothing else in this report shows user files being encrypted or modified.
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  pid | process
  2044 | b610b5c669611fbb55ed5965a8cd0c10.exe
Suspicious use of WriteProcessMemory (7 IoCs)
Processes (seven entries, all identical):
  description | pid | process | target process
  PID 1684 wrote to memory of 2044 | 1684 | b610b5c669611fbb55ed5965a8cd0c10.exe | b610b5c669611fbb55ed5965a8cd0c10.exe
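The SetThreadContext and WriteProcessMemory rows above only become a useful finding once they are correlated per source/target pair. The following is an added example, not code from the sandbox or from the report: it parses the report's own signature rows (copied below as constructed input) and flags pairs where the writer and the written-to process run the same image, which is the self-injection pattern this sample shows.

```python
"""Correlate the injection signatures above into a single finding.

Added example (not part of the sandbox report): it parses the report's own
"set thread context of" / "wrote to memory of" rows and flags source/target
pairs that are two instances of the same image, the pattern Xloader uses to
hollow a fresh copy of itself.
"""
import re
from collections import defaultdict

# Constructed input: the signature rows from the report, copied one per line
# (the report lists the WriteProcessMemory row seven times).
REPORT_ROWS = (
    "PID 1684 set thread context of 2044 1684 "
    "b610b5c669611fbb55ed5965a8cd0c10.exe b610b5c669611fbb55ed5965a8cd0c10.exe\n"
    + (
        "PID 1684 wrote to memory of 2044 1684 "
        "b610b5c669611fbb55ed5965a8cd0c10.exe b610b5c669611fbb55ed5965a8cd0c10.exe\n"
    ) * 7
)

# Row layout: "PID <src> <action> <dst> <src again> <src image> <target image>"
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_rows(text):
    """Return one dict per recognised row; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def correlate_injection(events):
    """Group rows by (source pid, target pid) and classify each pair.

    A pair is reported only when the source both wrote into the target and
    reset one of its threads' contexts; either alone is weak evidence.
    """
    pairs = defaultdict(lambda: {"writes": 0, "ctx": False, "imgs": None})
    for e in events:
        p = pairs[(int(e["src"]), int(e["dst"]))]
        p["imgs"] = (e["src_img"].lower(), e["dst_img"].lower())
        if e["action"].startswith("wrote"):
            p["writes"] += 1
        else:
            p["ctx"] = True

    findings = []
    for (src, dst), p in sorted(pairs.items()):
        if not (p["ctx"] and p["writes"]):
            continue
        same_image = p["imgs"][0] == p["imgs"][1]
        findings.append({
            "src": src,
            "dst": dst,
            "writes": p["writes"],
            "same_image": same_image,
            "verdict": ("self-injection: parent writes into and redirects a "
                        "thread of a child running its own image")
                       if same_image else "cross-process injection",
        })
    return findings


if __name__ == "__main__":
    for f in correlate_injection(parse_rows(REPORT_ROWS)):
        print(f"{f['src']} -> {f['dst']}: {f['writes']} writes, {f['verdict']}")
```

The same grouping works on Sysmon event 8/10 data or any EDR telemetry that records source and target process for memory writes and thread-context changes; the point is to require both behaviours against the same target before raising the finding, and to note when the target is a child of the same image, since that is the hollowing variant this family uses.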
Processes
- C:\Users\Admin\AppData\Local\Temp\b610b5c669611fbb55ed5965a8cd0c10.exe "C:\Users\Admin\AppData\Local\Temp\b610b5c669611fbb55ed5965a8cd0c10.exe" (level 1, PID 1684)
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\b610b5c669611fbb55ed5965a8cd0c10.exe "C:\Users\Admin\AppData\Local\Temp\b610b5c669611fbb55ed5965a8cd0c10.exe" (level 2, child of the above, PID 2044)
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nstE235.tmp\rznjhun.dll
  MD5: 49e3e63ae4d93b065720946ee9cfb161
  SHA1: 35634d8953dc28f7d5f9712e0f9839142f142a59
  SHA256: 7df0582dfc9b39225e3f5db2c9d707f392fa0cf96c440388bc97f792de260563
  SHA512: 30a3171524548d60451ecc6e8f6c95315d7e60d4a69e54071e7ef54a916ab4e59ab4d02d5eddf12073ebffc8fc8127eedf133f787ffcb0e8e0f30f9bf699c1d6
  This is the DLL behind the "Loads dropped DLL" signature for PID 1684. An ns*.tmp directory under %TEMP% holding a randomly named DLL is consistent with an NSIS installer unpacking a plugin, so the sample is most likely an NSIS-wrapped loader.
- memory/1684-54-0x0000000075191000-0x0000000075193000-memory.dmp
  Filesize: 8KB
- memory/2044-56-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/2044-57-0x000000000041D4A0-mapping.dmp
- memory/2044-58-0x00000000008E0000-0x0000000000BE3000-memory.dmp
  Filesize: 3.0MB
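The dump names above encode the process, the address range and the thread-context address, and it is worth decoding them before opening any file: they tell you which dump holds the injected payload and at what offset to start. The following is an added example, not code from the sandbox or from the report: it parses the four names listed under Downloads (copied below as constructed input), recomputes the sizes the report shows, and finds the region of the same process that contains the mapping address.

```python
"""Decode the memory-dump names above and locate the injected payload.

Added example (not part of the sandbox report): it parses the
"memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp" and
"memory/<pid>-<n>-0x<addr>-mapping.dmp" names, recomputes the sizes the
report shows, and finds which dumped region of the same process contains
the mapping address, giving the RVA of the new thread context inside it.
"""
import re

# Constructed input: the four dump names listed under Downloads.
REPORT_DUMPS = [
    "memory/1684-54-0x0000000075191000-0x0000000075193000-memory.dmp",
    "memory/2044-56-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/2044-57-0x000000000041D4A0-mapping.dmp",
    "memory/2044-58-0x00000000008E0000-0x0000000000BE3000-memory.dmp",
]

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$"
)


def parse_dump_name(name):
    """Return a dict describing a region dump or a mapping (single address) dump."""
    m = DUMP_RE.search(name)
    if m is None:
        raise ValueError(f"not a dump name: {name}")
    pid, idx, start = int(m["pid"]), int(m["idx"]), int(m["start"], 16)
    if m["end"] is None:
        return {"pid": pid, "idx": idx, "kind": "mapping", "addr": start}
    end = int(m["end"], 16)
    return {"pid": pid, "idx": idx, "kind": "region",
            "start": start, "end": end, "size": end - start}


def human_size(n):
    """Match the report's rendering: whole KB below 1 MB, else one-decimal MB."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def locate_mappings(dumps):
    """For each mapping dump, find the region dump of the same pid that holds it."""
    regions = [d for d in dumps if d["kind"] == "region"]
    hits = []
    for m in (d for d in dumps if d["kind"] == "mapping"):
        for r in regions:
            if r["pid"] == m["pid"] and r["start"] <= m["addr"] < r["end"]:
                hits.append({"pid": m["pid"], "mapping_idx": m["idx"],
                             "region_idx": r["idx"],
                             "rva": m["addr"] - r["start"]})
    return hits


if __name__ == "__main__":
    parsed = [parse_dump_name(n) for n in REPORT_DUMPS]
    for d in parsed:
        if d["kind"] == "region":
            print(f"pid {d['pid']} dump {d['idx']}: "
                  f"{d['start']:#x}-{d['end']:#x} ({human_size(d['size'])})")
    for h in locate_mappings(parsed):
        print(f"pid {h['pid']}: mapping {h['mapping_idx']} lands in "
              f"region dump {h['region_idx']} at RVA {h['rva']:#x}")
```

For this report the mapping 2044-57 (0x41D4A0) falls in region dump 2044-56 at RVA 0x1D4A0; that region starts at 0x400000, the conventional image base of a non-relocated 32-bit PE, so dump 2044-56 is the hollowed image and 0x1D4A0 is where the redirected thread begins, which is the place to start when carving the unpacked Xloader out of it. The 3.0 MB region 2044-58 is the other dump from the same process worth inspecting.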