Analysis
  max time kernel:   155s
  max time network:  156s
  platform:          windows7_x64
  resource:          win7-en-20210920
  submitted:         21-10-2021 12:23
Static task
  static1

Behavioral tasks (all on sample REE20212110575259OCT.exe)
  behavioral1  win7-ja-20211014
  behavioral2  win7-en-20210920
  behavioral3  win7-de-20211014
  behavioral4  win11
  behavioral5  win10-ja-20211014
  behavioral6  win10-en-20210920
General
  Target:  REE20212110575259OCT.exe
  Size:    498KB
  MD5:     9c00fc940483cff2a0f3f619db16ad54
  SHA1:    6f9c746d9cfb4e0bbf829783a82b883f7317b16b
  SHA256:  8a54e41751369783c64f56f30133b985933092324e9b2dad025641d23643280c
  SHA512:  30451538f9ed65159280a168c711056d7bc0776d0c30f1c82bfa4dfacfe4373c01f503004f1eacc1a690104f99bf7e78c61c5436261c0813508467ff5dd4ff21
Malware Config (extracted)
  Family:    xloader
  Version:   2.5
  Campaign:  gab8
  C2:        http://www.purodetalle.com/gab8/
  Decoy domains (the sample also resolves these so the real C2 is buried in ordinary-looking traffic):
amateurfeetworship.com
big-food.biz
metaversevolution.com
profecional-pacasmayo.com
royzoom.com
bekindevolution.com
hokozaki.com
waltersswholesale.com
wayfinderacu.com
schnurrgallery.com
babygearrentals.net
imggtoken.club
24x7x366.com
lakiernictwo.info
les-cours.com
dwticket.com
onarollshades.com
ramireztradepartners.com
safarparfums.com
6ngie.info
hoedetamni.quest
europeangurl.com
sakhakot.com
franciscoalpizar.com
jsyysn.com
goldberg-lighting.com
symbebidas.online
aucoeurducadeau.com
diamondscaterers.com
surswain.quest
gequper.xyz
roytsb.com
332151.com
hienrenow.com
skullother.com
betnubhelp.com
donerightcleaningnation.info
noukou-tonkotsu.xyz
bulkysofthome.com
yuejiayouhua.com
sevillalimpieza.com
involvefinance.com
obz7mo9amu.com
niftyfashionreward.com
refunddngame.com
norllix.com
vergadercentrumdji.com
1006e.com
boraeresici.com
partnerbebefits.com
hejabbanifatemi.com
bigskypediatrics.com
thefortclub.com
blacksource.xyz
happyklikshop.com
fullamodatoptan.com
pinupcams.info
javnfts.com
duocvietpharmacy.com
babyfloki.tech
cequitycorp.com
frenziedflora.com
5cherries.com
slurcap.com
Signatures

Xloader Payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/1292-63-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
  behavioral2/memory/1292-64-0x000000000041D3B0-mapping.dmp                     xloader
  behavioral2/memory/1428-76-0x0000000000080000-0x00000000000A9000-memory.dmp   xloader

Deletes itself (1 IoC)
  pid   process
  1672  cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
  pid   process                   target pid  target process
  1704  REE20212110575259OCT.exe  1292        REE20212110575259OCT.exe
  1292  REE20212110575259OCT.exe  1264        Explorer.EXE
  1428  colorcpl.exe              1264        Explorer.EXE
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The generic signature text adds "Likely ransomware behaviour"; the family extracted here is XLoader, an information stealer, and nothing else in this report shows file encryption, so treat this as drive enumeration rather than a ransomware indicator.
Suspicious behavior: EnumeratesProcesses (24 IoCs)
  pid   process                   count
  1292  REE20212110575259OCT.exe  2
  1972  powershell.exe            1
  1428  colorcpl.exe              21

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   process                   count
  1292  REE20212110575259OCT.exe  3
  1428  colorcpl.exe              2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  pid   process                   token
  1292  REE20212110575259OCT.exe  SeDebugPrivilege
  1972  powershell.exe            SeDebugPrivilege
  1428  colorcpl.exe              SeDebugPrivilege

Suspicious use of WriteProcessMemory (19 IoCs)
  pid   process                   target pid  target process            count
  1704  REE20212110575259OCT.exe  1972        powershell.exe            4
  1704  REE20212110575259OCT.exe  1292        REE20212110575259OCT.exe  7
  1264  Explorer.EXE              1428        colorcpl.exe              4
  1428  colorcpl.exe              1672        cmd.exe                   4
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"
      (the 32-bit parent asked for the System32 path; WoW64 file-system redirection resolved it to SysWOW64, which is why image path and command line differ)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\autochk.exe
    command line: "C:\Windows\SysWOW64\autochk.exe"

  C:\Windows\SysWOW64\autochk.exe
    command line: "C:\Windows\SysWOW64\autochk.exe"

  C:\Windows\SysWOW64\autochk.exe
    command line: "C:\Windows\SysWOW64\autochk.exe"

  C:\Windows\SysWOW64\autochk.exe
    command line: "C:\Windows\SysWOW64\autochk.exe"

  (four autochk.exe instances are spawned from Explorer.EXE with no flagged behaviour; the next child, colorcpl.exe, is the one that ends up hosting the payload, see the Xloader Payload hits for PID 1428)

  C:\Windows\SysWOW64\colorcpl.exe
    command line: "C:\Windows\SysWOW64\colorcpl.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"
      - Deletes itself
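The signature records and the process tree above are flattened Triage output, and the interesting facts are spread across them: which process set the thread context of which, that two of those writes land in Explorer.EXE (a process neither writer created), and that the chain ends with a Defender exclusion for the dropper and a cmd.exe that deletes it. The script below is an added example, not part of the original report and not Triage code: it re-encodes a handful of the records above as constructed input strings (same PIDs, images and command lines), parses them with regexes of my own, and derives the injection chain, the foreign-process thread-context writes, and the two defence-evasion command lines. The record layout it parses is the one visible on this page; it is not a general Triage parser.

```python
"""Derive the injection chain and defence-evasion steps from flattened
Triage-style records.  Added example built on the records shown in this
report; regexes, function names and tuple layout are assumptions of mine."""
import re
from collections import defaultdict

# Constructed from the SetThreadContext / WriteProcessMemory records above
# (same PIDs and image names; a subset is enough to show the logic).
SIGNATURE_RECORDS = """
PID 1704 set thread context of 1292 1704 REE20212110575259OCT.exe REE20212110575259OCT.exe
PID 1292 set thread context of 1264 1292 REE20212110575259OCT.exe Explorer.EXE
PID 1428 set thread context of 1264 1428 colorcpl.exe Explorer.EXE
PID 1704 wrote to memory of 1972 1704 REE20212110575259OCT.exe powershell.exe
PID 1704 wrote to memory of 1292 1704 REE20212110575259OCT.exe REE20212110575259OCT.exe
PID 1264 wrote to memory of 1428 1264 Explorer.EXE colorcpl.exe
PID 1428 wrote to memory of 1672 1428 colorcpl.exe cmd.exe
"""

# Constructed from the process tree above: (pid, parent pid, image, command line).
PROCESS_TREE = [
    (1264, None, "Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (1704, 1264, "REE20212110575259OCT.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"'),
    (1972, 1704, "powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
     r'-ExclusionPath "C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"'),
    (1292, 1704, "REE20212110575259OCT.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"'),
    (1428, 1264, "colorcpl.exe", r'"C:\Windows\SysWOW64\colorcpl.exe"'),
    (1672, 1428, "cmd.exe", r'/c del "C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"'),
]

SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"

# "PID <src> <verb> <dst> <src> <src image> <dst image>" as the report prints it.
RECORD_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) (?P<dst>\d+) "
    r"(?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)$"
)
DEFENDER_EXCLUSION_RE = re.compile(
    r'Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\s+"?([^"]+)', re.I)
SELF_DELETE_RE = re.compile(r'/c\s+del\s+"?([^"]+)', re.I)


def parse_records(text):
    """Return (verb, src_pid, dst_pid, src_image, dst_image) tuples."""
    events = []
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            events.append((m["verb"], int(m["src"]), int(m["dst"]),
                           m["src_image"], m["dst_image"]))
    return events


def injection_chain(events, start_pid):
    """Follow SetThreadContext edges from start_pid: each hop is the process
    whose execution the previous one redirected (hollowing or injection)."""
    ctx = defaultdict(list)
    for verb, src, dst, _, _ in events:
        if verb.startswith("set thread context"):
            ctx[src].append(dst)
    chain, seen, pid = [start_pid], {start_pid}, start_pid
    while ctx.get(pid) and ctx[pid][0] not in seen:
        pid = ctx[pid][0]
        chain.append(pid)
        seen.add(pid)
    return chain


def foreign_context_writes(events, tree):
    """Thread-context changes whose target the writer did not spawn.
    1704 -> 1292 is a parent hollowing its own child and is not reported;
    1292 -> 1264 and 1428 -> 1264 target Explorer.EXE and are."""
    ppid = {pid: parent for pid, parent, _, _ in tree}
    return [(src, dst, dst_image) for verb, src, dst, _, dst_image in events
            if verb.startswith("set thread context") and ppid.get(dst) != src]


def defence_evasion(tree, sample_path):
    """Flag a Defender exclusion and a `cmd /c del` of the original sample."""
    hits = []
    for pid, _, _, cmdline in tree:
        m = DEFENDER_EXCLUSION_RE.search(cmdline)
        if m:
            hits.append(("defender_exclusion", pid, m.group(1)))
        m = SELF_DELETE_RE.search(cmdline)
        if m and m.group(1).lower() == sample_path.lower():
            hits.append(("self_delete", pid, m.group(1)))
    return hits


def summarize():
    events = parse_records(SIGNATURE_RECORDS)
    return {
        "chain": injection_chain(events, 1704),
        "foreign_context_writes": foreign_context_writes(events, PROCESS_TREE),
        "defence_evasion": defence_evasion(PROCESS_TREE, SAMPLE_PATH),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Run stand-alone it prints the chain 1704 -> 1292 -> 1264, the two writes into Explorer.EXE, and the exclusion plus the self-delete. The parent-pid check in `foreign_context_writes` is the part worth reusing: a parent redirecting its own child is the ordinary hollowing pattern, whereas a thread-context write into a process the writer never created (here the desktop shell) is the hop that moves the payload out of the dropper's lineage and is what a detection should key on.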
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps)

  dump                                                              size
  memory/1264-69-0x0000000004A20000-0x0000000004B0B000-memory.dmp   940KB
  memory/1264-80-0x0000000006CE0000-0x0000000006E4D000-memory.dmp   1.4MB
  memory/1292-63-0x0000000000400000-0x0000000000429000-memory.dmp   164KB
  memory/1292-67-0x0000000000C30000-0x0000000000F33000-memory.dmp   3.0MB
  memory/1292-68-0x0000000000180000-0x0000000000191000-memory.dmp   68KB
  memory/1292-64-0x000000000041D3B0-mapping.dmp                     (mapping)
  memory/1292-61-0x0000000000400000-0x0000000000429000-memory.dmp   164KB
  memory/1292-62-0x0000000000400000-0x0000000000429000-memory.dmp   164KB
  memory/1428-79-0x0000000001E40000-0x0000000001ED0000-memory.dmp   576KB
  memory/1428-78-0x0000000002250000-0x0000000002553000-memory.dmp   3.0MB
  memory/1428-73-0x0000000000000000-mapping.dmp                     (mapping)
  memory/1428-75-0x0000000000890000-0x00000000008A8000-memory.dmp   96KB
  memory/1428-76-0x0000000000080000-0x00000000000A9000-memory.dmp   164KB
  memory/1672-77-0x0000000000000000-mapping.dmp                     (mapping)
  memory/1704-54-0x0000000000BA0000-0x0000000000BA1000-memory.dmp   4KB
  memory/1704-59-0x0000000004E60000-0x0000000004EAB000-memory.dmp   300KB
  memory/1704-58-0x0000000004E20000-0x0000000004E21000-memory.dmp   4KB
  memory/1704-57-0x0000000000420000-0x0000000000427000-memory.dmp   28KB
  memory/1704-56-0x0000000075821000-0x0000000075823000-memory.dmp   8KB
  memory/1972-60-0x0000000000000000-mapping.dmp                     (mapping)
  memory/1972-70-0x00000000023C0000-0x000000000300A000-memory.dmp   12.3MB
  memory/1972-71-0x00000000023C0000-0x000000000300A000-memory.dmp   12.3MB
  memory/1972-72-0x00000000023C0000-0x000000000300A000-memory.dmp   12.3MB