Analysis
max time kernel: 600s
max time network: 600s
platform: windows7_x64
resource: win7-de-20211014
submitted: 21-10-2021 12:23
Static task: static1
Behavioral tasks (sample 371c76d36256463a54d34e12d6741720.exe in each):
behavioral1: win7-ja-20210920
behavioral2: win7-en-20210920
behavioral3: win7-de-20211014
behavioral4: win11
behavioral5: win10-ja-20211014
behavioral6: win10-en-20210920
behavioral7: win10-de-20210920
The signatures, process tree and memory dumps below are from behavioral3 (win7-de-20211014, the resource named in the header; the YARA hit paths carry the behavioral3/ prefix).
General
Target: 371c76d36256463a54d34e12d6741720.exe
Size: 251KB
MD5: 371c76d36256463a54d34e12d6741720
SHA1: 41843093a5b3a7f5712abd30937004b203851252
SHA256: 4de35ea5d1f54708e27e4806246a6c9d9b2217cfef24c7b2321a8f6026c5d98c
SHA512: f2e87fb4628a8b413ced0d92bcedafc4667e8655ac2c13fa15b7f806ddd19daec919003da80f4157f83e5a24b24a4ccac98c2dfd351227b6a549443c8e7c5759
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign ID: m5cw
C2 URL: http://www.art-for-a-cause.com/m5cw/
Decoy domains (XLoader/FormBook configs hide the real C2 among decoys and the bot beacons to all of them, so treat every entry below as a hunting IOC):
stolpfabriken.com
aromaessentialco.com
rmcclaincpa.com
wuruixin.com
sidhyanticlasses.com
horilka.store
organic-outlaws.com
customsoftwarelogistics.com
cheryltesting.com
thecompacthomegym.com
the22yards.club
quickloanprovidersservices.com
grippyent.com
guard-usa.com
agircredit.com
classificationmetallurgie.com
quizzesandcode.com
catdanos.com
8676789.rest
gotbestshavlngplansforyou.com
supboarddesign.com
byrdemailplans.xyz
anngola.com
milelefoods.com
runawaypklyau.xyz
redesignyourpain.com
yourtv2ship.info
jxypc.com
lerjighjuij.store
spiruline-shop.com
qarziba-therapy.care
hardayumangosteen.com
freevolttech.com
xiongbaosp.xyz
balanzasdeplataforma.com
johnathanmanney.com
estcequecestgreen.com
france-temps-partage.net
fbiicrc.com
privateairjets.com
xn--5m4a23skoc.group
andrewmurnane.com
exitin90.com
depofmvz.com
bosphorus.website
aragon.store
nrnmuhendislik.com
thesharingcorporation.com
tccraft.online
carjabber.com
limitlesschurchbf.com
dazalogistics.com
x-play.club
bitterbay.net
forwardhcd.com
smance.xyz
netgearcloud.net
wellaspiron.com
heidelay.xyz
qknzutohbtro.mobi
epurhybrid.com
pelitupmukaeksklusif.com
secondave.online
lockdownshowdown.online
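The script below is an added example, not part of the sandbox report and not the malware's own code. It parses the extracted config in the flattened order the report prints it (family, version, campaign id, C2 URL, decoys) and turns it into URL IOCs and a log matcher. It assumes the documented FormBook/XLoader beacon layout http://<host>/<campaign>/..., which the report itself shows only for the first URL, and embeds a constructed subset of the domain list above; the full list is on the page.

```python
"""Turn the extracted XLoader config above into hunt-ready IOCs (added example)."""
import re
from urllib.parse import urlsplit

# Constructed: the report's C2 line plus five of its decoy domains,
# in the flattened order the sandbox prints the config.
REPORT_CONFIG = """\
xloader
2.5
m5cw
http://www.art-for-a-cause.com/m5cw/
stolpfabriken.com
aromaessentialco.com
xn--5m4a23skoc.group
8676789.rest
lockdownshowdown.online
"""

HOST_RE = re.compile(r"^[a-z0-9.-]+\.[a-z0-9-]+$")


def parse_config(text: str) -> dict:
    """Parse the flattened config block; fail loudly if it is not XLoader-shaped."""
    lines = [ln.strip().lower() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 4:
        raise ValueError("config block is too short")
    family, version, campaign, c2 = lines[:4]
    url = urlsplit(c2)
    # Assumption: the bot beacons to http://<host>/<campaign>/..., so the
    # campaign id must be the only path segment of the extracted C2 URL.
    if url.scheme != "http" or url.path != f"/{campaign}/":
        raise ValueError(f"C2 URL {c2!r} does not match campaign id {campaign!r}")
    decoys = [d for d in lines[4:] if HOST_RE.match(d)]
    return {"family": family, "version": version, "campaign": campaign,
            "c2_host": url.hostname, "decoys": decoys}


def unicode_label(host: str) -> str:
    """Decode xn-- labels for analyst display; block on the ASCII form, not this."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def candidate_c2_urls(cfg: dict) -> list[str]:
    """Every config host gets the campaign path: the real C2 hides among the
    decoys and the bot contacts all of them, so every URL is a hunting IOC."""
    seen, urls = set(), []
    for host in [cfg["c2_host"], *cfg["decoys"]]:
        host = host.rstrip(".")
        if host not in seen:
            seen.add(host)
            urls.append(f"http://{host}/{cfg['campaign']}/")
    return urls


def matches_beacon(observed_url: str, cfg: dict) -> bool:
    """True when a proxy-log URL hits a config host on the campaign path."""
    u = urlsplit(observed_url.strip())
    hosts = {urlsplit(c).hostname for c in candidate_c2_urls(cfg)}
    return (u.scheme in ("http", "https")
            and (u.hostname or "").lower() in hosts
            and u.path.startswith(f"/{cfg['campaign']}/"))


if __name__ == "__main__":
    cfg = parse_config(REPORT_CONFIG)
    print(f"{cfg['family']} {cfg['version']} campaign {cfg['campaign']}")
    for url in candidate_c2_urls(cfg):
        host = urlsplit(url).hostname
        shown = unicode_label(host)
        print(url + (f"   ({shown})" if shown != host else ""))
```

Feed the whole decoy list from the page into REPORT_CONFIG to get the full URL set; matches_beacon is the check to run over proxy logs, and it deliberately keys on the campaign path rather than the host alone, since the decoy domains are legitimate sites that may also appear in normal traffic.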
Signatures
-
Xloader Payload (2 IoCs)
resource | yara_rule
behavioral3/memory/272-57-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral3/memory/272-58-0x000000000041D4C0-mapping.dmp | xloader
-
Loads dropped DLL (1 IoC)
pid | process
916 | 371c76d36256463a54d34e12d6741720.exe
-
Suspicious use of SetThreadContext (1 IoC)
description | pid | process | target process
PID 916 set thread context of 272 | 916 | 371c76d36256463a54d34e12d6741720.exe | 371c76d36256463a54d34e12d6741720.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (The sandbox attaches that ransomware note to every hit of this generic heuristic; for this sample, which the config extractor identifies as XLoader, a credential stealer and loader, drive enumeration on its own is not evidence of ransomware.)
-
Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | process
272 | 371c76d36256463a54d34e12d6741720.exe
-
Suspicious use of WriteProcessMemory (10 IoCs)
description | pid | process | target process | events
PID 916 wrote to memory of 272 | 916 | 371c76d36256463a54d34e12d6741720.exe | 371c76d36256463a54d34e12d6741720.exe | 7
PID 1416 wrote to memory of 2040 | 1416 | taskeng.exe | default-browser-agent.exe | 3
Processes
-
C:\Users\Admin\AppData\Local\Temp\371c76d36256463a54d34e12d6741720.exe (PID 916)
  command line: "C:\Users\Admin\AppData\Local\Temp\371c76d36256463a54d34e12d6741720.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  child: C:\Users\Admin\AppData\Local\Temp\371c76d36256463a54d34e12d6741720.exe (PID 272, a second copy of the same binary that PID 916 writes into and redirects; the XLoader YARA hits are on this process's memory)
    command line: "C:\Users\Admin\AppData\Local\Temp\371c76d36256463a54d34e12d6741720.exe"
    - Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {C00E40DC-7216-478C-A2ED-E5DDAA580091} S-1-5-18:NT AUTHORITY\System:Service:
-
C:\Windows\system32\taskeng.exe (PID 1416)
  command line: taskeng.exe {185B3051-9BD7-44EA-81CF-0D7B642CAB35} S-1-5-21-2955169046-2371869340-1800780948-1000:UKNHJUQT\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  child: C:\Program Files\Mozilla Firefox\default-browser-agent.exe (PID 2040)
    command line: "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task
    (Firefox's scheduled Default Browser Agent task firing inside the VM; the taskeng.exe writes into this child are the ordinary parent-to-child writes that accompany any process launch and are unrelated to the sample)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nsdF632.tmp\ztqv.dll
MD5: 97d84d39bb68b5a29e976b40d7d0a00c
SHA1: cf4c09487fffb9ace9ab6b82f33da0d5a851ef1c
SHA256: 5b29c5ee49d9cdde15d88a9e4f8f6b4bba9e2dc4ec65c02d734726fe0f2952c8
SHA512: aab5b8831538f96c00e77f16349065bfaa93e7b25206a6d5fe0871f518f38ae31437f2f9f93f36f488e1869eaf97dd4697a282d726ce9a292cf4276242733546
(An ns####.tmp directory under %TEMP% is where NSIS installers unpack their plugins, so the sample is most likely an NSIS-wrapped dropper and ztqv.dll is the dropped DLL that PID 916 loads per the "Loads dropped DLL" signature; the hashes above identify that stage, which is the one worth pivoting on.)
-
memory/272-57-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
-
memory/272-58-0x000000000041D4C0-mapping.dmp
-
memory/272-59-0x00000000008A0000-0x0000000000BA3000-memory.dmp (3.0MB)
-
memory/916-55-0x0000000075CB1000-0x0000000075CB3000-memory.dmp (8KB)
-
memory/2040-60-0x0000000000000000-mapping.dmp