Analysis
max time kernel: 210s
max time network: 376s
platform: windows11_x64
resource: win11
submitted: 21-10-2021 12:23
Static task: static1
Behavioral task behavioral1: sample 371c76d36256463a54d34e12d6741720.exe, resource win7-ja-20210920
Behavioral task behavioral2: sample 371c76d36256463a54d34e12d6741720.exe, resource win7-en-20210920
Behavioral task behavioral3: sample 371c76d36256463a54d34e12d6741720.exe, resource win7-de-20211014
Behavioral task behavioral4: sample 371c76d36256463a54d34e12d6741720.exe, resource win11
Behavioral task behavioral5: sample 371c76d36256463a54d34e12d6741720.exe, resource win10-ja-20211014
Behavioral task behavioral6: sample 371c76d36256463a54d34e12d6741720.exe, resource win10-en-20210920
Behavioral task behavioral7: sample 371c76d36256463a54d34e12d6741720.exe, resource win10-de-20210920
General
Target: 371c76d36256463a54d34e12d6741720.exe
Size: 251KB
MD5: 371c76d36256463a54d34e12d6741720
SHA1: 41843093a5b3a7f5712abd30937004b203851252
SHA256: 4de35ea5d1f54708e27e4806246a6c9d9b2217cfef24c7b2321a8f6026c5d98c
SHA512: f2e87fb4628a8b413ced0d92bcedafc4667e8655ac2c13fa15b7f806ddd19daec919003da80f4157f83e5a24b24a4ccac98c2dfd351227b6a549443c8e7c5759
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: m5cw
C2: http://www.art-for-a-cause.com/m5cw/
Signatures
Xloader Payload 1 IoCs
Processes:
resource behavioral4/memory/1692-151-0x0000000000400000-0x0000000000429000-memory.dmp, yara_rule xloader
Sets service image path in registry 2 TTPs
Loads dropped DLL 1 IoCs
Processes:
pid 3300 371c76d36256463a54d34e12d6741720.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
PID 3300 (371c76d36256463a54d34e12d6741720.exe) set thread context of 1692 (371c76d36256463a54d34e12d6741720.exe)
Drops file in Windows directory 8 IoCs
Processes:
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
File opened for modification C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
File opened for modification C:\Windows\WinSxS\pending.xml (TiWorker.exe)
File opened for modification C:\Windows\WindowsUpdate.log (svchost.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (svchost.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (svchost.exe)
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid 1692 371c76d36256463a54d34e12d6741720.exe
pid 1692 371c76d36256463a54d34e12d6741720.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
PID 3300 (371c76d36256463a54d34e12d6741720.exe) wrote to memory of 1692 (371c76d36256463a54d34e12d6741720.exe)
PID 3300 (371c76d36256463a54d34e12d6741720.exe) wrote to memory of 1692 (371c76d36256463a54d34e12d6741720.exe)
PID 3300 (371c76d36256463a54d34e12d6741720.exe) wrote to memory of 1692 (371c76d36256463a54d34e12d6741720.exe)
PID 3300 (371c76d36256463a54d34e12d6741720.exe) wrote to memory of 1692 (371c76d36256463a54d34e12d6741720.exe)
PID 3300 (371c76d36256463a54d34e12d6741720.exe) wrote to memory of 1692 (371c76d36256463a54d34e12d6741720.exe)
PID 3300 (371c76d36256463a54d34e12d6741720.exe) wrote to memory of 1692 (371c76d36256463a54d34e12d6741720.exe)
PID 1864 (svchost.exe) wrote to memory of 2164 (MoUsoCoreWorker.exe)
PID 1864 (svchost.exe) wrote to memory of 2164 (MoUsoCoreWorker.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\371c76d36256463a54d34e12d6741720.exe (command line: "C:\Users\Admin\AppData\Local\Temp\371c76d36256463a54d34e12d6741720.exe")
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\371c76d36256463a54d34e12d6741720.exe (command line: "C:\Users\Admin\AppData\Local\Temp\371c76d36256463a54d34e12d6741720.exe")
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\WaaSMedicAgent.exe (command line: C:\Windows\System32\WaaSMedicAgent.exe 8d45c801146088e00e2c8e6ae8cb319a yHPgqmqVy0SwL0XrNvskGw.0.1.0.3.0)
  - Modifies data under HKEY_USERS
- C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv)
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc)
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\uus\AMD64\MoUsoCoreWorker.exe (command line: C:\Windows\uus\AMD64\MoUsoCoreWorker.exe)
- C:\Windows\System32\sihclient.exe (command line: C:\Windows\System32\sihclient.exe /cv yHPgqmqVy0SwL0XrNvskGw.0.2)
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe (command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe -Embedding)
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WaaSMedicAgent.exe (command line: C:\Windows\System32\WaaSMedicAgent.exe 8d45c801146088e00e2c8e6ae8cb319a yHPgqmqVy0SwL0XrNvskGw.0.1.0.3.0)
  - Modifies data under HKEY_USERS
- C:\Windows\System32\WaaSMedicAgent.exe (command line: C:\Windows\System32\WaaSMedicAgent.exe 8d45c801146088e00e2c8e6ae8cb319a yHPgqmqVy0SwL0XrNvskGw.0.1.0.3.0)
  - Modifies data under HKEY_USERS
Downloads
- C:\Users\Admin\AppData\Local\Temp\nsqFCAB.tmp\ztqv.dll
  MD5: 97d84d39bb68b5a29e976b40d7d0a00c
  SHA1: cf4c09487fffb9ace9ab6b82f33da0d5a851ef1c
  SHA256: 5b29c5ee49d9cdde15d88a9e4f8f6b4bba9e2dc4ec65c02d734726fe0f2952c8
  SHA512: aab5b8831538f96c00e77f16349065bfaa93e7b25206a6d5fe0871f518f38ae31437f2f9f93f36f488e1869eaf97dd4697a282d726ce9a292cf4276242733546
- memory/788-146-0x000001EB42B20000-0x000001EB42B30000-memory.dmp (filesize 64KB)
- memory/788-147-0x000001EB42BA0000-0x000001EB42BB0000-memory.dmp (filesize 64KB)
- memory/788-148-0x000001EB45290000-0x000001EB45294000-memory.dmp (filesize 16KB)
- memory/1692-150-0x0000000000000000-mapping.dmp
- memory/1692-151-0x0000000000400000-0x0000000000429000-memory.dmp (filesize 164KB)
- memory/1692-152-0x0000000000C20000-0x0000000000F76000-memory.dmp (filesize 3.3MB)
- memory/2164-153-0x0000000000000000-mapping.dmp