Analysis

Max time kernel: 148s
Max time network: 149s
Platform: windows10_x64
Resource: win10-en-20210920
Submitted: 22-10-2021 08:08

Static task: static1
Behavioral task: behavioral1
Sample: 1.exe
Resource: win7-en-20211014
General

Target: 1.exe
Size: 416KB
MD5: 1a3bcd7f400b0d7a37166c1c5af7f886
SHA1: a654cdfc29951ac2e77af3fbbbd7160b5205c8f9
SHA256: fe63755f7b7c30e933cb3897136a75a7d1903ca044a04ef9bd91d426596f279d
SHA512: 47974116e9b5b0cc6407fe7c651619b6fef5af7df0190d3b4e5c906a1520ed66ae7e4e1af6e578bf93af9dbd3625845678fd834aea15db9082dad2abbd77f69f
Malware Config

Extracted
Family: xloader
Version: 2.5
Campaign: iaop
C2: http://www.georgeinnhatherleigh.com/iaop/
Decoy domains:
oosakichi.com
group1beadles.com
navegadorexclusivo.digital
awefca.xyz
strakerwilliams.com
stone-img.com
radialodge.com
tequesquitengo.net
humanegardens.com
rubberyporqjp.xyz
farazkhak.com
gfsexpornvideos.com
stealth-carrier.com
hemtpi.xyz
tygcj.com
agileiance.com
ioan316.com
kitchendesigns.xyz
shannacarolphotography.com
oheytech88.net
dashiter.com
zijinmenhu.com
dmfiller.com
amberchee.com
farmaciaepspllu.com
help-kmcsupport.com
naxek.com
yuumgo.academy
baopishuizhong.com
appcast-64.com
vpm-vektra.com
privygym.com
texascyclerepair.com
queerstakepool.com
maxicashprokil.xyz
enchantbnuyxc.xyz
heyunshangcheng.info
blockchainsupport.company
consultoriathayanechlad.com
cigreencig.com
enriquelopez.net
ultimateexitstrategy.com
jesuspodcast.biz
wecuxs.com
louroblottoyof2.xyz
12monthmillionairetraining.com
autoecoleamiens.com
kokko-kids.com
uniquecarbonbrush.com
fardaruilen.quest
generalcontractortheodoreal.com
kare-furniture.com
odnglobal.com
rihaltravels.com
jdlpcpa.com
websupportoutlook.com
sonyagivensrealty.com
johnmcnamaraimages.net
fa7777.xyz
northvisiondigital.com
docteurhouyengah.com
contactcenter7.email
lebenohnefleisch.com
sign-egypt.com
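The config above has the XLoader/Formbook shape: one real C2 URL whose path (/iaop/) is the campaign id, plus a list of decoy domains that the implant also contacts with the same path so the real server is buried in noise. Most decoys are legitimate sites, so a bare hit on a decoy domain is weak evidence; the indicator worth hunting on is decoy domain plus campaign path. The script below is an added example and not part of the sandbox report: it derives the indicators from the extracted config (C2 URL and a subset of the decoy list copied from above) and scores proxy-log lines. The log format, client addresses and the log lines themselves are constructed for the example.

```python
"""Hunt proxy logs for the XLoader campaign path across C2 and decoy domains.

Added example, not part of the sandbox report. C2_URL and DECOY_DOMAINS are
copied from the extracted config above (decoy list truncated); SAMPLE_LOG and
its format are constructed for this example.
"""
from urllib.parse import urlsplit

C2_URL = "http://www.georgeinnhatherleigh.com/iaop/"
DECOY_DOMAINS = [
    "oosakichi.com", "group1beadles.com", "navegadorexclusivo.digital",
    "awefca.xyz", "strakerwilliams.com", "stone-img.com",
]

# Constructed proxy log (not from the sandbox): <epoch> <client> <method> <url> <status>
SAMPLE_LOG = """\
1634890100 10.0.0.15 GET http://www.georgeinnhatherleigh.com/iaop/ 200
1634890101 10.0.0.15 POST http://www.oosakichi.com/iaop/ 404
1634890102 10.0.0.22 GET http://stone-img.com/ 200
1634890103 10.0.0.15 GET http://www.awefca.xyz/iaop/?q=1 503
1634890104 10.0.0.31 GET http://example.com/iaop/ 200
"""


def normalize(host):
    """Lower-case and drop a leading 'www.' so config domains and log hosts compare equal."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def campaign_indicators(c2_url, decoy_domains):
    """Derive (campaign path, c2 domain, decoy domain set) from the config."""
    parts = urlsplit(c2_url)
    return parts.path, normalize(parts.hostname), {normalize(d) for d in decoy_domains}


def hunt(log_text, c2_url, decoy_domains):
    """Return (timestamp, client, host, verdict) for every request touching a config domain.

    verdict "c2"     configured C2 domain with the campaign path (strongest)
            "decoy"  decoy domain with the campaign path (strong: path is campaign-specific)
            "domain" config domain without the path (weak: decoys are mostly real sites)
    """
    path, c2_domain, decoys = campaign_indicators(c2_url, decoy_domains)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status = line.split()
        parts = urlsplit(url)
        host = normalize(parts.hostname)
        on_path = parts.path.startswith(path)
        if host == c2_domain and on_path:
            verdict = "c2"
        elif host in decoys and on_path:
            verdict = "decoy"
        elif host == c2_domain or host in decoys:
            verdict = "domain"
        else:
            continue
        hits.append((int(ts), client, host, verdict))
    return hits


def clients_to_triage(hits):
    """Clients that hit the campaign path on any config domain; 'domain'-only hits are excluded."""
    return {client for _ts, client, _host, verdict in hits if verdict in ("c2", "decoy")}


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG, C2_URL, DECOY_DOMAINS)
    for ts, client, host, verdict in found:
        print(f"{ts} {client:<10} {host:<32} {verdict}")
    print("triage:", sorted(clients_to_triage(found)))
```

The 'domain' verdict is kept in the output only so an analyst can see that a host appeared in the decoy list; it should not page anyone on its own, since the decoy list is largely populated with unrelated legitimate sites.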
Signatures

Xloader Payload (3 IoCs)
YARA rule "xloader" matched in:
  behavioral2/memory/3816-116-0x0000000000400000-0x0000000000429000-memory.dmp
  behavioral2/memory/3816-117-0x000000000041D4E0-mapping.dmp
  behavioral2/memory/460-124-0x0000000002F30000-0x0000000002F59000-memory.dmp

Loads dropped DLL (1 IoC)
  PID 2820  1.exe

Suspicious use of SetThreadContext (3 IoCs)
  PID 2820 (1.exe)         set thread context of 3816 (1.exe)
  PID 3816 (1.exe)         set thread context of 2648 (Explorer.EXE)
  PID 460  (NETSTAT.EXE)   set thread context of 2648 (Explorer.EXE)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(This is the sandbox's generic description for the signature; nothing else in this report, which records a single dropped loader DLL and no ransom note, points to file encryption.)

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
  PID 460  NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses (62 IoCs)
  PID 3816  1.exe         (4 events)
  PID 460   NETSTAT.EXE   (58 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2648  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  PID 3816  1.exe         (3 events)
  PID 460   NETSTAT.EXE   (2 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  PID 3816  1.exe         Token: SeDebugPrivilege
  PID 460   NETSTAT.EXE   Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2820 (1.exe)         wrote to memory of 3816 (1.exe)        (6 events)
  PID 2648 (Explorer.EXE)  wrote to memory of 460 (NETSTAT.EXE)   (3 events)
  PID 460  (NETSTAT.EXE)   wrote to memory of 376 (cmd.exe)       (3 events)
Processes

C:\Windows\Explorer.EXE  (PID 2648)
  "C:\Windows\Explorer.EXE"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\1.exe  (PID 2820)
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\1.exe  (PID 3816)
      "C:\Users\Admin\AppData\Local\Temp\1.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\NETSTAT.EXE  (PID 460)
    "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 376)
      /c del "C:\Users\Admin\AppData\Local\Temp\1.exe"
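Read together, the SetThreadContext and WriteProcessMemory signatures and the process tree describe one chain: 1.exe (2820) starts a second copy of itself (3816) and overwrites it in memory, 3816 sets thread context in Explorer.EXE (2648), Explorer launches NETSTAT.EXE (460), NETSTAT injects back into Explorer, and finally cmd.exe (376) deletes the original file from Temp. The script below is an added example, not part of the sandbox report: it parses the report's own event lines (copied from the two signatures above, duplicate write lines collapsed) and reconstructs that chain, flagging the same-image hollowing and the spawn-then-inject-back pattern. The labels "hollowing", "context_hijack" and "spawn_write" are names chosen for this example.

```python
"""Reconstruct the injection chain from the SetThreadContext / WriteProcessMemory
signature lines of the sandbox report.

Added example, not part of the original report. EVENT_TEXT copies the report's
event lines (duplicate WriteProcessMemory lines collapsed); the labels used in
classify_pairs are this example's own.
"""
import re
from collections import defaultdict

# Report line format: PID <src> <action> <dst> <src> <src image> <dst image>
EVENT_TEXT = """
PID 2820 set thread context of 3816 2820 1.exe 1.exe
PID 3816 set thread context of 2648 3816 1.exe Explorer.EXE
PID 460 set thread context of 2648 460 NETSTAT.EXE Explorer.EXE
PID 2820 wrote to memory of 3816 2820 1.exe 1.exe
PID 2648 wrote to memory of 460 2648 Explorer.EXE NETSTAT.EXE
PID 460 wrote to memory of 376 460 NETSTAT.EXE cmd.exe
"""

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)"
)


def parse_events(text):
    """Return (src_pid, dst_pid, api, src_image, dst_image) for each event line."""
    events = []
    for m in EVENT_RE.finditer(text):
        api = "SetThreadContext" if m["action"].startswith("set") else "WriteProcessMemory"
        events.append((int(m["src"]), int(m["dst"]), api, m["src_img"], m["dst_img"]))
    return events


def classify_pairs(events):
    """Collapse events per (src, dst) pair and label the pattern.

    hollowing       write + SetThreadContext into a process with the same image
                    (the first 1.exe replacing a suspended copy of itself)
    context_hijack  SetThreadContext into an already running foreign process
                    (the sandbox logged no write for 3816 -> Explorer.EXE)
    spawn_write     write only, parent into child: a CreateProcess side effect
                    that matters only in combination with the other edges
    """
    apis = defaultdict(set)
    images = {}
    for src, dst, api, src_img, dst_img in events:
        apis[(src, dst)].add(api)
        images[(src, dst)] = (src_img, dst_img)
    labelled = {}
    for pair, seen in apis.items():
        src_img, dst_img = images[pair]
        if seen == {"WriteProcessMemory", "SetThreadContext"} and src_img.lower() == dst_img.lower():
            label = "hollowing"
        elif "SetThreadContext" in seen:
            label = "context_hijack"
        else:
            label = "spawn_write"
        labelled[pair] = (label, src_img, dst_img)
    return labelled


def find_bounce(labelled):
    """Flag a process that was spawned by X (write edge X -> child) and then
    set thread context back into X; here Explorer.EXE -> NETSTAT.EXE -> Explorer.EXE."""
    bounces = []
    for (src, dst), (label, src_img, dst_img) in labelled.items():
        back = labelled.get((dst, src))
        if label == "spawn_write" and back and back[0] == "context_hijack":
            bounces.append((src, dst, src_img, dst_img))
    return bounces


def injection_chain(labelled):
    """Longest simple src -> dst path starting from a process nobody injected into."""
    outgoing = defaultdict(list)
    inbound = set()
    for src, dst in labelled:
        outgoing[src].append(dst)
        inbound.add(dst)
    roots = sorted(pid for pid in list(outgoing) if pid not in inbound)
    best = []

    def walk(pid, path):
        nonlocal best
        if len(path) > len(best):
            best = list(path)
        for nxt in outgoing.get(pid, []):
            if nxt not in path:
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    for root in roots:
        walk(root, [root])
    return best


if __name__ == "__main__":
    labelled = classify_pairs(parse_events(EVENT_TEXT))
    for (src, dst), (label, s_img, d_img) in labelled.items():
        print(f"{src:>5} {s_img:<12} -> {dst:>5} {d_img:<12} {label}")
    print("bounce:", find_bounce(labelled))
    print("chain :", " -> ".join(map(str, injection_chain(labelled))))
```

The repeated write lines in the report are multiple WriteProcessMemory calls against the same target during one injection, which is why the script keys on the (src, dst) pair rather than counting events; the child-injects-back-into-parent edge is the feature that separates this family's chain from an ordinary parent writing to a child it just created.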
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\Users\Admin\AppData\Local\Temp\nsmA1A1.tmp\wvhivcwcy.dll
(a randomly named DLL in an ns*.tmp directory, consistent with an NSIS installer unpacking its plugin directory; PID 2820 loads this dropped DLL per the signature above)
MD5: 5d0d2589c6c859b43bb0e6c6b88fa767
SHA1: 4085e250109fefddf1a35b3fb3fadc66714effda
SHA256: 6de76b65e1561c0897a3261b9fe55ac75ef4d1e2456a302a9257dc38dcb81d1e
SHA512: 8ef33f865ed19fd6779e7520590bbe1aa864cc5f7e3222f314f6953abcbc7537aaf2397f0b91a720db3e220cea1c3da15ec453ea1d5bb82a7d783bf5853b68af

Memory dumps:
memory/376-125-0x0000000000000000-mapping.dmp
memory/460-122-0x0000000000000000-mapping.dmp
memory/460-123-0x0000000000E60000-0x0000000000E6B000-memory.dmp  (44KB)
memory/460-124-0x0000000002F30000-0x0000000002F59000-memory.dmp  (164KB)
memory/460-126-0x00000000038A0000-0x0000000003BC0000-memory.dmp  (3.1MB)
memory/460-127-0x0000000003700000-0x0000000003790000-memory.dmp  (576KB)
memory/2648-121-0x0000000005400000-0x0000000005526000-memory.dmp  (1.1MB)
memory/2648-128-0x0000000005530000-0x0000000005640000-memory.dmp  (1.1MB)
memory/3816-120-0x00000000004C0000-0x000000000056E000-memory.dmp  (696KB)
memory/3816-119-0x0000000000A90000-0x0000000000DB0000-memory.dmp  (3.1MB)
memory/3816-117-0x000000000041D4E0-mapping.dmp
memory/3816-116-0x0000000000400000-0x0000000000429000-memory.dmp  (164KB)