Analysis
- max time kernel: 120s
- max time network: 123s
- submitted: 01-01-1970 00:00
- Static task: static1
- Behavioral task: behavioral1
- Sample: 0e03abdcfc2280af3abae47683c0368a.exe
- Resource: win7-en-20210920
General
- Target: 0e03abdcfc2280af3abae47683c0368a.exe
- Size: 421KB
- MD5: 0e03abdcfc2280af3abae47683c0368a
- SHA1: 8b25868c70d66c3aafc37e400ca3af4d117e7bd5
- SHA256: 9205523ee331f11fbe9fb30fa72a45ed45ed2eb5f92b26f01b9e26774264e9d5
- SHA512: 54affd451f4ff96c85d770c9c65587732f53c6d4a17355e54f6fc2eacfe4584bb3400f7235aa8c2c83619a97b694284a33916f62b9166f137dfcc6cbfb6a1a8b
Malware Config
Extracted
xloader
2.5
dnz9
http://www.mykigey5.xyz/dnz9/
Signatures
- Xloader Payload 2 IoCs
  Processes (resource | yara_rule):
  behavioral1/memory/856-56-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral1/memory/856-57-0x000000000041D490-mapping.dmp | xloader
- Loads dropped DLL 1 IoCs
  Processes (pid | process):
  836 | 0e03abdcfc2280af3abae47683c0368a.exe
- Suspicious use of SetThreadContext 1 IoCs
  Processes (description | pid | process | target process):
  PID 836 set thread context of 856 | 836 | 0e03abdcfc2280af3abae47683c0368a.exe | 0e03abdcfc2280af3abae47683c0368a.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses 1 IoCs
  Processes (pid | process):
  856 | 0e03abdcfc2280af3abae47683c0368a.exe
- Suspicious use of WriteProcessMemory 7 IoCs
  Processes (description | pid | process | target process):
  PID 836 wrote to memory of 856 | 836 | 0e03abdcfc2280af3abae47683c0368a.exe | 0e03abdcfc2280af3abae47683c0368a.exe (7 identical events)
Processes
- 1. C:\Users\Admin\AppData\Local\Temp\0e03abdcfc2280af3abae47683c0368a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e03abdcfc2280af3abae47683c0368a.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - 2. C:\Users\Admin\AppData\Local\Temp\0e03abdcfc2280af3abae47683c0368a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0e03abdcfc2280af3abae47683c0368a.exe"
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsyCE77.tmp\fejywy.dll
  MD5: 96ac5399552c74027b0869aa85c04b90
  SHA1: 4b499e53790ac158cf3cb6d368d83772f986ea60
  SHA256: 90cdf6d580cbce5bd78813c80da4df0fffb2ec78ffe1829169799812e4b91739
  SHA512: 98b77f682f30f6a842b12bcd74602a8e9fc092c178dfbc0af7038199d403f7adc8125afca3a66b9d3f27d45733e65a86ae87f8012a4439654062615451b0b66d
- memory/836-54-0x0000000075821000-0x0000000075823000-memory.dmp
  Filesize: 8KB
- memory/856-56-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/856-57-0x000000000041D490-mapping.dmp
- memory/856-58-0x00000000008D0000-0x0000000000BD3000-memory.dmp
  Filesize: 3.0MB