Analysis
max time kernel: 149s
max time network: 149s
platform: windows10_x64
resource: win10-en-20211014
submitted: 29-10-2021 18:23
Static task: static1
Behavioral task: behavioral1
Sample: Rfq#001.exe
Resource: win7-en-20210920
General
Target: Rfq#001.exe
Size: 266KB
MD5: 8f558dc1338758e9fda83eab8ba9e7a9
SHA1: abbc4650a4ba5a91ffa99bbd0c1238d0e6e166a7
SHA256: cd89124cf3f0de7157d5f500b1dd20603a19ed890773d9cb9b1d1ea5b5372005
SHA512: d67fc009cc4d95f604540927601e9558432940b2bcefc126967f2dca4aefaa52761758c464cbe7ae42b6fb75305d721a814dbfedf48867df54d6cd733f9803df
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: unzn
C2: http://www.davanamays.com/unzn/
Decoy domains:
xiulf.com
highcountrymortar.com
523561.com
marketingagency.tools
ganmovie.net
nationaalcontactpunt.com
sirrbter.com
begizas.xyz
missimi-fashion.com
munixc.info
daas.support
spaceworbc.com
faithtruthresolve.com
gymkub.com
thegrayverse.xyz
artisanmakefurniture.com
029tryy.com
ijuubx.biz
iphone13promax.club
techuniversus.com
samrgov.xyz
grownupcurl.com
sj0755.net
beekeeperkit.com
richessesabondantes.com
xclgjgjh.net
webworkscork.com
vedepviet365.com
bretabeameven.com
cdzsmhw.com
clearperspective.biz
tigrg5g784sh.biz
bbezan011.xyz
mycar.store
mansooralobeidli.com
ascensionmemberszoom.com
unlimitedrehab.com
wozka.top
askylarkgoods.com
rj793.com
prosvalor.com
primetimeexpress.com
boixosnoisperu.com
mmasportgear.com
concertiranian.net
hyponymys.info
maila.one
yti0fyic.xyz
shashiprayag.com
speedprosmotorsports.com
westchestercountyjunkcars.com
patienceinmypocket.com
rausachbaoloc.com
plexregroup.com
outsydercs.com
foodandflour.com
lenacrypto.xyz
homeservicetoday.net
marthaperry.com
vmtcyd4q8.com
shamefulguys.com
loccssol.store
gnarledportra.xyz
042atk.xyz
Signatures

Xloader Payload (3 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/3104-116-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
  behavioral2/memory/3104-117-0x000000000041D430-mapping.dmp                    xloader
  behavioral2/memory/3956-125-0x0000000000BC0000-0x0000000000BE9000-memory.dmp  xloader

Loads dropped DLL (1 IoC)
  pid   process
  2724  Rfq#001.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   process      target process
  PID 2724 set thread context of 3104  2724  Rfq#001.exe  Rfq#001.exe
  PID 3104 set thread context of 3020  3104  Rfq#001.exe  Explorer.EXE
  PID 3956 set thread context of 3020  3956  NETSTAT.EXE  Explorer.EXE

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  pid   process
  3956  NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses (60 IoCs)
  pid   process
  3104  Rfq#001.exe   (4 entries)
  3956  NETSTAT.EXE   (all remaining entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   process
  3020  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   process
  3104  Rfq#001.exe   (3 entries)
  3956  NETSTAT.EXE   (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  3104  Rfq#001.exe
  Token: SeDebugPrivilege  3956  NETSTAT.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   process       target process
  PID 2724 wrote to memory of 3104  2724  Rfq#001.exe   Rfq#001.exe    (6 entries)
  PID 3020 wrote to memory of 3956  3020  Explorer.EXE  NETSTAT.EXE    (3 entries)
  PID 3956 wrote to memory of 1304  3956  NETSTAT.EXE   cmd.exe        (3 entries)
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Rfq#001.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Rfq#001.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Rfq#001.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Rfq#001.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\NETSTAT.EXE
    command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Rfq#001.exe"
Downloads

\Users\Admin\AppData\Local\Temp\nskC381.tmp\yaxgxn.dll
  MD5: b8ecf1e913206c0ecdf268d2b81d4c49
  SHA1: 9696ff333c746290b27bc16b54b3fd3d8ee3f4b2
  SHA256: 60e1d0dd0ff15ea6d5c4abcae31e7c6f643dac85d3ac5d2d29c1f8a13e6275a0
  SHA512: 27c6ac947bda457ae6c003aea3b00febdb936bf52f069b418ac67ede4d8a6f11ed1623e84daa4b81d161f0702c07631c3b0f635fb076b48b0486a621b96dec86

memory/1304-123-0x0000000000000000-mapping.dmp

memory/3020-128-0x00000000067C0000-0x0000000006927000-memory.dmp
  Filesize: 1.4MB

memory/3020-121-0x0000000005F40000-0x00000000060A1000-memory.dmp
  Filesize: 1.4MB

memory/3104-116-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB

memory/3104-117-0x000000000041D430-mapping.dmp

memory/3104-120-0x00000000009E0000-0x00000000009F1000-memory.dmp
  Filesize: 68KB

memory/3104-119-0x0000000000A20000-0x0000000000D40000-memory.dmp
  Filesize: 3.1MB

memory/3956-122-0x0000000000000000-mapping.dmp

memory/3956-126-0x00000000034F0000-0x0000000003810000-memory.dmp
  Filesize: 3.1MB

memory/3956-125-0x0000000000BC0000-0x0000000000BE9000-memory.dmp
  Filesize: 164KB

memory/3956-127-0x0000000003350000-0x00000000033E0000-memory.dmp
  Filesize: 576KB

memory/3956-124-0x0000000000E10000-0x0000000000E1B000-memory.dmp
  Filesize: 44KB