Analysis
  max time kernel: 136s
  max time network: 138s
  platform: windows7_x64
  resource: win7-en-20210920
  submitted: 01-11-2021 19:03
  Static task: static1
  Behavioral task: behavioral1
  Sample: PO410.EXE
  Resource: win7-en-20210920
General
  Target: PO410.EXE
  Size: 510KB
  MD5: ad7186322cdd40e2b1b1611e483f7f3d
  SHA1: 6d21feb43f067ed236788e66c15e7dd0fe80de89
  SHA256: daeedbdae991fad156f54e821b3bb18763922f0cff3b7331e23ae6bce40a4cc4
  SHA512: b753101e66b98d6e99318ba958c5accc2dfb98b485d0176cd0d5665149bf732222d6082af4a9bba6f2a3b33d9f97b75fec0300419fe4a7373aac98ec800541fc
Malware Config
  Extracted: xloader 2.5
  hpin
  http://www.smgraphicdesign.com/hpin/
Signatures

Xloader Payload (3 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/820-56-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
  behavioral1/memory/820-57-0x000000000041D480-mapping.dmp                     xloader
  behavioral1/memory/820-61-0x0000000000400000-0x0000000000429000-memory.dmp   xloader

Loads dropped DLL (1 IoC)
  pid  process
  368  PO410.EXE

Suspicious use of SetThreadContext (3 IoCs)
  description                           pid  process    target process
  PID 368 set thread context of 820     368  PO410.EXE  PO410.EXE
  PID 820 set thread context of 1356    820  PO410.EXE  Explorer.EXE
  PID 820 set thread context of 1356    820  PO410.EXE  Explorer.EXE

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid  process
  820  PO410.EXE
  820  PO410.EXE
  820  PO410.EXE

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid  process
  820  PO410.EXE
  820  PO410.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid  process
  Token: SeDebugPrivilege   820  PO410.EXE

Suspicious use of WriteProcessMemory (7 IoCs)
  description                        pid  process    target process
  PID 368 wrote to memory of 820     368  PO410.EXE  PO410.EXE
  PID 368 wrote to memory of 820     368  PO410.EXE  PO410.EXE
  PID 368 wrote to memory of 820     368  PO410.EXE  PO410.EXE
  PID 368 wrote to memory of 820     368  PO410.EXE  PO410.EXE
  PID 368 wrote to memory of 820     368  PO410.EXE  PO410.EXE
  PID 368 wrote to memory of 820     368  PO410.EXE  PO410.EXE
  PID 368 wrote to memory of 820     368  PO410.EXE  PO410.EXE
Processes

1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   PID: 1356

   2. C:\Users\Admin\AppData\Local\Temp\PO410.EXE
      command line: "C:\Users\Admin\AppData\Local\Temp\PO410.EXE"
      PID: 368
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\PO410.EXE
         command line: "C:\Users\Admin\AppData\Local\Temp\PO410.EXE"
         PID: 820
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

\Users\Admin\AppData\Local\Temp\nso3D9.tmp\wsbrkczsk.dll
  MD5: 099722351dc74e898ecabce1d16a3b64
  SHA1: 3dd5c13bec54537e1f2a5081a8ce93d2ac4f0d5a
  SHA256: 1895ecc21ae7170272a3466cfc75ae8e30565155cc301f7a4ea95834f672ea37
  SHA512: a417bd75ff5b07dbb20db30537491dbcce4562c171a7bfc7a3931e0879d244930f1696d281b0dc0a8ab3802e25edf11cb752788d838e9333010847315caad39b

memory/368-54-0x0000000075A71000-0x0000000075A73000-memory.dmp
  Filesize: 8KB

memory/820-56-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB

memory/820-57-0x000000000041D480-mapping.dmp

memory/820-58-0x0000000000890000-0x0000000000B93000-memory.dmp
  Filesize: 3.0MB

memory/820-60-0x0000000000340000-0x0000000000351000-memory.dmp
  Filesize: 68KB

memory/820-61-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB

memory/820-62-0x0000000000390000-0x00000000003A1000-memory.dmp
  Filesize: 68KB