Analysis
Max time kernel: 119s
Max time network: 155s
Platform: windows10_x64
Resource: win10-en-20211014
Submitted: 03-11-2021 19:20
Static task: static1
Behavioral task: behavioral1
Sample: 36ca5751b0b2d9321215f223a18aefbf.exe
Resource: win7-en-20210920
General
Target: 36ca5751b0b2d9321215f223a18aefbf.exe
Size: 324KB
MD5: 36ca5751b0b2d9321215f223a18aefbf
SHA1: c9661ff48f2eaa2718a46b23a70a02a8461715be
SHA256: 602c4326ca0aa0a007b10241d7dae3fdbef7705e14231ba85e8635578cfdb0d4
SHA512: f698c83167eda1832e90eeed65d39883b6515c0f6c718e3ce6d517e6d230bab14b15a920f90979a2cf55c601688819deec0de2b47278a032103a22fd2fe2774c
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: ga6b
C2: http://www.egyptian-museum.com/ga6b/
Decoy domains:
diasporacospices.com
sd-shenghe.com
onlinewritingjobs.net
greenstreamgroup.store
garageair.agency
idh-bf.com
middenhavendambreskens.com
szkoleniawcag.online
wiremefeelings.com
ottosperformance.com
brothermush.com
weiserpath.com
baohiemtv24h.com
glassgalaxynft.com
spiritualmind.space
18130072012.com
3v0.space
smartgadgetscompare.com
corvusexpeditii.xyz
egcontabilidade.website
find0utnowfy.info
soulwinningministry.com
digitaldreamcloud.net
service-portal-kundendaten.com
theselectdifference.com
burodev.com
mustafacesuryildiz.com
grupodeinvestigacion.com
toyotadisurabaya.com
partnerbenifits.com
belledescontos.com
nobodybutgod.com
bumiths.com
acacave.com
septoctets.xyz
www73w.xyz
afghantattoos.com
interiorsbe.com
ara7z.com
qqcx666888.top
onra.top
sunfucker.net
suhuabo.com
tangerineinit.com
era636.com
lovenft.xyz
maviesurdvd.com
gullatz-consulting.com
duopasteleras.com
mystudentregistration.com
5559913.win
gritzcharlestonluxuryinn.store
themexicanbg.com
senshop.store
woodentoysforkids.store
globalgamelan.com
anjumanmuhibaneabbas.com
seattleinsurancebrokers.com
naiduteja049.info
traction.legal
twisteid.com
necesryaou.com
apan-group.com
infinityrope.store
Signatures

Modifies system executable filetype association (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (process: 36ca5751b0b2d9321215f223a18aefbf.exe)
Neshta
Malware from the Neshta family infects other executable files in order to spread itself and cause damage.
Xloader Payload (2 IoCs)
- behavioral2/memory/3208-122-0x0000000000400000-0x0000000000429000-memory.dmp: yara rule xloader
- behavioral2/memory/3208-123-0x000000000041D4E0-mapping.dmp: yara rule xloader
Executes dropped EXE (2 IoCs)
- PID 3032: 36ca5751b0b2d9321215f223a18aefbf.exe
- PID 3208: 36ca5751b0b2d9321215f223a18aefbf.exe

Loads dropped DLL (1 IoC)
- PID 3032: 36ca5751b0b2d9321215f223a18aefbf.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Suspicious use of SetThreadContext (1 IoC)
- PID 3032 (36ca5751b0b2d9321215f223a18aefbf.exe) set thread context of PID 3208 (36ca5751b0b2d9321215f223a18aefbf.exe)
Drops file in Program Files directory (53 IoCs)
All entries below are "File opened for modification" by process 36ca5751b0b2d9321215f223a18aefbf.exe:
- C:\PROGRA~2\WI54FB~1\setup_wm.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
- C:\PROGRA~2\Google\Update\DISABL~1.EXE
- C:\PROGRA~2\WINDOW~2\wab.exe
- C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
- C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
- C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
- C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
- C:\PROGRA~2\WI54FB~1\wmlaunch.exe
- C:\PROGRA~2\WI54FB~1\wmpshare.exe
- C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
- C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
- C:\PROGRA~2\WI54FB~1\wmpconfig.exe
- C:\PROGRA~2\WI54FB~1\wmplayer.exe
- C:\PROGRA~2\WI54FB~1\wmprph.exe
- C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
- C:\PROGRA~2\INTERN~1\ExtExport.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
- C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
- C:\PROGRA~2\INTERN~1\ielowutil.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
- C:\PROGRA~2\WINDOW~2\wabmig.exe
- C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
- C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
- C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
- C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
- C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
- C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
- C:\PROGRA~2\WINDOW~2\WinMail.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
- C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe
- C:\PROGRA~2\INTERN~1\ieinstal.exe
- C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
- C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
- C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
- C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
- C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
- C:\PROGRA~2\INTERN~1\iexplore.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
- C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
- C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
- C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
Drops file in Windows directory (1 IoC)
- File opened for modification: C:\Windows\svchost.com (process: 36ca5751b0b2d9321215f223a18aefbf.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
NSIS installer (6 IoCs)
- C:\Users\Admin\AppData\Local\Temp\3582-490\36ca5751b0b2d9321215f223a18aefbf.exe: yara rules nsis_installer_1 and nsis_installer_2 (each matched 3 times)
Modifies registry class (1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (process: 36ca5751b0b2d9321215f223a18aefbf.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 3208: 36ca5751b0b2d9321215f223a18aefbf.exe (2 hits)

Suspicious use of WriteProcessMemory (9 IoCs)
- PID 3384 (36ca5751b0b2d9321215f223a18aefbf.exe) wrote to memory of PID 3032 (36ca5751b0b2d9321215f223a18aefbf.exe) (3 times)
- PID 3032 (36ca5751b0b2d9321215f223a18aefbf.exe) wrote to memory of PID 3208 (36ca5751b0b2d9321215f223a18aefbf.exe) (6 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\36ca5751b0b2d9321215f223a18aefbf.exe (PID 3384), command line "C:\Users\Admin\AppData\Local\Temp\36ca5751b0b2d9321215f223a18aefbf.exe"
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3582-490\36ca5751b0b2d9321215f223a18aefbf.exe (PID 3032), command line "C:\Users\Admin\AppData\Local\Temp\3582-490\36ca5751b0b2d9321215f223a18aefbf.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\3582-490\36ca5751b0b2d9321215f223a18aefbf.exe (PID 3208), command line "C:\Users\Admin\AppData\Local\Temp\3582-490\36ca5751b0b2d9321215f223a18aefbf.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\3582-490\36ca5751b0b2d9321215f223a18aefbf.exe
  MD5: 2cdc3d96a11abe92e9869d888d6c1696
  SHA1: 910cb0036b3e9a2834208a2361ca28912ade8f6c
  SHA256: 34957e2abc46b8e90fa220eedbdaedd08b021f54bfbc1155069b1165858b67dd
  SHA512: dee221ce6e7d3ecc76af588897780b2c7124058e3bc8edb8c50112bde90ef28a7d3dc9557a0d6ccbc85396c748608497a6601fbbf256bd4cb2ba087cc283654b
- \Users\Admin\AppData\Local\Temp\nsv3862.tmp\tdledysx.dll
  MD5: ab2962aabbe70e27d355dacf203405e6
  SHA1: 729bb1a7412903e2574ccc129409b70cbd55e01a
  SHA256: dc3786cc8cbf1abd5261926553b407c82c97eefa6d4cafdb3c7147295a65e450
  SHA512: 3e8c94d585a02f108fd2fd0bfef3a252e196280e03a2e17e3b5d978a6d9ae5652cdfc5bc9ddd5df2f986a1d1e3fe959391be75a49e84d51771dea3d0854f3d40
- memory/3032-118-0x0000000000000000-mapping.dmp
- memory/3208-122-0x0000000000400000-0x0000000000429000-memory.dmp (filesize: 164KB)
- memory/3208-123-0x000000000041D4E0-mapping.dmp
- memory/3208-125-0x0000000000A70000-0x0000000000D90000-memory.dmp (filesize: 3.1MB)