Analysis
max time kernel: 121s
max time network: 129s
platform: windows10_x64
resource: win10-en-20210920
submitted: 03-11-2021 19:25

Static task: static1
Behavioral task: behavioral1
Sample: b4c024b530685b4d6624a05969d9997b.exe
Resource: win7-en-20210920
General
Target: b4c024b530685b4d6624a05969d9997b.exe
Size: 327KB
MD5: b4c024b530685b4d6624a05969d9997b
SHA1: a584891d70ea5cc84d7d2934f3ea70af83b83980
SHA256: 1b6ff162d06ef0d1df78ada89bc99374b76362c5693b625ef9d46c9ee50e5309
SHA512: 3c6db8b881da0e6b0ee4b4effea7f1130ec6fec5e603f8617e2365cc4816c837bbca3c38af61015f48d201a20b027d131adac5a2e3df45b71d801b8feee1c4eb
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: qw2c
C2: http://www.qhatu-peru.com/qw2c/
Decoy domains:
tripleincome.trade
theorigins.xyz
codzpays.com
tacocoparker.com
athensbyozanfirat.com
aero-charger.com
mobiushs.com
wealthpatternsllc.net
oneuplord.net
19kaldenbergplace.com
dxalt.com
pageants.xyz
mengyaoke.xyz
xn--80aaudhcmg4b.online
kpmg-grab.com
unsiontv.com
builderclubvn.com
shafara.com
bmwrepairnashville.com
gelgist.com
sauver-uhalas.com
theastonishop.com
ncell-gift.online
versebay.com
victocha.com
anthonylink.top
kemerya.com
entrepreneurbizlife.com
belfamarts.top
everydayhealth.space
gyghw.com
clarkstown65.com
zzjn12.xyz
barber-king.online
narasiforum.club
tokentoto.info
urteuzemni.quest
kmieske.art
dewy-shop.com
pecornwell.com
transactioninsite.com
anta-media.com
duckworthwedding.com
viklsonbas.xyz
cruisebookingsonlineukorg.com
41dgj.xyz
phoenixvirtualstaff.net
golfladys.com
tzkaxh.com
sachitool.com
mirofotografias.com
bumiths.com
noon2f.com
suzukiecuardor.com
ll-safe-keepingtoyof6.xyz
marcosvendasecursos.com
northcoastcedrick.com
eskrimwalls.com
alltimedivine.com
jdnissan.com
atzoom.net
hanseionlinemarketing.com
yanarajoubdesign.com
movieschor.info
Signatures
-
Modifies system executable filetype association (2 TTPs, 1 IoC)
Processes: b4c024b530685b4d6624a05969d9997b.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | b4c024b530685b4d6624a05969d9997b.exe
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
Xloader Payload (2 IoCs)
resource | yara_rule
behavioral2/memory/4036-120-0x000000000041D430-mapping.dmp | xloader
behavioral2/memory/4036-119-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
Executes dropped EXE (2 IoCs)
Processes: b4c024b530685b4d6624a05969d9997b.exe, b4c024b530685b4d6624a05969d9997b.exe
pid | process
2528 | b4c024b530685b4d6624a05969d9997b.exe
4036 | b4c024b530685b4d6624a05969d9997b.exe
Loads dropped DLL (1 IoC)
Processes: b4c024b530685b4d6624a05969d9997b.exe
pid | process
2528 | b4c024b530685b4d6624a05969d9997b.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of SetThreadContext (1 IoC)
Processes: b4c024b530685b4d6624a05969d9997b.exe
description | pid | process | target process
PID 2528 set thread context of 4036 | 2528 | b4c024b530685b4d6624a05969d9997b.exe | b4c024b530685b4d6624a05969d9997b.exe
Drops file in Program Files directory (53 IoCs)
Processes: b4c024b530685b4d6624a05969d9997b.exe
description | ioc | process
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpconfig.exe | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\WinMail.exe | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe | b4c024b530685b4d6624a05969d9997b.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE | b4c024b530685b4d6624a05969d9997b.exe
Drops file in Windows directory (1 IoC)
Processes: b4c024b530685b4d6624a05969d9997b.exe
description | ioc | process
File opened for modification | C:\Windows\svchost.com | b4c024b530685b4d6624a05969d9997b.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
NSIS installer (6 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\b4c024b530685b4d6624a05969d9997b.exe | nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\3582-490\b4c024b530685b4d6624a05969d9997b.exe | nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\3582-490\b4c024b530685b4d6624a05969d9997b.exe | nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\3582-490\b4c024b530685b4d6624a05969d9997b.exe | nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\3582-490\b4c024b530685b4d6624a05969d9997b.exe | nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\3582-490\b4c024b530685b4d6624a05969d9997b.exe | nsis_installer_2
Modifies registry class (1 IoC)
Processes: b4c024b530685b4d6624a05969d9997b.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | b4c024b530685b4d6624a05969d9997b.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: b4c024b530685b4d6624a05969d9997b.exe
pid | process
4036 | b4c024b530685b4d6624a05969d9997b.exe
4036 | b4c024b530685b4d6624a05969d9997b.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: b4c024b530685b4d6624a05969d9997b.exe, b4c024b530685b4d6624a05969d9997b.exe
description | pid | process | target process
PID 3632 wrote to memory of 2528 | 3632 | b4c024b530685b4d6624a05969d9997b.exe | b4c024b530685b4d6624a05969d9997b.exe
PID 3632 wrote to memory of 2528 | 3632 | b4c024b530685b4d6624a05969d9997b.exe | b4c024b530685b4d6624a05969d9997b.exe
PID 3632 wrote to memory of 2528 | 3632 | b4c024b530685b4d6624a05969d9997b.exe | b4c024b530685b4d6624a05969d9997b.exe
PID 2528 wrote to memory of 4036 | 2528 | b4c024b530685b4d6624a05969d9997b.exe | b4c024b530685b4d6624a05969d9997b.exe
PID 2528 wrote to memory of 4036 | 2528 | b4c024b530685b4d6624a05969d9997b.exe | b4c024b530685b4d6624a05969d9997b.exe
PID 2528 wrote to memory of 4036 | 2528 | b4c024b530685b4d6624a05969d9997b.exe | b4c024b530685b4d6624a05969d9997b.exe
PID 2528 wrote to memory of 4036 | 2528 | b4c024b530685b4d6624a05969d9997b.exe | b4c024b530685b4d6624a05969d9997b.exe
PID 2528 wrote to memory of 4036 | 2528 | b4c024b530685b4d6624a05969d9997b.exe | b4c024b530685b4d6624a05969d9997b.exe
PID 2528 wrote to memory of 4036 | 2528 | b4c024b530685b4d6624a05969d9997b.exe | b4c024b530685b4d6624a05969d9997b.exe
Processes
C:\Users\Admin\AppData\Local\Temp\b4c024b530685b4d6624a05969d9997b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b4c024b530685b4d6624a05969d9997b.exe"
  PID: 3632
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\3582-490\b4c024b530685b4d6624a05969d9997b.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\b4c024b530685b4d6624a05969d9997b.exe"
    PID: 2528
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\3582-490\b4c024b530685b4d6624a05969d9997b.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\b4c024b530685b4d6624a05969d9997b.exe"
      PID: 4036
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\b4c024b530685b4d6624a05969d9997b.exe
MD5: de8e61b685a34ebc90995c66b83c0f3a
SHA1: f34d2b14e5135c335fee089f9a756ad6a64ac983
SHA256: 115a084d9aa48d9bb0f37d760c8997e3ec905a5b4adad3eeba9c8b18e44e9408
SHA512: 5185c0bf87d613d291a3461485fe9a6419136b3405d79f516351c193329f4ea0d33b634d08ce2e6acd77fd0f0d35e29423c0198d8abb991abd5ae4bf4d59cd09
-
\Users\Admin\AppData\Local\Temp\nseA903.tmp\cxtlhbh.dll
MD5: dde219a520a9ac69fb5adbee41837289
SHA1: 876dc986102accb053b3955901a1bc4712926bc8
SHA256: 0f7ba704c8bb650ea5b224b169246ce2702438b8bc1cb1c75826867306e7d9c3
SHA512: 0b91c950600c445ca8f3d10a464fdda497b0db5b986c57f0d8ffedbffc12e52b5238fc334c276ee64dc2657bcd737f2f309d1fe022760d286a1aa1f527b3d149
-
memory/2528-115-0x0000000000000000-mapping.dmp
-
memory/4036-120-0x000000000041D430-mapping.dmp
-
memory/4036-119-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize: 164KB
-
memory/4036-122-0x00000000009F0000-0x0000000000D10000-memory.dmp
Filesize: 3.1MB