Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 04-11-2021 13:13

Static task: static1
Behavioral task: behavioral1
- Sample: ZT2468.exe
- Resource: win7-en-20210920
General
- Target: ZT2468.exe
- Size: 288KB
- MD5: fab8e59e983d01fc0693c15309576f7a
- SHA1: 7237e7d63f241d7785e638edf05a71064574659c
- SHA256: 272447b597810afe392f24b2fbcab08cd76224f54251e009742ed350595fe54d
- SHA512: 0eb51bc407abb70cabe32081b9e073505a761048e399a69a7857775974454b29d7fe46f46b12296f58e33e0feca5488adf399979b7ff9ead9e1e3ea24cd75120
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: u5eh
- C2: http://www.retonamoss.com/u5eh/
- Decoy domains: 64 entries
Signatures

Xloader Payload (3 IoCs)
Resources matched by YARA rule "xloader":
- behavioral2/memory/3720-116-0x0000000000400000-0x0000000000429000-memory.dmp
- behavioral2/memory/3720-117-0x000000000041D3E0-mapping.dmp
- behavioral2/memory/4092-124-0x0000000003020000-0x0000000003049000-memory.dmp

Loads dropped DLL (1 IoC)
Processes:
- PID 2440 ZT2468.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes:
- PID 2440 (ZT2468.exe) set thread context of PID 3720 (ZT2468.exe)
- PID 3720 (ZT2468.exe) set thread context of PID 3020 (Explorer.EXE)
- PID 4092 (wlanext.exe) set thread context of PID 3020 (Explorer.EXE)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes:
- PID 3720 ZT2468.exe (4 hits)
- PID 4092 wlanext.exe (56 hits)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- PID 3020 Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
- PID 3720 ZT2468.exe (3 hits)
- PID 4092 wlanext.exe (2 hits)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 3720 ZT2468.exe
- Token: SeDebugPrivilege, PID 4092 wlanext.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
- PID 2440 (ZT2468.exe) wrote to memory of PID 3720 (ZT2468.exe) (6 hits)
- PID 3020 (Explorer.EXE) wrote to memory of PID 4092 (wlanext.exe) (3 hits)
- PID 4092 (wlanext.exe) wrote to memory of PID 4052 (cmd.exe) (3 hits)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ZT2468.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ZT2468.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\ZT2468.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ZT2468.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\autofmt.exe (10 instances, no signatures)
    Command line: "C:\Windows\SysWOW64\autofmt.exe"
  - C:\Windows\SysWOW64\wlanext.exe
    Command line: "C:\Windows\SysWOW64\wlanext.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\ZT2468.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- \Users\Admin\AppData\Local\Temp\nsbBB14.tmp\jarjiypg.dll
  MD5: 6f34375ab63f8e726809b4ba0fbac265
  SHA1: 4ae027f2810893240dddbb08d50e81565d578035
  SHA256: 07001303d1031888767e46c324fb943967b1e3298f65f5a1c5053a344f2467aa
  SHA512: 0995a19e2582657dfb1e56ce53b280d3a817a154a6057a99b6b3329fa18203db3d5b8b97f76d5ab65822368d36c08d9c243183cd37c62648245d82e60f416791
- memory/3020-121-0x0000000005E40000-0x0000000005FCA000-memory.dmp (Filesize 1.5MB)
- memory/3020-128-0x00000000064E0000-0x0000000006610000-memory.dmp (Filesize 1.2MB)
- memory/3720-116-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize 164KB)
- memory/3720-117-0x000000000041D3E0-mapping.dmp
- memory/3720-120-0x00000000005C0000-0x00000000005D1000-memory.dmp (Filesize 68KB)
- memory/3720-119-0x0000000000B40000-0x0000000000E60000-memory.dmp (Filesize 3.1MB)
- memory/4052-126-0x0000000000000000-mapping.dmp
- memory/4092-122-0x0000000000000000-mapping.dmp
- memory/4092-125-0x0000000003050000-0x00000000030FE000-memory.dmp (Filesize 696KB)
- memory/4092-124-0x0000000003020000-0x0000000003049000-memory.dmp (Filesize 164KB)
- memory/4092-127-0x0000000003500000-0x0000000003590000-memory.dmp (Filesize 576KB)
- memory/4092-123-0x00000000001D0000-0x00000000001E7000-memory.dmp (Filesize 92KB)