Analysis
max time kernel: 147s
max time network: 146s
platform: windows7_x64
resource: win7-en-20211014
submitted: 16-11-2021 21:13
Static task: static1
Behavioral task: behavioral1
Sample: soa#2021011015.exe
Resource: win7-en-20211014
General
Target: soa#2021011015.exe
Size: 286KB
MD5: 77f19e38f4e1eeb655d01114be0e710c
SHA1: a7bbc2ed7b159f441107d43dcceca5be98623556
SHA256: f9744d616627a9e5640bfb7cc0c88b03e52b53141f1647c57a3b3d77766d510d
SHA512: 1c0f548fe3cc9e4a7ac16d7365b7f11f475b9e78daff61b548d1a7f45b7c5b633d82fdb770b079dfd51bbb0d5ee85a8891c411d1de925720184385071101db5f
Malware Config
Extracted
xloader
2.5
e8ia
http://www.helpfromjames.com/e8ia/
Signatures

Xloader Payload (4 IoCs)
YARA rule matches (behavioral1), resource: rule
- memory/916-57-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
- memory/916-58-0x000000000041D4D0-mapping.dmp: xloader
- memory/916-63-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
- memory/1112-69-0x0000000000080000-0x00000000000A9000-memory.dmp: xloader
Deletes itself (1 IoC)
Processes (pid, process):
- 288 cmd.exe

Loads dropped DLL (1 IoC)
Processes (pid, process):
- 1116 soa#2021011015.exe

Suspicious use of SetThreadContext (4 IoCs)
Processes (description; pid, process; target process):
- PID 1116 set thread context of 916; 1116 soa#2021011015.exe; target: soa#2021011015.exe
- PID 916 set thread context of 1380; 916 soa#2021011015.exe; target: Explorer.EXE
- PID 916 set thread context of 1380; 916 soa#2021011015.exe; target: Explorer.EXE
- PID 1112 set thread context of 1380; 1112 help.exe; target: Explorer.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (29 IoCs)
Processes (pid, process):
- 916 soa#2021011015.exe (3 events)
- 1112 help.exe (26 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid, process):
- 1380 Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes (pid, process):
- 916 soa#2021011015.exe (4 events)
- 1112 help.exe (2 events)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description; pid, process):
- Token: SeDebugPrivilege; 916 soa#2021011015.exe
- Token: SeDebugPrivilege; 1112 help.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid, process):
- 1380 Explorer.EXE (2 events)

Suspicious use of SendNotifyMessage (2 IoCs)
Processes (pid, process):
- 1380 Explorer.EXE (2 events)

Suspicious use of WriteProcessMemory (15 IoCs)
Processes (description; pid, process; target process):
- PID 1116 wrote to memory of 916; 1116 soa#2021011015.exe; target: soa#2021011015.exe (7 events)
- PID 916 wrote to memory of 1112; 916 soa#2021011015.exe; target: help.exe (4 events)
- PID 1112 wrote to memory of 288; 1112 help.exe; target: cmd.exe (4 events)
Processes (process tree; each level is spawned by the one above it)

1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage

   2. C:\Users\Admin\AppData\Local\Temp\soa#2021011015.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\soa#2021011015.exe"
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\soa#2021011015.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\soa#2021011015.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\help.exe
            Command line: "C:\Windows\SysWOW64\help.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\cmd.exe
               Command line: /c del "C:\Users\Admin\AppData\Local\Temp\soa#2021011015.exe"
               - Deletes itself
Downloads

- \Users\Admin\AppData\Local\Temp\nstD470.tmp\hiib.dll
  MD5: 0aecec56e3ae0fb3d77c3c2c35d2a147
  SHA1: f6478611f5048e9f7d6b79c29e4e187ae15b2ada
  SHA256: d22526223a8d35f173f0704477783bbe564d69babbef43aa2133b8ca4172dd27
  SHA512: 5009e773fee22b766edb902b850864b062cdf01b77bdf5ada7f9cf8b889b788b0aefc73be5e6f2af0d2b252a229001b8f3aa64989cdcf917561916dd3fbae0ae

- memory/288-67-0x0000000000000000-mapping.dmp
- memory/916-64-0x00000000003A0000-0x00000000003B1000-memory.dmp (Filesize: 68KB)
- memory/916-57-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/916-58-0x000000000041D4D0-mapping.dmp
- memory/916-60-0x0000000000800000-0x0000000000B03000-memory.dmp (Filesize: 3.0MB)
- memory/916-61-0x00000000002C0000-0x00000000002D1000-memory.dmp (Filesize: 68KB)
- memory/916-63-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/1112-68-0x0000000000500000-0x0000000000506000-memory.dmp (Filesize: 24KB)
- memory/1112-66-0x0000000000000000-mapping.dmp
- memory/1112-69-0x0000000000080000-0x00000000000A9000-memory.dmp (Filesize: 164KB)
- memory/1112-70-0x0000000000990000-0x0000000000C93000-memory.dmp (Filesize: 3.0MB)
- memory/1112-71-0x0000000000390000-0x0000000000420000-memory.dmp (Filesize: 576KB)
- memory/1116-55-0x00000000762D1000-0x00000000762D3000-memory.dmp (Filesize: 8KB)
- memory/1380-65-0x00000000070C0000-0x0000000007239000-memory.dmp (Filesize: 1.5MB)
- memory/1380-62-0x0000000005E90000-0x0000000005F5A000-memory.dmp (Filesize: 808KB)
- memory/1380-72-0x00000000064A0000-0x0000000006554000-memory.dmp (Filesize: 720KB)