Analysis
max time kernel: 74s
max time network: 124s
platform: windows10_x64
resource: win10-en-20211014
submitted: 17-11-2021 22:11
Static task: static1

General
Target: c3732a4c293740632956474cb15e9f25f77cd96b6a40366c137f29b5df1d819e.exe
Size: 304KB
MD5: e0c09b7302a96d737a7573a7938ea389
SHA1: 2d064fc357be869f8bf7d57f099b5edd1aeaa0a8
SHA256: c3732a4c293740632956474cb15e9f25f77cd96b6a40366c137f29b5df1d819e
SHA512: 830c1b59658a9f744f59e39281a0102cbfef538b03f93154b1310dfab017768095d0aec2688ee464f87cff41ca9e13400c3cefde681e1d171ad2c9525abb592e
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: unzn
C2: http://www.davanamays.com/unzn/
Signatures

Xloader Payload (2 IoCs)
Processes:
resource  yara_rule
behavioral1/memory/4312-116-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral1/memory/4312-117-0x000000000041D430-mapping.dmp  xloader
Loads dropped DLL (1 IoC)
Processes:
pid   process
3048  c3732a4c293740632956474cb15e9f25f77cd96b6a40366c137f29b5df1d819e.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
PID 3048 set thread context of 4312 (pid 3048, process c3732a4c293740632956474cb15e9f25f77cd96b6a40366c137f29b5df1d819e.exe, target process c3732a4c293740632956474cb15e9f25f77cd96b6a40366c137f29b5df1d819e.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid   process
4312  c3732a4c293740632956474cb15e9f25f77cd96b6a40366c137f29b5df1d819e.exe
4312  c3732a4c293740632956474cb15e9f25f77cd96b6a40366c137f29b5df1d819e.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
PID 3048 wrote to memory of 4312 (pid 3048, process c3732a4c293740632956474cb15e9f25f77cd96b6a40366c137f29b5df1d819e.exe, target process c3732a4c293740632956474cb15e9f25f77cd96b6a40366c137f29b5df1d819e.exe)
PID 3048 wrote to memory of 4312 (pid 3048, process c3732a4c293740632956474cb15e9f25f77cd96b6a40366c137f29b5df1d819e.exe, target process c3732a4c293740632956474cb15e9f25f77cd96b6a40366c137f29b5df1d819e.exe)
PID 3048 wrote to memory of 4312 (pid 3048, process c3732a4c293740632956474cb15e9f25f77cd96b6a40366c137f29b5df1d819e.exe, target process c3732a4c293740632956474cb15e9f25f77cd96b6a40366c137f29b5df1d819e.exe)
PID 3048 wrote to memory of 4312 (pid 3048, process c3732a4c293740632956474cb15e9f25f77cd96b6a40366c137f29b5df1d819e.exe, target process c3732a4c293740632956474cb15e9f25f77cd96b6a40366c137f29b5df1d819e.exe)
PID 3048 wrote to memory of 4312 (pid 3048, process c3732a4c293740632956474cb15e9f25f77cd96b6a40366c137f29b5df1d819e.exe, target process c3732a4c293740632956474cb15e9f25f77cd96b6a40366c137f29b5df1d819e.exe)
PID 3048 wrote to memory of 4312 (pid 3048, process c3732a4c293740632956474cb15e9f25f77cd96b6a40366c137f29b5df1d819e.exe, target process c3732a4c293740632956474cb15e9f25f77cd96b6a40366c137f29b5df1d819e.exe)
Processes

1. C:\Users\Admin\AppData\Local\Temp\c3732a4c293740632956474cb15e9f25f77cd96b6a40366c137f29b5df1d819e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c3732a4c293740632956474cb15e9f25f77cd96b6a40366c137f29b5df1d819e.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\c3732a4c293740632956474cb15e9f25f77cd96b6a40366c137f29b5df1d819e.exe (child of process 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\c3732a4c293740632956474cb15e9f25f77cd96b6a40366c137f29b5df1d819e.exe"
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\Users\Admin\AppData\Local\Temp\nseC093.tmp\ijlcycjncm.dll
MD5: 83ae51e0c78e6465e7651edc636dc4f8
SHA1: 8783785ba6a0afdeed649363245c4fcddaf27583
SHA256: 14140ac568aec8b9e8c6593f4807a3616f3b3080b156967a3c5d275e87a38e89
SHA512: c6a2cd8a363e8d8efd295e1cf77066c91878dfddd13959061ab788e944f7b5c793fbe4ae620d04b2234d828d5a7ad042f43803cff4a54347dd4a101fef561c03

memory/4312-116-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize: 164KB

memory/4312-117-0x000000000041D430-mapping.dmp

memory/4312-118-0x00000000009F0000-0x0000000000D10000-memory.dmp
Filesize: 3.1MB