Analysis
- max time kernel: 148s
- max time network: 143s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 17-11-2021 14:43
Static task: static1
Behavioral task: behavioral1
- Sample: Quotation - Urgent.exe
- Resource: win7-en-20211104
General
- Target: Quotation - Urgent.exe
- Size: 847KB
- MD5: ba72b878c2663e3f76de3d4ed7dfc8d2
- SHA1: e5a908d5a4ffeb873f176346c60663d575c8007f
- SHA256: ffba1e049d0da0a9f880a0f7e0b84a17699362ad87a1198cec937250c66587fd
- SHA512: 9536239139c2f082767c4c03317a62aaf34e1f5a0a721063885919bb9e526ac3cbe13e1b5c56b6aab8722d3ad597b35f340636988565e8503c18092c58750471
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: ea0r
- C2: http://www.asiapubz-hk.com/ea0r/
- Decoy domains: 64 entries
Signatures
-
Xloader Payload (3 IoCs)
Processes (resource, yara_rule):
  - behavioral2/memory/3468-125-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
  - behavioral2/memory/3468-126-0x000000000041D410-mapping.dmp: xloader
  - behavioral2/memory/2936-133-0x0000000000E70000-0x0000000000E99000-memory.dmp: xloader
-
Suspicious use of SetThreadContext (3 IoCs)
Processes: Quotation - Urgent.exe, Quotation - Urgent.exe, rundll32.exe
  - PID 2768 (Quotation - Urgent.exe) set thread context of 3468 (Quotation - Urgent.exe)
  - PID 3468 (Quotation - Urgent.exe) set thread context of 2920 (Explorer.EXE)
  - PID 2936 (rundll32.exe) set thread context of 2920 (Explorer.EXE)
-
Suspicious behavior: EnumeratesProcesses (46 IoCs)
Processes: Quotation - Urgent.exe, Quotation - Urgent.exe, rundll32.exe
  - PID 2768 Quotation - Urgent.exe (2 entries)
  - PID 3468 Quotation - Urgent.exe (4 entries)
  - PID 2936 rundll32.exe (40 entries)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: Explorer.EXE
  - PID 2920 Explorer.EXE
-
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes: Quotation - Urgent.exe, rundll32.exe
  - PID 3468 Quotation - Urgent.exe (3 entries)
  - PID 2936 rundll32.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: Quotation - Urgent.exe, Quotation - Urgent.exe, rundll32.exe
  - Token: SeDebugPrivilege, PID 2768 Quotation - Urgent.exe
  - Token: SeDebugPrivilege, PID 3468 Quotation - Urgent.exe
  - Token: SeDebugPrivilege, PID 2936 rundll32.exe
-
Suspicious use of WriteProcessMemory (15 IoCs)
Processes: Quotation - Urgent.exe, Explorer.EXE, rundll32.exe
  - PID 2768 (Quotation - Urgent.exe) wrote to memory of 3288 (Quotation - Urgent.exe) (3 entries)
  - PID 2768 (Quotation - Urgent.exe) wrote to memory of 3468 (Quotation - Urgent.exe) (6 entries)
  - PID 2920 (Explorer.EXE) wrote to memory of 2936 (rundll32.exe) (3 entries)
  - PID 2936 (rundll32.exe) wrote to memory of 1624 (cmd.exe) (3 entries)
Processes
-
1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Quotation - Urgent.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Quotation - Urgent.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\Quotation - Urgent.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\Quotation - Urgent.exe"
      3. C:\Users\Admin\AppData\Local\Temp\Quotation - Urgent.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\Quotation - Urgent.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\autoconv.exe
      command line: "C:\Windows\SysWOW64\autoconv.exe"
   2. C:\Windows\SysWOW64\rundll32.exe
      command line: "C:\Windows\SysWOW64\rundll32.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         command line: /c del "C:\Users\Admin\AppData\Local\Temp\Quotation - Urgent.exe"
Downloads
- memory/1624-134-0x0000000000000000-mapping.dmp
- memory/2768-117-0x0000000005980000-0x0000000005981000-memory.dmp (4KB)
- memory/2768-118-0x0000000005560000-0x0000000005561000-memory.dmp (4KB)
- memory/2768-119-0x0000000005480000-0x000000000597E000-memory.dmp (5.0MB)
- memory/2768-120-0x00000000056D0000-0x00000000056D1000-memory.dmp (4KB)
- memory/2768-121-0x0000000005810000-0x0000000005817000-memory.dmp (28KB)
- memory/2768-122-0x0000000007D00000-0x0000000007D01000-memory.dmp (4KB)
- memory/2768-123-0x0000000007CB0000-0x0000000007CFE000-memory.dmp (312KB)
- memory/2768-124-0x0000000007ED0000-0x0000000007EFC000-memory.dmp (176KB)
- memory/2768-115-0x0000000000B10000-0x0000000000B11000-memory.dmp (4KB)
- memory/2920-130-0x0000000002640000-0x0000000002718000-memory.dmp (864KB)
- memory/2920-137-0x0000000004760000-0x000000000487D000-memory.dmp (1.1MB)
- memory/2936-133-0x0000000000E70000-0x0000000000E99000-memory.dmp (164KB)
- memory/2936-131-0x0000000000000000-mapping.dmp
- memory/2936-132-0x0000000000FB0000-0x0000000000FC3000-memory.dmp (76KB)
- memory/2936-135-0x0000000004DB0000-0x00000000050D0000-memory.dmp (3.1MB)
- memory/2936-136-0x0000000004C20000-0x0000000004CB0000-memory.dmp (576KB)
- memory/3468-128-0x0000000001360000-0x0000000001680000-memory.dmp (3.1MB)
- memory/3468-129-0x0000000000EB0000-0x0000000000EC1000-memory.dmp (68KB)
- memory/3468-126-0x000000000041D410-mapping.dmp
- memory/3468-125-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)