Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
25-11-2021 16:48
Static task
static1
Behavioral task
behavioral1
Sample
STATEMENT Oct-Nov 25-11-2021.com.exe
Resource
win7-en-20211014
General
-
Target
STATEMENT Oct-Nov 25-11-2021.com.exe
-
Size
301KB
-
MD5
02e738dd13974ab64a472f6aa2f065a8
-
SHA1
6134aee9ceffce4d6ed1777739493def77b62533
-
SHA256
9acf8fb51cab55a01a74cb84ca9958862b29b8909408e87412700e63a4f578ae
-
SHA512
90ce5711d1f3abd07398c38706f5dc48da02676a86331115b5c7724fd98b1b41606f3d80763d3c03663c1c1bf7864609d65eae183b73f5df2db8e73a49bccf09
Malware Config
Extracted
xloader
2.5
unzn
http://www.davanamays.com/unzn/
xiulf.com
highcountrymortar.com
523561.com
marketingagency.tools
ganmovie.net
nationaalcontactpunt.com
sirrbter.com
begizas.xyz
missimi-fashion.com
munixc.info
daas.support
spaceworbc.com
faithtruthresolve.com
gymkub.com
thegrayverse.xyz
artisanmakefurniture.com
029tryy.com
ijuubx.biz
iphone13promax.club
techuniversus.com
samrgov.xyz
grownupcurl.com
sj0755.net
beekeeperkit.com
richessesabondantes.com
xclgjgjh.net
webworkscork.com
vedepviet365.com
bretabeameven.com
cdzsmhw.com
clearperspective.biz
tigrg5g784sh.biz
bbezan011.xyz
mycar.store
mansooralobeidli.com
ascensionmemberszoom.com
unlimitedrehab.com
wozka.top
askylarkgoods.com
rj793.com
prosvalor.com
primetimeexpress.com
boixosnoisperu.com
mmasportgear.com
concertiranian.net
hyponymys.info
maila.one
yti0fyic.xyz
shashiprayag.com
speedprosmotorsports.com
westchestercountyjunkcars.com
patienceinmypocket.com
rausachbaoloc.com
plexregroup.com
outsydercs.com
foodandflour.com
lenacrypto.xyz
homeservicetoday.net
marthaperry.com
vmtcyd4q8.com
shamefulguys.com
loccssol.store
gnarledportra.xyz
042atk.xyz
Signatures
-
Xloader Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/4064-119-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral2/memory/4064-120-0x000000000041D430-mapping.dmp xloader behavioral2/memory/4280-127-0x0000000000C20000-0x0000000000C49000-memory.dmp xloader -
Loads dropped DLL 1 IoCs
Processes:
STATEMENT Oct-Nov 25-11-2021.com.exepid process 396 STATEMENT Oct-Nov 25-11-2021.com.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
STATEMENT Oct-Nov 25-11-2021.com.exeSTATEMENT Oct-Nov 25-11-2021.com.exewscript.exedescription pid process target process PID 396 set thread context of 4064 396 STATEMENT Oct-Nov 25-11-2021.com.exe STATEMENT Oct-Nov 25-11-2021.com.exe PID 4064 set thread context of 2416 4064 STATEMENT Oct-Nov 25-11-2021.com.exe Explorer.EXE PID 4280 set thread context of 2416 4280 wscript.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
Processes:
STATEMENT Oct-Nov 25-11-2021.com.exewscript.exepid process 4064 STATEMENT Oct-Nov 25-11-2021.com.exe 4064 STATEMENT Oct-Nov 25-11-2021.com.exe 4064 STATEMENT Oct-Nov 25-11-2021.com.exe 4064 STATEMENT Oct-Nov 25-11-2021.com.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe 4280 wscript.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 2416 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
STATEMENT Oct-Nov 25-11-2021.com.exewscript.exepid process 4064 STATEMENT Oct-Nov 25-11-2021.com.exe 4064 STATEMENT Oct-Nov 25-11-2021.com.exe 4064 STATEMENT Oct-Nov 25-11-2021.com.exe 4280 wscript.exe 4280 wscript.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
STATEMENT Oct-Nov 25-11-2021.com.exewscript.exedescription pid process Token: SeDebugPrivilege 4064 STATEMENT Oct-Nov 25-11-2021.com.exe Token: SeDebugPrivilege 4280 wscript.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
STATEMENT Oct-Nov 25-11-2021.com.exeExplorer.EXEwscript.exedescription pid process target process PID 396 wrote to memory of 4064 396 STATEMENT Oct-Nov 25-11-2021.com.exe STATEMENT Oct-Nov 25-11-2021.com.exe PID 396 wrote to memory of 4064 396 STATEMENT Oct-Nov 25-11-2021.com.exe STATEMENT Oct-Nov 25-11-2021.com.exe PID 396 wrote to memory of 4064 396 STATEMENT Oct-Nov 25-11-2021.com.exe STATEMENT Oct-Nov 25-11-2021.com.exe PID 396 wrote to memory of 4064 396 STATEMENT Oct-Nov 25-11-2021.com.exe STATEMENT Oct-Nov 25-11-2021.com.exe PID 396 wrote to memory of 4064 396 STATEMENT Oct-Nov 25-11-2021.com.exe STATEMENT Oct-Nov 25-11-2021.com.exe PID 396 wrote to memory of 4064 396 STATEMENT Oct-Nov 25-11-2021.com.exe STATEMENT Oct-Nov 25-11-2021.com.exe PID 2416 wrote to memory of 4280 2416 Explorer.EXE wscript.exe PID 2416 wrote to memory of 4280 2416 Explorer.EXE wscript.exe PID 2416 wrote to memory of 4280 2416 Explorer.EXE wscript.exe PID 4280 wrote to memory of 4156 4280 wscript.exe cmd.exe PID 4280 wrote to memory of 4156 4280 wscript.exe cmd.exe PID 4280 wrote to memory of 4156 4280 wscript.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\STATEMENT Oct-Nov 25-11-2021.com.exe"C:\Users\Admin\AppData\Local\Temp\STATEMENT Oct-Nov 25-11-2021.com.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\STATEMENT Oct-Nov 25-11-2021.com.exe"C:\Users\Admin\AppData\Local\Temp\STATEMENT Oct-Nov 25-11-2021.com.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\SysWOW64\wscript.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\STATEMENT Oct-Nov 25-11-2021.com.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nsv9F7E.tmp\ncpszgn.dllMD5
c3678c74295ff18273f177d3058bcc9d
SHA1619a2fbfb1f1512e96af74733345e5539786e789
SHA256d6cb2032b903d1820cc840659d655877cba6d1e6746ebf366696aed3d9dc0c65
SHA5123542b7dfeea67460f52fd40f212831ebc33a7831b3b05770ce619c0e25f030129028e5e96c3291fc578d39075107e7ef8bf5883ea79a38c69a0edee9df72056c
-
memory/2416-124-0x0000000004F80000-0x0000000005101000-memory.dmpFilesize
1.5MB
-
memory/2416-131-0x0000000002440000-0x000000000253E000-memory.dmpFilesize
1016KB
-
memory/4064-119-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4064-120-0x000000000041D430-mapping.dmp
-
memory/4064-122-0x00000000009B0000-0x0000000000CD0000-memory.dmpFilesize
3.1MB
-
memory/4064-123-0x00000000008F0000-0x0000000000901000-memory.dmpFilesize
68KB
-
memory/4156-128-0x0000000000000000-mapping.dmp
-
memory/4280-126-0x0000000000D80000-0x0000000000DA7000-memory.dmpFilesize
156KB
-
memory/4280-127-0x0000000000C20000-0x0000000000C49000-memory.dmpFilesize
164KB
-
memory/4280-129-0x0000000004E40000-0x0000000005160000-memory.dmpFilesize
3.1MB
-
memory/4280-130-0x0000000004B90000-0x0000000004C20000-memory.dmpFilesize
576KB
-
memory/4280-125-0x0000000000000000-mapping.dmp