Sample
Filename | STATEMENT Oct-Nov 25-11-2021.com (analysed as STATEMENT Oct-Nov 25-11-2021.com.exe) |
Size     | 301KB |
Date     | 25-11-2021 16:50 |
MD5      | 02e738dd13974ab64a472f6aa2f065a8 |
SHA1     | 6134aee9ceffce4d6ed1777739493def77b62533 |
SHA256   | 9acf8fb51cab55a01a74cb84ca9958862b29b8909408e87412700e63a4f578ae |
Note: .com is an executable extension on Windows, so a file named as a bank statement with that extension is the e-mail attachment lure, not a document.
Extracted configuration
Family   | xloader |
Version  | 2.5 |
Campaign | unzn |
C2       | http://www.davanamays.com/unzn/ |
Decoy domains (50). Xloader sends beacons to these as well as to the real C2, using the same campaign path /unzn/, so a hit on any one of them identifies the campaign but not by itself the C2. The decoys are largely unrelated third-party domains and should not be block-listed wholesale; the campaign path is the safer pivot.
xiulf.com
highcountrymortar.com
523561.com
marketingagency.tools
ganmovie.net
nationaalcontactpunt.com
sirrbter.com
begizas.xyz
missimi-fashion.com
munixc.info
daas.support
spaceworbc.com
faithtruthresolve.com
gymkub.com
thegrayverse.xyz
artisanmakefurniture.com
029tryy.com
ijuubx.biz
iphone13promax.club
techuniversus.com
samrgov.xyz
grownupcurl.com
sj0755.net
beekeeperkit.com
richessesabondantes.com
xclgjgjh.net
webworkscork.com
vedepviet365.com
bretabeameven.com
cdzsmhw.com
clearperspective.biz
tigrg5g784sh.biz
bbezan011.xyz
mycar.store
mansooralobeidli.com
ascensionmemberszoom.com
unlimitedrehab.com
wozka.top
askylarkgoods.com
rj793.com
prosvalor.com
primetimeexpress.com
boixosnoisperu.com
mmasportgear.com
concertiranian.net
hyponymys.info
maila.one
yti0fyic.xyz
shashiprayag.com
speedprosmotorsports.com
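A hunting script for the beaconing pattern implied by this configuration, added here as an example (it is not part of the sandbox report). It looks for a single client contacting the campaign path /unzn/ on several unrelated hosts, which is how Xloader's decoy fan-out looks in proxy logs, and grades the client by whether the configured C2 host or only decoys were seen. The proxy log format, the sample log lines and the query strings are constructed assumptions; the hosts and the campaign path come from the configuration above.

```python
"""Hunt for Xloader/Formbook beaconing in HTTP proxy logs (added example)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Values taken from the extracted configuration.
CAMPAIGN = "unzn"
C2_HOST = "www.davanamays.com"
DECOYS = {"xiulf.com", "highcountrymortar.com", "523561.com",
          "marketingagency.tools"}  # subset of the decoy list

# Constructed sample log, assumed format: "<client> <method> <url> <status>".
# The query strings are invented; only the /unzn/ path matters here.
SAMPLE_LOG = """\
10.0.0.5 GET http://www.davanamays.com/unzn/?id=abc 200
10.0.0.5 GET http://xiulf.com/unzn/?id=abc 404
10.0.0.5 POST http://highcountrymortar.com/unzn/ 403
10.0.0.5 GET http://523561.com/unzn/?id=abc 200
10.0.0.8 GET http://xiulf.com/unzn/?id=1 404
10.0.0.8 POST http://marketingagency.tools/unzn/ 403
10.0.0.8 GET http://523561.com/unzn/?id=2 200
10.0.0.7 GET http://example.org/unzn/ 200
10.0.0.9 GET http://intranet.local/reports/ 200
"""

LINE_RE = re.compile(r"^(\S+)\s+(GET|POST)\s+(\S+)\s+(\d{3})$")


def parse_log(text):
    """Yield (client, method, host, path) for every well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        client, method, url, _status = m.groups()
        parts = urlsplit(url)
        if not parts.hostname:
            continue
        yield client, method, parts.hostname.lower(), parts.path


def campaign_hits(text, campaign=CAMPAIGN):
    """Map client -> set of hosts that were contacted with the campaign path."""
    wanted = f"/{campaign}/"
    hits = defaultdict(set)
    for client, _method, host, path in parse_log(text):
        if path == wanted:
            hits[client].add(host)
    return hits


def classify(text, campaign=CAMPAIGN, c2=C2_HOST, decoys=DECOYS, min_hosts=3):
    """Per-client verdict.

    'c2'        the configured C2 host was hit with the campaign path
    'decoy-fan' the campaign path was seen on >= min_hosts distinct hosts
                (the decoy fan-out), even without the C2 host itself
    'decoy'     a known decoy host was hit, but the fan-out is incomplete
    'weak'      the campaign path was seen, on too few hosts to call it
    """
    verdicts = {}
    for client, hosts in campaign_hits(text, campaign).items():
        if c2 in hosts:
            verdicts[client] = "c2"
        elif len(hosts) >= min_hosts:
            verdicts[client] = "decoy-fan"
        elif hosts & decoys:
            verdicts[client] = "decoy"
        else:
            verdicts[client] = "weak"
    return verdicts


if __name__ == "__main__":
    for client, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(client, verdict, sorted(campaign_hits(SAMPLE_LOG)[client]))
```

Tune `min_hosts` to the beacon window you query over; Xloader rotates through its decoys, so a longer window raises the distinct-host count for an infected client while a legitimate client almost never hits the same odd path on unrelated domains.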
Signature: Xloader
Description: Xloader is the rebranded successor of the Formbook information stealer, sold as malware-as-a-service. It keeps Formbook's process-injection chain and its decoy-domain C2 scheme, both of which are visible in this run.
Signature: Xloader payload (YARA match in memory)
resource | yara_rule
behavioral2/memory/4064-119-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/4064-120-0x000000000041D430-mapping.dmp | xloader
behavioral2/memory/4280-127-0x0000000000C20000-0x0000000000C49000-memory.dmp | xloader
Note: the match in PID 4064 sits at the default image base (0x400000) of the second sample instance, i.e. the unpacked payload written over the hollowed child. The match in wscript.exe (PID 4280) spans 0x29000 bytes, the same size as the 4064 image, so it is the same payload after migration.
Signature: Loads dropped DLL (STATEMENT Oct-Nov 25-11-2021.com.exe)
pid | process
396 | STATEMENT Oct-Nov 25-11-2021.com.exe
Note: the DLL is the one listed under dropped files below, loaded by the first instance of the sample (the unpacking stage).
Signature: Suspicious use of SetThreadContext (STATEMENT Oct-Nov 25-11-2021.com.exe, wscript.exe)
source pid | source process | target pid | target process
396  | STATEMENT Oct-Nov 25-11-2021.com.exe | 4064 | STATEMENT Oct-Nov 25-11-2021.com.exe
4064 | STATEMENT Oct-Nov 25-11-2021.com.exe | 2416 | Explorer.EXE
4280 | wscript.exe | 2416 | Explorer.EXE
Note: SetThreadContext on another process redirects one of its threads to code the caller has placed there. Paired with WriteProcessMemory into the same target (see below) it is the process-hollowing / thread-hijacking pattern.
Signature: Enumerates physical storage devices
Description: Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature calls it likely ransomware behaviour; Xloader is an information stealer, so in this run it should not be read as encryption activity. No TTPs were attached to this signature.
Signature: Suspicious behavior: EnumeratesProcesses (STATEMENT Oct-Nov 25-11-2021.com.exe, wscript.exe)
pid | process | events
4064 | STATEMENT Oct-Nov 25-11-2021.com.exe | 4
4280 | wscript.exe | repeated many times
Note: the repeated process enumeration comes from the two processes carrying the payload (the hollowed sample instance and wscript.exe), consistent with the payload searching for a host process and for browsers to hook.
Signature: Suspicious behavior: GetForegroundWindowSpam (Explorer.EXE)
pid | process
2416 | Explorer.EXE
Note: Explorer.EXE is not the sample; it shows this behaviour only because the payload was injected into it (see SetThreadContext above).
Signature: Suspicious behavior: MapViewOfSection (STATEMENT Oct-Nov 25-11-2021.com.exe, wscript.exe)
pid | process | events
4064 | STATEMENT Oct-Nov 25-11-2021.com.exe | 3
4280 | wscript.exe | 2
Signature: Suspicious use of AdjustPrivilegeToken (STATEMENT Oct-Nov 25-11-2021.com.exe, wscript.exe)
privilege | pid | process
SeDebugPrivilege | 4064 | STATEMENT Oct-Nov 25-11-2021.com.exe
SeDebugPrivilege | 4280 | wscript.exe
Note: SeDebugPrivilege is enabled by the payload before opening Explorer.EXE and other processes for injection; a wscript.exe instance enabling it is a high-confidence detection on its own.
Signature: Suspicious use of WriteProcessMemory (STATEMENT Oct-Nov 25-11-2021.com.exe, Explorer.EXE, wscript.exe)
source pid | source process | target pid | target process | writes
396  | STATEMENT Oct-Nov 25-11-2021.com.exe | 4064 | STATEMENT Oct-Nov 25-11-2021.com.exe | 6
2416 | Explorer.EXE | 4280 | wscript.exe | 3
4280 | wscript.exe | 4156 | cmd.exe | 3
Injection chain read from the two tables: PID 396 starts a second copy of itself (PID 4064), writes the unpacked payload into it and resets its thread context (hollowing); PID 4064 hijacks a thread in Explorer.EXE (PID 2416); the code now in Explorer.EXE starts wscript.exe (PID 4280) and writes into it; wscript.exe, now carrying the payload, sets a thread context back in Explorer.EXE and writes into cmd.exe (PID 4156), which deletes the original file.
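The chain above can be reconstructed mechanically from the sandbox's API events, which is what a triage script should do rather than reading the tables by eye. The following is an added example, not part of the report: the events are copied from the SetThreadContext and WriteProcessMemory tables above, repeated according to their counts, while the tuple layout, the `SENSITIVE` image list and the function names are my own assumptions.

```python
"""Reconstruct a process-injection chain from sandbox API events (added example)."""
from collections import defaultdict

SAMPLE = "STATEMENT Oct-Nov 25-11-2021.com.exe"
EXPLORER = "Explorer.EXE"

# (api, source pid, source image, target pid, target image), taken from the
# report's tables; list repetition reproduces the event counts.
EVENTS = (
    [("SetThreadContext", 396, SAMPLE, 4064, SAMPLE),
     ("SetThreadContext", 4064, SAMPLE, 2416, EXPLORER),
     ("SetThreadContext", 4280, "wscript.exe", 2416, EXPLORER)]
    + [("WriteProcessMemory", 396, SAMPLE, 4064, SAMPLE)] * 6
    + [("WriteProcessMemory", 2416, EXPLORER, 4280, "wscript.exe")] * 3
    + [("WriteProcessMemory", 4280, "wscript.exe", 4156, "cmd.exe")] * 3
)

# Host images that injected payloads favour (assumed list); a write or
# context reset into one of these from a user-land sample is a strong signal.
SENSITIVE = {"explorer.exe", "wscript.exe", "cmd.exe", "svchost.exe"}


def build_graph(events):
    """Return ({(src_pid, dst_pid): {api: count}}, {pid: image})."""
    edges = defaultdict(lambda: defaultdict(int))
    images = {}
    for api, src, src_img, dst, dst_img in events:
        edges[(src, dst)][api] += 1
        images[src] = src_img
        images[dst] = dst_img
    return edges, images


def hollowing_candidates(edges):
    """(src, dst) pairs where one process both wrote memory into the target
    and reset a thread context there: the WriteProcessMemory + SetThreadContext
    signature of process hollowing / thread hijacking."""
    return sorted(
        pair for pair, apis in edges.items()
        if "WriteProcessMemory" in apis and "SetThreadContext" in apis
    )


def cross_image_injections(edges, images):
    """Edges whose target image differs from the source image, i.e. the
    payload migrating into another binary, with a flag for sensitive targets."""
    out = []
    for (src, dst) in sorted(edges):
        if images[src].lower() != images[dst].lower():
            out.append((src, images[src], dst, images[dst],
                        images[dst].lower() in SENSITIVE))
    return out


def injection_chain(edges, root):
    """PIDs reached from the root by following injection edges, breadth
    first, each PID once (back edges such as wscript.exe -> Explorer.EXE are
    not repeated)."""
    seen, order, queue = {root}, [root], [root]
    while queue:
        cur = queue.pop(0)
        for (src, dst) in sorted(edges):
            if src == cur and dst not in seen:
                seen.add(dst)
                order.append(dst)
                queue.append(dst)
    return order


if __name__ == "__main__":
    edges, images = build_graph(EVENTS)
    print("hollowing:", hollowing_candidates(edges))
    for src, si, dst, di, hot in cross_image_injections(edges, images):
        print(f"{src} ({si}) -> {dst} ({di}){' [sensitive]' if hot else ''}")
    print("chain:", " -> ".join(str(p) for p in injection_chain(edges, 396)))
```

The root PID is the first instance of the sample; in a real pipeline it would come from the submission record rather than being hard-coded. The same walk works for EDR telemetry once the events are mapped onto the same tuple shape.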
Processes
PID 2416 | C:\Windows\Explorer.EXE
         | Signatures: GetForegroundWindowSpam, WriteProcessMemory (into wscript.exe, PID 4280)
PID 396  | C:\Users\Admin\AppData\Local\Temp\STATEMENT Oct-Nov 25-11-2021.com.exe
         | Command line: "C:\Users\Admin\AppData\Local\Temp\STATEMENT Oct-Nov 25-11-2021.com.exe"
         | Signatures: Loads dropped DLL, SetThreadContext, WriteProcessMemory (both into PID 4064)
PID 4064 | C:\Users\Admin\AppData\Local\Temp\STATEMENT Oct-Nov 25-11-2021.com.exe (second instance, hollowed by PID 396)
         | Command line: "C:\Users\Admin\AppData\Local\Temp\STATEMENT Oct-Nov 25-11-2021.com.exe"
         | Signatures: SetThreadContext (into Explorer.EXE), EnumeratesProcesses, MapViewOfSection, AdjustPrivilegeToken
PID 4280 | C:\Windows\SysWOW64\wscript.exe
         | Command line: "C:\Windows\SysWOW64\wscript.exe"
         | Signatures: SetThreadContext (into Explorer.EXE), EnumeratesProcesses, MapViewOfSection, AdjustPrivilegeToken, WriteProcessMemory (into cmd.exe, PID 4156)
         | Note: a legitimate wscript.exe is launched with a script path; this one has no argument and is written to by Explorer.EXE, so it is the host process chosen by the injected stage.
PID 4156 | C:\Windows\SysWOW64\cmd.exe
         | Command line: /c del "C:\Users\Admin\AppData\Local\Temp\STATEMENT Oct-Nov 25-11-2021.com.exe"
         | Note: self-deletion of the dropper once the payload runs inside wscript.exe. On an infected host the original file will be gone, so the hashes above should be hunted in mail attachments and memory, not only on disk.
Dropped files
\Users\Admin\AppData\Local\Temp\nsv9F7E.tmp\ncpszgn.dll
MD5    | c3678c74295ff18273f177d3058bcc9d |
SHA1   | 619a2fbfb1f1512e96af74733345e5539786e789 |
SHA256 | d6cb2032b903d1820cc840659d655877cba6d1e6746ebf366696aed3d9dc0c65 |
SHA512 | 3542b7dfeea67460f52fd40f212831ebc33a7831b3b05770ce619c0e25f030129028e5e96c3291fc578d39075107e7ef8bf5883ea79a38c69a0edee9df72056c |
Note: a DLL extracted into a Temp\ns????.tmp directory is the naming pattern NSIS installers use for their plugin DLLs, which is consistent with the sample being an NSIS-packed loader; the DLL is what PID 396 loads under "Loads dropped DLL" above.
Memory dumps
PID 2416 (Explorer.EXE)
  memory/2416-124-0x0000000004F80000-0x0000000005101000-memory.dmp
  memory/2416-131-0x0000000002440000-0x000000000253E000-memory.dmp
PID 4064 (STATEMENT Oct-Nov 25-11-2021.com.exe, hollowed instance)
  memory/4064-119-0x0000000000400000-0x0000000000429000-memory.dmp (YARA: xloader)
  memory/4064-120-0x000000000041D430-mapping.dmp (YARA: xloader; address inside the image above)
  memory/4064-122-0x00000000009B0000-0x0000000000CD0000-memory.dmp
  memory/4064-123-0x00000000008F0000-0x0000000000901000-memory.dmp
PID 4156 (cmd.exe)
  memory/4156-128-0x0000000000000000-mapping.dmp
PID 4280 (wscript.exe)
  memory/4280-125-0x0000000000000000-mapping.dmp
  memory/4280-126-0x0000000000D80000-0x0000000000DA7000-memory.dmp
  memory/4280-127-0x0000000000C20000-0x0000000000C49000-memory.dmp (YARA: xloader)
  memory/4280-129-0x0000000004E40000-0x0000000005160000-memory.dmp
  memory/4280-130-0x0000000004B90000-0x0000000004C20000-memory.dmp
Note: the two YARA-tagged image dumps (4064 at 0x400000 and 4280 at 0xC20000, both 0x29000 bytes) are the unpacked payload and are the right inputs for configuration extraction; the on-disk sample is only the NSIS wrapper.