Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 25-11-2021 16:47

Static task: static1
Behavioral task: behavioral1
- Sample: TT COPY_02101011.exe
- Resource: win7-en-20211104
General
- Target: TT COPY_02101011.exe
- Size: 302KB
- MD5: ebabc0d66a9e01cc0926f3b311feff5f
- SHA1: 83a44664135a7255045becde754dae29be496c8f
- SHA256: ea8733d0ea6248e2f522487d09e7854230a648e67f1a5e90fea31f6305a1ff7b
- SHA512: b9f9c3ec7080bf31e0ab43b68f8183d75a59ae262e7320e846883f7ec91695e5e01d70432a163252712fc7bdb6e27b6e5fb6b5589e31eb8779f3b2b5586eeeeb
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: e8ia
- C2: http://www.helpfromjames.com/e8ia/
- Decoy domains (XLoader contacts these alongside its real C2 to hide it; many are legitimate or parked sites, so treat them as lower-confidence indicators than the C2 URL above):
le-hameau-enchanteur.com
quantumsystem-au.club
engravedeeply.com
yesrecompensas.lat
cavallitowerofficials.com
800seaspray.com
skifun-jetski.com
thouartafoot.com
nft2dollar.com
petrestore.online
cjcutthecord2.com
tippimccullough.com
gadget198.xyz
djmiriam.com
bitbasepay.com
cukierniawz.com
mcclureic.xyz
inthekitchenshakinandbakin.com
busy-clicks.com
melaniemorris.online
elysiangp.com
7bkj.com
wakeanddraw.com
ascalar.com
iteraxon.com
henleygirlscricket.com
torresflooringdecorllc.com
helgquieta.quest
xesteem.com
graffity-aws.com
bolerparts.com
andriylysenko.com
bestinvest-4-you.com
frelsicycling.com
airductcleaningindianapolis.net
nlproperties.net
alkoora.xyz
sakiyaman.com
wwwsmyrnaschooldistrict.com
unitedsafetyassociation.com
fiveallianceapparel.com
edgelordkids.com
herhauling.com
intelldat.com
weprepareamerica-planet.com
webartsolution.net
yiquge.com
marraasociados.com
dentalimplantnearyou-ca.space
linemanbible.com
dunamisdispatchservicellc.com
latamoperationalinstitute.com
stpaulsschoolbagidora.com
groupninemed.com
solar-tribe.com
footairdz.com
blttsperma.quest
xfeuio.xyz
sahodyafbdchapter.com
0934800.com
dandftrading.com
gladway.net
mineriasinmercurio.com
inaampm.com
Signatures
Xloader Payload 4 IoCs
YARA rule: xloader
- behavioral2/memory/3740-116-0x0000000000400000-0x0000000000429000-memory.dmp
- behavioral2/memory/3740-117-0x000000000041D4D0-mapping.dmp
- behavioral2/memory/3012-124-0x0000000002340000-0x0000000002369000-memory.dmp
- behavioral2/memory/3456-137-0x000000000041D4D0-mapping.dmp
Note: the hollowed sample (PID 3740) and the hollowed persistence copy (PID 3456) both map at the same offset 0x41D4D0, consistent with the dropped file in Program Files (x86) being byte-identical to the submitted sample (same hashes, see Downloads).
Executes dropped EXE 2 IoCs
- PID 1880 qxlh8tbpylmdi6ex.exe
- PID 3456 qxlh8tbpylmdi6ex.exe
Loads dropped DLL 2 IoCs
- PID 2636 TT COPY_02101011.exe
- PID 1880 qxlh8tbpylmdi6ex.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers target stored browser data such as saved credentials. In this run the injected cmd.exe (PID 3012) copied Chrome's Login Data database to %TEMP%\DB1 and created IE's IntelliForms\Storage2 key (see Processes and the IoCs below).
Adds Run key to start application 2 TTPs 2 IoCs
Process: cmd.exe (PID 3012)
- Key created: \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5J3DUFWXGH = "C:\\Program Files (x86)\\Isxxxv4vp\\qxlh8tbpylmdi6ex.exe"
Note: WOW6432Node is the 32-bit view of HKLM\...\Run on 64-bit Windows, so a 32-bit process wrote it. The value is written by the injected cmd.exe rather than by the sample, which is why persistence hunting should not key only on the dropper's image name.
Suspicious use of SetThreadContext 4 IoCs
- PID 2636 (TT COPY_02101011.exe) set thread context of 3740 (TT COPY_02101011.exe)
- PID 3740 (TT COPY_02101011.exe) set thread context of 3020 (Explorer.EXE)
- PID 3012 (cmd.exe) set thread context of 3020 (Explorer.EXE)
- PID 1880 (qxlh8tbpylmdi6ex.exe) set thread context of 3456 (qxlh8tbpylmdi6ex.exe)
Note: SetThreadContext on a freshly spawned child of the same image, paired with the WriteProcessMemory IoCs below, is the process-hollowing pattern; the same chain repeats for the dropped copy (1880 -> 3456). The injection into Explorer.EXE (3020) is what makes cmd.exe and the persistence copy appear as children of Explorer in the process tree.
Drops file in Program Files directory 4 IoCs
- File created: C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe (Explorer.EXE)
- File opened for modification: C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe (Explorer.EXE)
- File opened for modification: C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe (cmd.exe)
- File opened for modification: C:\Program Files (x86)\Isxxxv4vp (Explorer.EXE)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it "likely ransomware behaviour"; nothing else in this report (no file encryption, no ransom note) supports that reading, and the sample is identified as XLoader, an infostealer.
NSIS installer 6 IoCs
C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe matched YARA rules nsis_installer_1 and nsis_installer_2 (each reported three times).
Note: the dropper is packaged as an NSIS installer; the wdtzbwxasut.dll files under %TEMP%\ns*.tmp (see Downloads) are the NSIS plugin DLL it extracts at run time, which is the "dropped DLL" loaded by PIDs 2636 and 1880.
Modifies Internet Explorer settings 1 IoCs
Process: cmd.exe (PID 3012)
- Key created: \Registry\User\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
Note: IntelliForms\Storage2 holds IE's saved form/credential autocomplete data, so this is browser-credential access rather than a settings change.
Suspicious behavior: EnumeratesProcesses 58 IoCs
- PID 3740 TT COPY_02101011.exe (4 hits)
- PID 3012 cmd.exe (52 hits)
- PID 3456 qxlh8tbpylmdi6ex.exe (2 hits)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
- PID 3020 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs
- PID 3740 TT COPY_02101011.exe (3 hits)
- PID 3012 cmd.exe (4 hits)
Suspicious use of AdjustPrivilegeToken 5 IoCs
- SeDebugPrivilege: PID 3740 TT COPY_02101011.exe
- SeDebugPrivilege: PID 3012 cmd.exe
- SeShutdownPrivilege: PID 3020 Explorer.EXE
- SeCreatePagefilePrivilege: PID 3020 Explorer.EXE
- SeDebugPrivilege: PID 3456 qxlh8tbpylmdi6ex.exe
Suspicious use of WriteProcessMemory 27 IoCs
- PID 2636 (TT COPY_02101011.exe) wrote to memory of 3740 (TT COPY_02101011.exe) (6 hits)
- PID 3020 (Explorer.EXE) wrote to memory of 3012 (cmd.exe) (3 hits)
- PID 3012 (cmd.exe) wrote to memory of 4072 (cmd.exe) (3 hits)
- PID 3012 (cmd.exe) wrote to memory of 2596 (cmd.exe) (3 hits)
- PID 3012 (cmd.exe) wrote to memory of 1688 (Firefox.exe) (3 hits)
- PID 3020 (Explorer.EXE) wrote to memory of 1880 (qxlh8tbpylmdi6ex.exe) (3 hits)
- PID 1880 (qxlh8tbpylmdi6ex.exe) wrote to memory of 3456 (qxlh8tbpylmdi6ex.exe) (6 hits)
Processes
C:\Windows\Explorer.EXE (PID 3020, level 1) "C:\Windows\Explorer.EXE"
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe (PID 2636, level 2) "C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe (PID 3740, level 3) "C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe (PID 3012, level 2) "C:\Windows\SysWOW64\cmd.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (level 3) /c del "C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe"
    C:\Windows\SysWOW64\cmd.exe (level 3) /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    C:\Program Files\Mozilla Firefox\Firefox.exe (PID 1688, level 3) "C:\Program Files\Mozilla Firefox\Firefox.exe"
  C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe (PID 1880, level 2) "C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe (PID 3456, level 3) "C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Reading the tree: the NSIS dropper (2636) hollows a child of itself (3740), which injects into Explorer.EXE (3020). Explorer then spawns a 32-bit cmd.exe (3012) that does the actual work: writes the persistence copy and Run key, deletes the original sample from %TEMP%, copies Chrome's Login Data to %TEMP%\DB1, and injects into Firefox.exe (1688). Explorer also launches the persistence copy (1880), which repeats the hollowing into 3456. Detection based only on the dropper's parent/child relationship will miss the cmd.exe and Firefox.exe activity, which has Explorer as its parent.
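The process tree above gives four concrete behaviours to hunt for: a shell copying a browser credential store out of the profile, `cmd /c del` of the original dropper in %TEMP%, a Run value written by cmd.exe rather than an installer, and a process from a user-writable path opening Explorer with write rights. The following is an added example, not part of the sandbox report, that encodes those four behaviours as triage rules and runs them over constructed Sysmon-style events (event IDs 1, 10 and 13; field names `Image`, `CommandLine`, `TargetObject`, `SourceImage`, `TargetImage`, `GrantedAccess` follow Sysmon). It generalises beyond the report in two places, both assumptions: the credential-store pattern also covers Firefox's logins.json/key4.db, and because Sysmon does not log SetThreadContext itself, the injection rule uses event 10 (process access with PROCESS_VM_WRITE|PROCESS_VM_OPERATION) as the nearest proxy. ATT&CK IDs in the findings use current sub-technique numbering.

```python
"""Triage rules for the behaviours in this report, run over constructed
Sysmon-style events. Added example; not code from the sandbox or the sample."""
import re
from pathlib import PureWindowsPath

# Sysmon event IDs used below: 1 = process create, 10 = process access,
# 13 = registry value set.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Chrome "Login Data"/"Web Data"/"Cookies" are in the report; the Firefox
# stores are an assumed generalisation.
CRED_STORE_RE = re.compile(r"Login Data|Web Data|Cookies|logins\.json|key4\.db", re.I)
COPY_VERB_RE = re.compile(r"\b(copy|xcopy|move|type)\b", re.I)
DEL_EXE_RE = re.compile(r'\bdel\b.*\.exe"?\s*$', re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public|ProgramData|Downloads)\\", re.I)
PROCESS_VM_OPERATION = 0x0008  # rights WriteProcessMemory/VirtualAllocEx need
PROCESS_VM_WRITE = 0x0020


def _base(path):
    return PureWindowsPath(path).name.lower()


def browser_cred_copy(ev):
    """Shell copying a browser credential store (report: cmd /c copy ...Login Data -> Temp\\DB1)."""
    cl = ev.get("CommandLine", "")
    if (ev.get("EventID") == 1 and _base(ev.get("Image", "")) in SCRIPT_HOSTS
            and COPY_VERB_RE.search(cl) and CRED_STORE_RE.search(cl)):
        return "T1555.003 browser credential store copied by shell"
    return None


def self_delete(ev):
    """cmd deleting an .exe in a user-writable path (report: del of the original sample)."""
    cl = ev.get("CommandLine", "")
    if (ev.get("EventID") == 1 and _base(ev.get("Image", "")) == "cmd.exe"
            and DEL_EXE_RE.search(cl) and USER_WRITABLE_RE.search(cl)):
        return "T1070.004 executable deleted via cmd /c del"
    return None


def run_key_from_script_host(ev):
    """Run value written by a script host, not an installer (report: cmd.exe set ...\\Run\\5J3DUFWXGH)."""
    if (ev.get("EventID") == 13 and RUN_KEY_RE.search(ev.get("TargetObject", ""))
            and _base(ev.get("Image", "")) in SCRIPT_HOSTS):
        return "T1547.001 Run key written by script host"
    return None


def explorer_opened_for_write(ev):
    """Process from a user-writable path opening Explorer with write rights.
    Assumed proxy for the SetThreadContext/WriteProcessMemory into Explorer.EXE
    the report lists; Sysmon has no SetThreadContext event."""
    if ev.get("EventID") != 10:
        return None
    try:
        granted = int(ev.get("GrantedAccess", "0"), 16)  # Sysmon logs a hex string
    except ValueError:
        return None
    need = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
    if (_base(ev.get("TargetImage", "")) == "explorer.exe" and granted & need == need
            and USER_WRITABLE_RE.search(ev.get("SourceImage", ""))):
        return "T1055 write access to Explorer from user-writable path"
    return None


RULES = (browser_cred_copy, self_delete, run_key_from_script_host, explorer_opened_for_write)


def triage(events):
    """Return (event index, finding) pairs for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            tag = rule(ev)
            if tag:
                hits.append((i, tag))
    return hits


# Constructed events mirroring the report's process tree and registry IoC,
# followed by two benign events that should not fire.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": r"C:\Windows\Explorer.EXE",
     "CommandLine": r'cmd /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": r"C:\Windows\Explorer.EXE",
     "CommandLine": r'cmd /c del "C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe"'},
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5J3DUFWXGH",
     "Details": r"C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe"},
    {"EventID": 10, "SourceImage": r"C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe",
     "TargetImage": r"C:\Windows\Explorer.EXE", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd /c copy "C:\Users\Admin\report.docx" "D:\backup\report.docx"'},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]

if __name__ == "__main__":
    for idx, finding in triage(EVENTS):
        print(f"event {idx}: {finding}")
```

Run against the constructed events, only the first four fire, one rule each, and the benign copy and the installer-written Run value are left alone. The Run-key rule deliberately keys on the writing process rather than on the random directory name, since the name changes per build while "cmd.exe writes HKLM\...\Run" does not.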
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe (reported three times with identical hashes)
- MD5: ebabc0d66a9e01cc0926f3b311feff5f
- SHA1: 83a44664135a7255045becde754dae29be496c8f
- SHA256: ea8733d0ea6248e2f522487d09e7854230a648e67f1a5e90fea31f6305a1ff7b
- SHA512: b9f9c3ec7080bf31e0ab43b68f8183d75a59ae262e7320e846883f7ec91695e5e01d70432a163252712fc7bdb6e27b6e5fb6b5589e31eb8779f3b2b5586eeeeb
These are the same hashes as the submitted sample (see General): the persistence copy is an unmodified copy of the dropper, so the sample's file hashes also identify the persisted file.
-
C:\Users\Admin\AppData\Local\Temp\5itxry81kuzl8up3
- MD5: 7cfbccd72474438d7fc638703213241c
- SHA1: 45da096b227587739be2cfd1fd216a7a0fc40a9a
- SHA256: 02e9f10a4673cf06dc6ded72098e6d37e6162b5c88937eb67ebbfc0c0ee39d58
- SHA512: 66b38fd3c6a4a9c85338e13776204a65a4be9323357c7758472946f2cc21ece513d4df4790cf232d109083365360046be38732725f09b56d5fc0bf4b0cc0629b
-
C:\Users\Admin\AppData\Local\Temp\DB1 (the copy of Chrome's Login Data made by cmd.exe, see Processes)
- MD5: b608d407fc15adea97c26936bc6f03f6
- SHA1: 953e7420801c76393902c0d6bb56148947e41571
- SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
- SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
\Users\Admin\AppData\Local\Temp\nssCA47.tmp\wdtzbwxasut.dll (NSIS plugin directory)
- MD5: 54c860c5cd0476d353802753c7bbfb06
- SHA1: f3fac4c8e96cbb528944fe76c7f74fda8171a597
- SHA256: 19fbfdb247a76a54351902926c309fd6d3e7be25c6dca0062fc781215680913e
- SHA512: 83dd85d9a54a1fa688c7776a15e48d70b8ec12ed789f4ac2054fa3affaed3fdaa375a5bd3d542c7b1831810a4825ee518a14f2390c50bfb65d9b774bceb6b183
-
\Users\Admin\AppData\Local\Temp\nswC461.tmp\wdtzbwxasut.dll (same DLL in a second NSIS plugin directory, consistent with both NSIS executions, PIDs 2636 and 1880 under Loads dropped DLL, extracting it)
- MD5: 54c860c5cd0476d353802753c7bbfb06
- SHA1: f3fac4c8e96cbb528944fe76c7f74fda8171a597
- SHA256: 19fbfdb247a76a54351902926c309fd6d3e7be25c6dca0062fc781215680913e
- SHA512: 83dd85d9a54a1fa688c7776a15e48d70b8ec12ed789f4ac2054fa3affaed3fdaa375a5bd3d542c7b1831810a4825ee518a14f2390c50bfb65d9b774bceb6b183
-
Memory dumps (the 164KB regions in PIDs 3740 and 3012 are the ones the xloader YARA rule matched, see Signatures):
- memory/1880-131-0x0000000000000000-mapping.dmp
- memory/2596-129-0x0000000000000000-mapping.dmp
- memory/3012-126-0x0000000002D70000-0x0000000003090000-memory.dmp (3.1MB)
- memory/3012-123-0x00000000001E0000-0x0000000000239000-memory.dmp (356KB)
- memory/3012-127-0x0000000003090000-0x0000000003120000-memory.dmp (576KB)
- memory/3012-122-0x0000000000000000-mapping.dmp
- memory/3012-124-0x0000000002340000-0x0000000002369000-memory.dmp (164KB)
- memory/3020-121-0x00000000061D0000-0x0000000006375000-memory.dmp (1.6MB)
- memory/3020-128-0x00000000064E0000-0x0000000006666000-memory.dmp (1.5MB)
- memory/3456-137-0x000000000041D4D0-mapping.dmp
- memory/3456-139-0x0000000000A30000-0x0000000000D50000-memory.dmp (3.1MB)
- memory/3740-120-0x00000000005E0000-0x00000000005F1000-memory.dmp (68KB)
- memory/3740-119-0x0000000000A50000-0x0000000000D70000-memory.dmp (3.1MB)
- memory/3740-117-0x000000000041D4D0-mapping.dmp
- memory/3740-116-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
- memory/4072-125-0x0000000000000000-mapping.dmp