Analysis

- max time kernel: 152s
- max time network: 146s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 01-12-2021 06:52

Static task: static1
Behavioral task: behavioral1
- Sample: Statement 12-01-2021.com.exe
- Resource: win7-en-20211014
General

- Target: Statement 12-01-2021.com.exe
- Size: 552KB
- MD5: d84165c69252af24ac6a92da452b4eb2
- SHA1: 5ca05c20d6240e1ab18c4204cfe3a8d85b5fede4
- SHA256: 99e122686461defed546b28e1b3461a92cc5a3e0fe46cac917f5e130d5941f1f
- SHA512: ada97e517e7678ad971c73395d282d84c1b35493f7cd012ac226a08549757ec756d147ccc404620cd655804c24d1ed5f8e68390478fc3a5b6f134d326c78b3f5
Malware Config

Extracted
- Family: xloader
- Version: 2.5
- Campaign: unzn
- C2: http://www.davanamays.com/unzn/
- Decoy domains (64; Xloader beacons to these alongside the real C2, so all of them belong on a block list):
  xiulf.com
  highcountrymortar.com
  523561.com
  marketingagency.tools
  ganmovie.net
  nationaalcontactpunt.com
  sirrbter.com
  begizas.xyz
  missimi-fashion.com
  munixc.info
  daas.support
  spaceworbc.com
  faithtruthresolve.com
  gymkub.com
  thegrayverse.xyz
  artisanmakefurniture.com
  029tryy.com
  ijuubx.biz
  iphone13promax.club
  techuniversus.com
  samrgov.xyz
  grownupcurl.com
  sj0755.net
  beekeeperkit.com
  richessesabondantes.com
  xclgjgjh.net
  webworkscork.com
  vedepviet365.com
  bretabeameven.com
  cdzsmhw.com
  clearperspective.biz
  tigrg5g784sh.biz
  bbezan011.xyz
  mycar.store
  mansooralobeidli.com
  ascensionmemberszoom.com
  unlimitedrehab.com
  wozka.top
  askylarkgoods.com
  rj793.com
  prosvalor.com
  primetimeexpress.com
  boixosnoisperu.com
  mmasportgear.com
  concertiranian.net
  hyponymys.info
  maila.one
  yti0fyic.xyz
  shashiprayag.com
  speedprosmotorsports.com
  westchestercountyjunkcars.com
  patienceinmypocket.com
  rausachbaoloc.com
  plexregroup.com
  outsydercs.com
  foodandflour.com
  lenacrypto.xyz
  homeservicetoday.net
  marthaperry.com
  vmtcyd4q8.com
  shamefulguys.com
  loccssol.store
  gnarledportra.xyz
  042atk.xyz
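The config block above is only useful once it is turned into something a proxy or DNS resolver can act on. The following is an added example, not part of the sandbox report: it parses the extracted values (copied from the block, packed whitespace-separated), builds a host block list from the C2 plus the decoy domains, and checks whether a URL looks like a beacon to one of those hosts under the campaign path. The field labels (family, version, campaign, C2, decoy domains), the "www." normalisation and the path check are this example's own reading of the block, not output of the sandbox.

```python
"""Turn the Xloader config block from this report into structured IOCs."""
from urllib.parse import urlsplit

# Copied from the report's "Malware Config / Extracted" block, order preserved.
CONFIG_TEXT = """
xloader 2.5 unzn http://www.davanamays.com/unzn/
xiulf.com highcountrymortar.com 523561.com marketingagency.tools ganmovie.net nationaalcontactpunt.com sirrbter.com begizas.xyz
missimi-fashion.com munixc.info daas.support spaceworbc.com faithtruthresolve.com gymkub.com thegrayverse.xyz artisanmakefurniture.com
029tryy.com ijuubx.biz iphone13promax.club techuniversus.com samrgov.xyz grownupcurl.com sj0755.net beekeeperkit.com
richessesabondantes.com xclgjgjh.net webworkscork.com vedepviet365.com bretabeameven.com cdzsmhw.com clearperspective.biz tigrg5g784sh.biz
bbezan011.xyz mycar.store mansooralobeidli.com ascensionmemberszoom.com unlimitedrehab.com wozka.top askylarkgoods.com rj793.com
prosvalor.com primetimeexpress.com boixosnoisperu.com mmasportgear.com concertiranian.net hyponymys.info maila.one yti0fyic.xyz
shashiprayag.com speedprosmotorsports.com westchestercountyjunkcars.com patienceinmypocket.com rausachbaoloc.com plexregroup.com outsydercs.com foodandflour.com
lenacrypto.xyz homeservicetoday.net marthaperry.com vmtcyd4q8.com shamefulguys.com loccssol.store gnarledportra.xyz 042atk.xyz
"""


def parse_xloader_config(text):
    """Split the block into family, version, campaign id, C2 URL and decoy domains.

    The labels follow the order the report prints the values in (an assumption
    of this example); anything after the C2 URL is treated as a decoy domain.
    """
    tokens = text.split()
    if len(tokens) < 4 or not tokens[3].startswith(("http://", "https://")):
        raise ValueError("unexpected layout: expected family, version, campaign, C2 URL, domains")
    family, version, campaign, c2 = tokens[:4]
    return {
        "family": family,
        "version": version,
        "campaign": campaign,
        "c2": c2,
        "c2_host": urlsplit(c2).hostname,
        "decoy_domains": tokens[4:],
    }


def normalize_host(host):
    """Lower-case and drop a leading 'www.' so decoy entries and URL hosts compare equal."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def beacon_hosts(cfg):
    """Every host the bot may contact: the real C2 plus all decoys."""
    return {normalize_host(cfg["c2_host"])} | {normalize_host(d) for d in cfg["decoy_domains"]}


def is_candidate_beacon(url, cfg):
    """True if the URL targets a config host under the campaign path (/unzn/ here)."""
    parts = urlsplit(url)
    if normalize_host(parts.hostname) not in beacon_hosts(cfg):
        return False
    return parts.path.startswith("/" + cfg["campaign"] + "/")


def blocklist(cfg):
    """Sorted host list for a DNS or proxy block rule."""
    return sorted(beacon_hosts(cfg))


if __name__ == "__main__":
    cfg = parse_xloader_config(CONFIG_TEXT)
    print(cfg["family"], cfg["version"], "campaign", cfg["campaign"], "c2", cfg["c2"])
    print(len(cfg["decoy_domains"]), "decoy domains,", len(blocklist(cfg)), "hosts to block")
    for u in ("http://www.xiulf.com/unzn/?id=1", "http://xiulf.com/login/"):
        print(u, "->", is_candidate_beacon(u, cfg))
```

The path check matters because the decoy domains are mostly legitimate or parked sites; blocking them outright is acceptable on a corporate egress, but for retro-hunting in proxy logs a hit on host plus the /unzn/ campaign path is a far stronger signal than the host alone.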
Signatures

Xloader Payload (4 IoCs)
  YARA rule "xloader" matched these memory dumps:
  - behavioral2/memory/4100-119-0x0000000000400000-0x0000000000429000-memory.dmp
  - behavioral2/memory/4100-120-0x000000000041D430-mapping.dmp
  - behavioral2/memory/4100-125-0x0000000000400000-0x0000000000429000-memory.dmp
  - behavioral2/memory/3988-130-0x0000000000740000-0x0000000000769000-memory.dmp

Loads dropped DLL (1 IoC)
  - PID 3620  Statement 12-01-2021.com.exe

Suspicious use of SetThreadContext (4 IoCs)
  - PID 3620 (Statement 12-01-2021.com.exe) set thread context of PID 4100 (Statement 12-01-2021.com.exe)
  - PID 4100 (Statement 12-01-2021.com.exe) set thread context of PID 2716 (Explorer.EXE)
  - PID 4100 (Statement 12-01-2021.com.exe) set thread context of PID 2716 (Explorer.EXE)
  - PID 3988 (cmd.exe) set thread context of PID 2716 (Explorer.EXE)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (That sentence is the sandbox's generic description of the heuristic. Nothing else in this report shows file encryption, and the extracted config identifies the payload as the Xloader stealer, so read the hit as drive enumeration, not as ransomware.)

Suspicious behavior: EnumeratesProcesses (60 IoCs)
  - PID 4100  Statement 12-01-2021.com.exe  (6 events)
  - PID 3988  cmd.exe  (54 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - PID 2716  Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
  - PID 4100  Statement 12-01-2021.com.exe  (4 events)
  - PID 3988  cmd.exe  (2 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - PID 4100  Statement 12-01-2021.com.exe  Token: SeDebugPrivilege
  - PID 3988  cmd.exe  Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (12 IoCs)
  - PID 3620 (Statement 12-01-2021.com.exe) wrote to memory of PID 4100 (Statement 12-01-2021.com.exe)  (6 events)
  - PID 2716 (Explorer.EXE) wrote to memory of PID 3988 (cmd.exe)  (3 events)
  - PID 3988 (cmd.exe) wrote to memory of PID 4224 (cmd.exe)  (3 events)
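The SetThreadContext and WriteProcessMemory tables are the part of this report worth automating, because the same row shapes appear in every run and the injection chain is what an analyst actually wants out of them. The following is an added example, not part of the sandbox report: it parses the row text copied from the two tables above (image names are resolved through a PID-to-image map taken from the report rather than from the rows, since the image names themselves contain spaces and cannot be split reliably), counts the edges, and applies two simple triage rules of this example's own: a process setting the thread context of a second copy of its own image launched from a user-writable path, and a process setting the thread context of a different image such as Explorer.EXE. It also lists SetThreadContext edges that have no matching WriteProcessMemory edge from the same source; in this report those are the two Explorer.EXE steps, which lines up with the MapViewOfSection hits on PIDs 4100 and 3988.

```python
"""Rebuild the injection chain from the report's SetThreadContext and
WriteProcessMemory rows and flag the cross-process steps."""
import re
from collections import Counter

# PID -> image, as attributed by the report's signature tables and process tree.
PID_IMAGE = {
    3620: r"C:\Users\Admin\AppData\Local\Temp\Statement 12-01-2021.com.exe",
    4100: r"C:\Users\Admin\AppData\Local\Temp\Statement 12-01-2021.com.exe",
    2716: r"C:\Windows\Explorer.EXE",
    3988: r"C:\Windows\SysWOW64\cmd.exe",
    4224: r"C:\Windows\SysWOW64\cmd.exe",
}

# Row text copied from the two signature tables (repeated rows written as multiples).
SET_THREAD_CONTEXT_ROWS = (
    "PID 3620 set thread context of 4100 3620 Statement 12-01-2021.com.exe Statement 12-01-2021.com.exe "
    "PID 4100 set thread context of 2716 4100 Statement 12-01-2021.com.exe Explorer.EXE "
    "PID 4100 set thread context of 2716 4100 Statement 12-01-2021.com.exe Explorer.EXE "
    "PID 3988 set thread context of 2716 3988 cmd.exe Explorer.EXE"
)
WRITE_PROCESS_MEMORY_ROWS = (
    "PID 3620 wrote to memory of 4100 3620 Statement 12-01-2021.com.exe Statement 12-01-2021.com.exe " * 6
    + "PID 2716 wrote to memory of 3988 2716 Explorer.EXE cmd.exe " * 3
    + "PID 3988 wrote to memory of 4224 3988 cmd.exe cmd.exe " * 3
)

ROW_RE = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+)")
API = {"set thread context of": "SetThreadContext", "wrote to memory of": "WriteProcessMemory"}


def parse_edges(*tables):
    """Count (source pid, API, target pid) edges across the given row tables."""
    edges = Counter()
    for table in tables:
        for src, verb, dst in ROW_RE.findall(table):
            edges[(int(src), API[verb], int(dst))] += 1
    return edges


def image_name(pid):
    """File name of the image the report attributes to this PID, lower-cased."""
    return PID_IMAGE[pid].rsplit("\\", 1)[-1].lower()


def from_user_writable(path):
    """Image launched from a per-user location rather than a system directory."""
    return path.lower().startswith("c:\\users\\")


def assess(edges):
    """Example triage rules over SetThreadContext edges (not the sandbox's own)."""
    findings = []
    for (src, api, dst), n in sorted(edges.items()):
        if api != "SetThreadContext":
            continue
        s, d = image_name(src), image_name(dst)
        if s == d and from_user_writable(PID_IMAGE[src]):
            findings.append((src, dst, f"{s} sets thread context of a second copy of itself (hollowing pattern)"))
        elif s != d:
            findings.append((src, dst, f"{s} sets thread context of {d} ({n} event(s))"))
    return findings


def context_without_write(edges):
    """(source, target) pairs with SetThreadContext but no WriteProcessMemory from that source."""
    writers = {(s, d) for (s, a, d) in edges if a == "WriteProcessMemory"}
    return sorted({(s, d) for (s, a, d) in edges if a == "SetThreadContext" and (s, d) not in writers})


def render_chain(edges):
    """One line per distinct edge, in PID order, for a quick read of the chain."""
    return [f"{s} {image_name(s)} --{a} x{n}--> {d} {image_name(d)}" for (s, a, d), n in sorted(edges.items())]


if __name__ == "__main__":
    edges = parse_edges(SET_THREAD_CONTEXT_ROWS, WRITE_PROCESS_MEMORY_ROWS)
    print("\n".join(render_chain(edges)))
    for src, dst, why in assess(edges):
        print(f"FLAG {src} -> {dst}: {why}")
    print("SetThreadContext without WriteProcessMemory:", context_without_write(edges))
```

The Explorer.EXE to cmd.exe and cmd.exe to cmd.exe WriteProcessMemory rows are parent-to-child writes and are parsed but not flagged; the rule is deliberately narrow so that the three SetThreadContext findings stand out. On a live host the same logic applies to Sysmon event ID 8 (CreateRemoteThread) and ID 10 (ProcessAccess) pairs once the source and target images are resolved the same way.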
Processes

PIDs are taken from the signature tables above; the depth numbers are the sandbox's process-tree levels.

1. C:\Windows\Explorer.EXE  (PID 2716)
   Command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Statement 12-01-2021.com.exe  (PID 3620)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Statement 12-01-2021.com.exe"
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\Statement 12-01-2021.com.exe  (PID 4100)
         Command line: "C:\Users\Admin\AppData\Local\Temp\Statement 12-01-2021.com.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\cmd.exe  (PID 3988)
      Command line: "C:\Windows\SysWOW64\cmd.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe  (PID 4224)
         Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Statement 12-01-2021.com.exe"

Read together with the signature tables, the chain is: the dropper (3620) loads a dropped DLL, starts a second copy of itself (4100), writes to it and sets its thread context, a pattern consistent with process hollowing; that copy, which carries the Xloader YARA hits, sets the thread context of Explorer.EXE (2716); Explorer then spawns cmd.exe (3988), which sets Explorer's thread context in turn and launches a second cmd.exe (4224) that deletes the original file from %TEMP%. The SeDebugPrivilege requests come from the two processes that perform the injection (4100 and 3988).
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Dropped file
  \Users\Admin\AppData\Local\Temp\nstA606.tmp\flfxltt.dll
  - MD5:    41986140e388b8d37885dce52f32306f
  - SHA1:   1e89e16a2f2d68f6d5af6519ce0e61d28c1f7c26
  - SHA256: 3d63725dd035a901cadb74b2f0a6942f91462bd79b72ccc2d8196a5e72885748
  - SHA512: e0d2a09e92c4805b99864703df41bd7f71a1c40d0ad8b209e679b6029ee75a7a80d11472ffaf63d2ce3c8f353a515c56321f14cb17b36b6be431a9173f692971
  (An ns*.tmp directory under %TEMP% is where NSIS installers unpack their plugin DLLs, which fits the "Loads dropped DLL" hit on PID 3620. The report itself does not name the packer, so confirm this against the static task before relying on it.)

Memory dumps
  - memory/2716-124-0x0000000004EA0000-0x0000000005013000-memory.dmp   1.4MB
  - memory/2716-127-0x0000000002510000-0x00000000025F2000-memory.dmp   904KB
  - memory/2716-134-0x0000000005020000-0x00000000051A1000-memory.dmp   1.5MB
  - memory/3988-128-0x0000000000000000-mapping.dmp
  - memory/3988-129-0x0000000001360000-0x00000000013B9000-memory.dmp   356KB
  - memory/3988-130-0x0000000000740000-0x0000000000769000-memory.dmp   164KB  (xloader YARA hit)
  - memory/3988-132-0x0000000000FE0000-0x0000000001300000-memory.dmp   3.1MB
  - memory/3988-133-0x0000000000ED0000-0x0000000000F60000-memory.dmp   576KB
  - memory/4100-119-0x0000000000400000-0x0000000000429000-memory.dmp   164KB  (xloader YARA hit)
  - memory/4100-120-0x000000000041D430-mapping.dmp                     (xloader YARA hit)
  - memory/4100-122-0x0000000000A00000-0x0000000000D20000-memory.dmp   3.1MB
  - memory/4100-123-0x00000000009E0000-0x00000000009F1000-memory.dmp   68KB
  - memory/4100-125-0x0000000000400000-0x0000000000429000-memory.dmp   164KB  (xloader YARA hit)
  - memory/4100-126-0x0000000002770000-0x0000000002781000-memory.dmp   68KB
  - memory/4224-131-0x0000000000000000-mapping.dmp

The two regions the YARA rule matches are the same size (0x29000, 164KB): the image range at 0x400000 in the hollowed copy (4100) and the 0x740000 region in cmd.exe (3988), so the 4100-119/4100-125 and 3988-130 dumps are the ones to pull for unpacked-payload analysis.