Analysis
Max time kernel: 117s
Max time network: 117s
Platform: windows7_x64
Resource: win7-en-20211104
Submitted: 03-12-2021 10:52
Static task: static1
Behavioral task: behavioral1
Sample: 9ec07103c052555c630c02674ceff8d8.exe
Resource: win7-en-20211104
General
Target: 9ec07103c052555c630c02674ceff8d8.exe
Size: 654KB
MD5: 9ec07103c052555c630c02674ceff8d8
SHA1: ebde834f4e440a9f560a5ef41831832e5396f82d
SHA256: 99ce2e68255b2f3b1ee1934af1eacd280a096adaedcaa2df1f03e8d9ee01e860
SHA512: c21b211407903c8bbb3e492adaf155c1751b180efc1de7dcc6cd65194f0ba32c5271c7e0a49b5634d8a376831149f912d7bc18d5965465a6a68c42e3e1ba86e8
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: ea0r
C2: http://www.asiapubz-hk.com/ea0r/
Domains (64):
lionheartcreativestudios.com
konzertmanagement.com
blackpanther.online
broychim-int.com
takut18.com
txstarsolar.com
herdsherpa.com
igorshestakov.com
shinesbox.com
reflectpkljlt.xyz
oiltoolshub.com
viralmoneychallenge.com
changingalphastrategies.com
mecitiris.com
rdadmin.online
miniambiente.com
kominarcine.com
pino-almond.com
heihit.xyz
junqi888.com
metalumber.com
sclvfu.com
macanostore.online
projecturs.com
ahcprp.com
gztyfnrj.com
lospacenos.com
tak-etranger.com
dingermail.com
skiin.club
ystops.com
tnboxes.com
ccafgz.com
info1337.xyz
platinum24.top
hothess.com
novelfinancewhite.xyz
theselectdifference.com
flufca.com
giftcodefreefirevns.com
kgv-lachswehr.com
report-alfarabilabs.com
skeetones.com
4bcinc.com
americamr.com
wewonacademy.com
evrazavto.store
true-fanbox.com
greencofiji.com
threecommaspartners.com
hgtradingcoltd.com
xihe1919.com
241mk.com
helplockedout.com
wefundprojects.com
neosecure.store
purenewsworldwide.com
luckylottovip999.com
lottidobler.com
proyectohaciendohistoria.com
raintm.com
theproducerformula.com
trademarkitforyourself.com
ottaweed.com
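The config above gives a campaign path ("ea0r"), one C2 URL and a list of 64 domains. The following is an added example, not part of the sandbox report, showing how a practitioner would turn that config into hunting indicators and run them over proxy log lines. It rests on one assumption that the page itself does not state, taken from public Xloader/Formbook analyses: the sample beacons to each listed domain as http://www.<domain>/<campaign>/, so a listed host combined with the /ea0r/ path is a high-confidence match, while a listed host alone is weak evidence (most of the list is decoy traffic to unrelated sites). The log lines are constructed for the example; only the first five domains of the list are embedded, the rest can be appended to DOMAINS.

```python
"""Hunting indicators derived from the extracted Xloader config, run over
constructed proxy-log lines.  Added example, not part of the sandbox report.
Assumption (not stated on the page, drawn from public Xloader/Formbook
analyses): the malware beacons to every listed domain as
http://www.<domain>/<campaign>/, so the campaign path "/ea0r/" is the
high-confidence part of the indicator, while a listed domain alone is weak
(most of the list is decoy traffic to otherwise unrelated sites)."""
from __future__ import annotations

import re
from urllib.parse import urlsplit

CAMPAIGN_PATH = "/ea0r/"                          # campaign ID from the config
OBSERVED_C2 = "http://www.asiapubz-hk.com/ea0r/"  # C2 URL from the config
# First entries of the 64-domain list on this page; extend with the rest as needed.
DOMAINS = [
    "lionheartcreativestudios.com",
    "konzertmanagement.com",
    "blackpanther.online",
    "broychim-int.com",
    "takut18.com",
]


def normalize_host(host: str) -> str:
    """Lower-case, strip a trailing dot and a leading www. so variants compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def indicator_domains() -> set[str]:
    """Observed C2 host plus every domain from the list, normalised."""
    hosts = {normalize_host(urlsplit(OBSERVED_C2).hostname or "")}
    hosts.update(normalize_host(d) for d in DOMAINS)
    return hosts


def candidate_urls() -> list[str]:
    """Beacon URLs the sample would try, under the assumption in the docstring."""
    return sorted(f"http://www.{d}{CAMPAIGN_PATH}" for d in indicator_domains())


def classify_url(url: str) -> str:
    """'beacon': listed host and campaign path (high confidence).
    'domain-only': listed host, other path (low confidence; likely decoy or legit browsing).
    '': no match."""
    parts = urlsplit(url)
    host = normalize_host(parts.hostname or "")
    if host not in indicator_domains():
        return ""
    if parts.path.startswith(CAMPAIGN_PATH):
        return "beacon"
    return "domain-only"


# Constructed proxy lines for the example: "<epoch> <client ip> <method> <url> <status>".
LOG_LINES = [
    "1638528720.001 10.0.0.5 GET http://www.asiapubz-hk.com/ea0r/ 200",
    "1638528721.002 10.0.0.5 POST http://www.takut18.com/ea0r/ 404",
    "1638528722.003 10.0.0.7 GET https://www.blackpanther.online/about.html 200",
    "1638528723.004 10.0.0.9 GET http://example.org/ea0r/ 200",
]
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\d{3})$")


def hunt(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (client, url, verdict) for every line that matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently mis-classify
        _ts, client, _method, url, _status = m.groups()
        verdict = classify_url(url)
        if verdict:
            hits.append((client, url, verdict))
    return hits


if __name__ == "__main__":
    for client, url, verdict in hunt(LOG_LINES):
        print(f"{verdict:12} {client:10} {url}")
```

Note that the path match is what separates a beacon from ordinary traffic to a decoy domain; a 404 on a decoy is still a beacon attempt by this host and worth triaging, while a plain page view of a listed domain should only raise priority if the same client also produced a path match.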
Signatures

Xloader Payload (2 IoCs)
resource | yara_rule
behavioral1/memory/432-57-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral1/memory/432-58-0x000000000041D410-mapping.dmp | xloader

Loads dropped DLL (1 IoC)
pid | process
1368 | 9ec07103c052555c630c02674ceff8d8.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | process | target process
PID 1368 set thread context of 432 | 1368 | 9ec07103c052555c630c02674ceff8d8.exe | 9ec07103c052555c630c02674ceff8d8.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description for the signature; the extracted config identifies the sample as Xloader, an information stealer, so the storage enumeration should not be read as ransomware activity here.)

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | process
432 | 9ec07103c052555c630c02674ceff8d8.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | process | target process
PID 1368 wrote to memory of 432 | 1368 | 9ec07103c052555c630c02674ceff8d8.exe | 9ec07103c052555c630c02674ceff8d8.exe
(the same row is reported 7 times, one per write into the child)
Processes
1. C:\Users\Admin\AppData\Local\Temp\9ec07103c052555c630c02674ceff8d8.exe (PID 1368)
   command line: "C:\Users\Admin\AppData\Local\Temp\9ec07103c052555c630c02674ceff8d8.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\9ec07103c052555c630c02674ceff8d8.exe (PID 432, child of PID 1368)
      command line: "C:\Users\Admin\AppData\Local\Temp\9ec07103c052555c630c02674ceff8d8.exe"
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsyCB6B.tmp\abuzfzrzkg.dll
  MD5: 62c704f52892ef91ba52080a3840fdc9
  SHA1: 110eb4c9b6dbe5c37a5a8e1f86d71d96c45a6a82
  SHA256: 8f92430d41cbbaf0cedec9eec04101fe6b047532448110d4e4c9babb63a55cfc
  SHA512: 60f853f5be7996f7dd5daa00a6c80abb576307f8cf60600e2162d4761e122bb3bb5422b9b946971852439b0b50865412dc0039c24c2ff773201238bc0dcbfe7b
  (a DLL loaded from an ns*.tmp directory under %TEMP% is the naming pattern NSIS installers use for their plugin directory, which matches the "Loads dropped DLL" signature on PID 1368)
- memory/432-57-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/432-58-0x000000000041D410-mapping.dmp
- memory/432-59-0x0000000000770000-0x0000000000A73000-memory.dmp
  Filesize: 3.0MB
- memory/1368-55-0x0000000074F01000-0x0000000074F03000-memory.dmp
  Filesize: 8KB
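The signature rows and the memory-dump entries together describe one injection chain: PID 1368 starts a child with the same image (PID 432), writes into it seven times, sets its thread context, and the Xloader YARA rule then matches a 164KB region at the child's 0x400000 image base plus a mapping entry at 0x41D410 inside that region. The script below is an added example, not tooling from the sandbox, that parses those rows (copied from this page into Python literals so it runs offline), checks that each reported dump size agrees with the address range in the dump name, and reduces the evidence to a process-hollowing verdict with the payload region and the RVA of the mapped address. The row formats are the flattened ones shown on this page; no other sandbox output format is assumed.

```python
"""Rebuild the injection chain from the signature rows and memory-dump entries
of this report.  Added example, not part of the sandbox report or its tooling;
the rows below are copied from the page into literals so the script runs offline."""
from __future__ import annotations

import re
from collections import Counter

EXE = "9ec07103c052555c630c02674ceff8d8.exe"

# Signature rows as flattened on the page:
# "PID <actor> <action> <target> <actor> <image> <target image>".
SIG_ROWS = [f"PID 1368 set thread context of 432 1368 {EXE} {EXE}"] + \
           [f"PID 1368 wrote to memory of 432 1368 {EXE} {EXE}"] * 7

# Memory-dump entries (name, reported size or None) and the YARA tag shown for them.
DUMP_ROWS = [
    ("memory/432-57-0x0000000000400000-0x0000000000429000-memory.dmp", "164KB"),
    ("memory/432-58-0x000000000041D410-mapping.dmp", None),
    ("memory/432-59-0x0000000000770000-0x0000000000A73000-memory.dmp", "3.0MB"),
    ("memory/1368-55-0x0000000074F01000-0x0000000074F03000-memory.dmp", "8KB"),
]
YARA = {DUMP_ROWS[0][0]: "xloader", DUMP_ROWS[1][0]: "xloader"}

SIG_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\S+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9a-fA-F]+)(?:-0x([0-9a-fA-F]+))?-(memory|mapping)\.dmp$")


def parse_sig(row: str) -> dict:
    m = SIG_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised signature row: {row}")
    actor, action, target, image, target_image = m.groups()
    return {"actor": int(actor), "action": action, "target": int(target),
            "image": image, "target_image": target_image}


def parse_dump(name: str, reported: str | None) -> dict:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, start, end, kind = m.groups()
    return {"name": name, "pid": int(pid), "start": int(start, 16),
            "end": int(end, 16) if end else None, "kind": kind, "reported": reported}


def human_size(n: int) -> str:
    """Same rounding the report uses: whole KB below 1MB, one decimal of MB above."""
    return f"{n / 1048576:.1f}MB" if n >= 1048576 else f"{n // 1024}KB"


def size_consistent(dump: dict) -> bool:
    """True when the printed size equals the region length encoded in the dump name."""
    if dump["end"] is None:              # a mapping entry carries an address, not a range
        return dump["reported"] is None
    return human_size(dump["end"] - dump["start"]) == dump["reported"]


def hollowing_verdict(sig_rows=SIG_ROWS, dump_rows=DUMP_ROWS, yara=YARA) -> list[dict]:
    """One verdict per (actor, target) pair that received a SetThreadContext."""
    sigs = [parse_sig(r) for r in sig_rows]
    dumps = [parse_dump(n, s) for n, s in dump_rows]
    counts = Counter((s["actor"], s["target"], s["action"]) for s in sigs)
    verdicts = []
    for (actor, target, action), _n in counts.items():
        if action != "set thread context of":
            continue
        writes = counts.get((actor, target, "wrote to memory of"), 0)
        same_image = all(s["image"] == s["target_image"]
                         for s in sigs if s["actor"] == actor and s["target"] == target)
        # YARA-tagged region in the target and the mapping address, if it lies inside it.
        tagged = [d for d in dumps if d["pid"] == target and d["kind"] == "memory" and d["name"] in yara]
        mappings = [d for d in dumps if d["pid"] == target and d["kind"] == "mapping"]
        payload = tagged[0] if tagged else None
        rva = None
        if payload and mappings and payload["start"] <= mappings[0]["start"] < payload["end"]:
            rva = mappings[0]["start"] - payload["start"]
        verdicts.append({
            "source_pid": actor, "target_pid": target, "same_image": same_image,
            "write_count": writes,
            "payload_region": (payload["start"], payload["end"]) if payload else None,
            "payload_rule": yara.get(payload["name"]) if payload else None,
            "entry_rva": rva,
            # same-image child + writes + context change + tagged image-base region
            "hollowing": same_image and writes > 0 and payload is not None,
        })
    return verdicts


if __name__ == "__main__":
    for v in hollowing_verdict():
        print(v)
    print("sizes consistent:", all(size_consistent(parse_dump(n, s)) for n, s in DUMP_ROWS))
```

The verdict keys the practitioner acts on are the payload region (dump the 0x400000-0x429000 range of PID 432 for static analysis rather than the 654KB dropper) and the entry RVA, which locates the address the context was pointed at inside that image. The same parsing applies unchanged to another report from this sandbox as long as the row layout matches.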