Analysis

max time kernel: 148s
max time network: 150s
platform: windows10_x64
resource: win10-en-20211208
submitted: 10-12-2021 10:18

Tasks: static1 (static analysis); behavioral1 (sample PENDING SOA.exe, resource win7-en-20211208). The behavioral results below come from the windows10_x64 task (behavioral2, resource win10-en-20211208), which is the task the YARA dump paths refer to.
General

Target: PENDING SOA.exe
Size: 510KB
MD5: 02f70a35c51b230bd5e71a1eb4c6ab1a
SHA1: 6d462c2499c0061761a60a269110b4397d50ad97
SHA256: 9eb83b030fff6874a3a944d6f8c97f8e9930075891cfa0a62e01625c89396c1b
SHA512: fa7119e692eaf2b0a0e7db8ca474a1525ce7c368fb7b2c135e97b1ff58a46039619f7e9f80b4fa3174d27d86c20b684387f45dd313aafdbf0cbf0e4cff6b5b71
Malware Config

Extracted
Family: xloader
Version: 2.5
Campaign ID: ea0r
C2: http://www.asiapubz-hk.com/ea0r/

Decoy domains (XLoader, like Formbook before it, beacons to a batch of these alongside the real C2 using the same campaign path; they are cover traffic and several are ordinary registered sites, so the list identifies the campaign's check-in pattern rather than a set of hosts to block outright):
lionheartcreativestudios.com
konzertmanagement.com
blackpanther.online
broychim-int.com
takut18.com
txstarsolar.com
herdsherpa.com
igorshestakov.com
shinesbox.com
reflectpkljlt.xyz
oiltoolshub.com
viralmoneychallenge.com
changingalphastrategies.com
mecitiris.com
rdadmin.online
miniambiente.com
kominarcine.com
pino-almond.com
heihit.xyz
junqi888.com
metalumber.com
sclvfu.com
macanostore.online
projecturs.com
ahcprp.com
gztyfnrj.com
lospacenos.com
tak-etranger.com
dingermail.com
skiin.club
ystops.com
tnboxes.com
ccafgz.com
info1337.xyz
platinum24.top
hothess.com
novelfinancewhite.xyz
theselectdifference.com
flufca.com
giftcodefreefirevns.com
kgv-lachswehr.com
report-alfarabilabs.com
skeetones.com
4bcinc.com
americamr.com
wewonacademy.com
evrazavto.store
true-fanbox.com
greencofiji.com
threecommaspartners.com
hgtradingcoltd.com
xihe1919.com
241mk.com
helplockedout.com
wefundprojects.com
neosecure.store
purenewsworldwide.com
luckylottovip999.com
lottidobler.com
proyectohaciendohistoria.com
raintm.com
theproducerformula.com
trademarkitforyourself.com
ottaweed.com
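Because the real C2 and the decoys share the campaign path, a proxy-log hunt should key on the path and use the host only to rank the hit. The script below is an added example (not part of the sandbox report or of any vendor tooling): the path, the C2 host and a subset of the decoy domains are copied from the config above, while the squid-style proxy lines are constructed for the example. A request to a decoy domain's root page is deliberately not flagged, and a request with the campaign path to a host that is not in the config is flagged as a possible rotated C2.

```python
"""Flag XLoader check-in traffic in web-proxy logs using the extracted config.

Added example; not part of the sandbox report. The campaign path, C2 host
and decoy hosts are copied from the report's Malware Config (only a subset
of the 63 decoys is included). The proxy lines are constructed.
"""
from urllib.parse import urlsplit

CAMPAIGN_PATH = "/ea0r/"
C2_HOSTS = {"www.asiapubz-hk.com"}
DECOY_HOSTS = {
    "lionheartcreativestudios.com", "konzertmanagement.com",
    "blackpanther.online", "broychim-int.com", "takut18.com",
    "txstarsolar.com", "herdsherpa.com", "reflectpkljlt.xyz",
    "ottaweed.com",
}

# Constructed squid-style lines: epoch client method url status
PROXY_LOG = """\
1639131500.101 10.0.0.5 GET http://www.asiapubz-hk.com/ea0r/?Ab12=ZGVhZGJlZWY 200
1639131501.220 10.0.0.5 GET http://konzertmanagement.com/ea0r/?Ab12=ZGVhZGJlZWY 404
1639131502.330 10.0.0.7 GET http://konzertmanagement.com/ 200
1639131503.440 10.0.0.5 POST http://reflectpkljlt.xyz/ea0r/ 200
1639131504.550 10.0.0.5 GET http://newly-rotated.example/ea0r/?Zq=1 200
1639131505.660 10.0.0.9 GET http://intranet.example/ea0r/docs 200
"""


def normalise_host(host):
    """Lower-case and drop a leading 'www.' so config and log hosts compare."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def verdict(url):
    """Classify one URL; None when it does not carry the campaign path."""
    parts = urlsplit(url)
    if parts.path != CAMPAIGN_PATH:          # exact path; the query string varies
        return None
    host = normalise_host(parts.hostname or "")
    if host in {normalise_host(h) for h in C2_HOSTS}:
        return "c2"
    if host in {normalise_host(h) for h in DECOY_HOSTS}:
        return "decoy"
    # Campaign path on a host the config does not list: treat as a possibly
    # rotated C2 rather than as noise.
    return "unlisted_host"


def triage(log_text):
    """Return one record per log line that matches the campaign path."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                          # malformed line, skip
        _ts, client, _method, url, status = fields
        kind = verdict(url)
        if kind:
            hits.append({"client": client, "host": urlsplit(url).hostname,
                         "verdict": kind, "status": int(status)})
    return hits


def summarise(hits):
    """Per-client verdict counts; any 'c2' or 'unlisted_host' hit marks a host to isolate."""
    summary = {}
    for h in hits:
        counts = summary.setdefault(h["client"], {"c2": 0, "decoy": 0, "unlisted_host": 0})
        counts[h["verdict"]] += 1
    return summary


if __name__ == "__main__":
    found = triage(PROXY_LOG)
    for h in found:
        print(f"{h['client']} -> {h['host']} [{h['verdict']}] HTTP {h['status']}")
    print(summarise(found))
```

Matching on the path alone would also catch traffic to whichever of the decoys happens to be the real C2 in another sample of the same campaign; the host label only tells the analyst how confident to be in a given hit.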
Signatures

Xloader Payload (3 IoCs)
YARA rule "xloader" matched in:
- behavioral2/memory/784-116-0x0000000000400000-0x0000000000429000-memory.dmp
- behavioral2/memory/784-117-0x000000000041D410-mapping.dmp
- behavioral2/memory/4024-125-0x0000000002E00000-0x0000000002E29000-memory.dmp

Loads dropped DLL (1 IoC)
- PID 3800 PENDING SOA.exe

Suspicious use of SetThreadContext (3 IoCs)
- PID 3800 PENDING SOA.exe set thread context of PID 784 PENDING SOA.exe
- PID 784 PENDING SOA.exe set thread context of PID 2612 Explorer.EXE
- PID 4024 svchost.exe set thread context of PID 2612 Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description for the signature; XLoader is an information stealer, and nothing else in this report shows encryption activity, so the drive enumeration should not be read as ransomware on its own.)

Suspicious behavior: EnumeratesProcesses (60 IoCs)
- PID 784 PENDING SOA.exe (4 events)
- PID 4024 svchost.exe (56 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 2612 Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
- PID 784 PENDING SOA.exe (3 events)
- PID 4024 svchost.exe (2 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- PID 784 PENDING SOA.exe: Token SeDebugPrivilege
- PID 4024 svchost.exe: Token SeDebugPrivilege

Suspicious use of WriteProcessMemory (12 IoCs)
- PID 3800 PENDING SOA.exe wrote to memory of PID 784 PENDING SOA.exe (6 events)
- PID 2612 Explorer.EXE wrote to memory of PID 4024 svchost.exe (3 events)
- PID 4024 svchost.exe wrote to memory of PID 4056 cmd.exe (3 events)

Read together, these signatures describe the usual XLoader injection chain: the dropper (PID 3800) starts a second copy of itself (PID 784), writes into it and redirects its thread (process hollowing); the hollowed copy enables SeDebugPrivilege, maps a section into Explorer.EXE (PID 2612) and hijacks a thread there; Explorer, now running injected code, starts a 32-bit svchost.exe (PID 4024) and writes the payload into it; svchost.exe becomes the resident stealer and launches cmd.exe (PID 4056) to delete the original executable. The 164KB YARA-matched regions in PID 784 and PID 4024 are the same unpacked payload image at two different stages of that chain.
Processes

C:\Windows\Explorer.EXE (PID 2612)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\PENDING SOA.exe (PID 3800)
    command line: "C:\Users\Admin\AppData\Local\Temp\PENDING SOA.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\PENDING SOA.exe (PID 784)
      command line: "C:\Users\Admin\AppData\Local\Temp\PENDING SOA.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\svchost.exe (PID 4024)
    command line: "C:\Windows\SysWOW64\svchost.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 4056)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\PENDING SOA.exe"
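The injection chain above is easier to reason about as a graph of (source, target) edges labelled by which APIs the sandbox saw on each edge. The script below is an added example, not part of the sandbox report or of any vendor tooling: the event lines are the report's SetThreadContext and WriteProcessMemory signatures transcribed one event per line, and the parent map is taken from the process tree. The same rules would apply to Sysmon event 8/10 data or any other per-edge API telemetry; the classification names are this example's own.

```python
"""Classify the injection edges in the report's signature data.

Added example; not part of the sandbox report. EVENT_LINES and PARENTS are
transcribed from the report (constructed input format: api|src pid|src
image|dst pid|dst image, one line per recorded event).
"""
from collections import defaultdict

EVENT_LINES = """\
SetThreadContext|3800|PENDING SOA.exe|784|PENDING SOA.exe
SetThreadContext|784|PENDING SOA.exe|2612|Explorer.EXE
SetThreadContext|4024|svchost.exe|2612|Explorer.EXE
WriteProcessMemory|3800|PENDING SOA.exe|784|PENDING SOA.exe
WriteProcessMemory|3800|PENDING SOA.exe|784|PENDING SOA.exe
WriteProcessMemory|3800|PENDING SOA.exe|784|PENDING SOA.exe
WriteProcessMemory|3800|PENDING SOA.exe|784|PENDING SOA.exe
WriteProcessMemory|3800|PENDING SOA.exe|784|PENDING SOA.exe
WriteProcessMemory|3800|PENDING SOA.exe|784|PENDING SOA.exe
WriteProcessMemory|2612|Explorer.EXE|4024|svchost.exe
WriteProcessMemory|2612|Explorer.EXE|4024|svchost.exe
WriteProcessMemory|2612|Explorer.EXE|4024|svchost.exe
WriteProcessMemory|4024|svchost.exe|4056|cmd.exe
WriteProcessMemory|4024|svchost.exe|4056|cmd.exe
WriteProcessMemory|4024|svchost.exe|4056|cmd.exe
"""

# child pid -> parent pid, from the report's process tree
PARENTS = {3800: 2612, 784: 3800, 4024: 2612, 4056: 4024}
IMAGES = {2612: "Explorer.EXE", 3800: "PENDING SOA.exe", 784: "PENDING SOA.exe",
          4024: "svchost.exe", 4056: "cmd.exe"}


def parse_events(text):
    """Return (api, src_pid, dst_pid) tuples, one per recorded event."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        api, src, _src_img, dst, _dst_img = line.split("|")
        events.append((api, int(src), int(dst)))
    return events


def edge_apis(events):
    """Collect the set of APIs seen on each (source, target) edge."""
    apis = defaultdict(set)
    for api, src, dst in events:
        apis[(src, dst)].add(api)
    return apis


def classify(events, parents):
    """Label every edge.

    self_hollowing : source wrote into its own child running the same image
                     and then replaced the child's thread context.
    hollowing      : write plus thread-context change into any other process.
    context_hijack : thread context changed with no write from the same
                     source, so the code arrived another way (the report's
                     MapViewOfSection hits on PID 784 and 4024 fit this).
    write_only     : memory written, no thread-context change recorded.
    """
    labels = {}
    for (src, dst), apis in edge_apis(events).items():
        if {"WriteProcessMemory", "SetThreadContext"} <= apis:
            same_image_child = parents.get(dst) == src and IMAGES[src] == IMAGES[dst]
            labels[(src, dst)] = "self_hollowing" if same_image_child else "hollowing"
        elif "SetThreadContext" in apis:
            labels[(src, dst)] = "context_hijack"
        else:
            labels[(src, dst)] = "write_only"
    return labels


def shared_targets(labels):
    """Processes whose thread context was taken over by more than one source."""
    sources = defaultdict(set)
    for (src, dst), kind in labels.items():
        if kind in ("self_hollowing", "hollowing", "context_hijack"):
            sources[dst].add(src)
    return {dst: srcs for dst, srcs in sources.items() if len(srcs) > 1}


if __name__ == "__main__":
    labels = classify(parse_events(EVENT_LINES), PARENTS)
    for (src, dst), kind in sorted(labels.items()):
        print(f"{IMAGES[src]}({src}) -> {IMAGES[dst]}({dst}): {kind}")
    print("targets hijacked from more than one source:", shared_targets(labels))
```

Explorer.EXE showing up as a target of two different sources is the tell for this family: the hollowed dropper hands control to Explorer, and the svchost.exe that Explorer spawns reaches back into it again.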
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nstA654.tmp\pviksgmp.dll
MD5: 515939f29b306526ef6dc808efa3e424
SHA1: c910914e3b56ca1ef9adae9329937294eb519d91
SHA256: d6f9a8f51e28a1f018494e71b362fd092e847a421ba2807cd5de8669ded68dcc
SHA512: e62c5a450cab8c794fa921f467ed2491fe15588372a2b5f9502d8c02da9e8944fd5ece0cceeb29075ed34c657f796926a3c72b38f74af573b10a00079e1a114c

This is the DLL behind the "Loads dropped DLL" signature on PID 3800. An ns*.tmp directory under %TEMP% is where NSIS installers unpack their plugin DLLs, so the dropper is an NSIS-packaged loader and the DLL is the stage that unpacks and hollows the payload into PID 784.
-
- memory/784-116-0x0000000000400000-0x0000000000429000-memory.dmp, 164KB (YARA: xloader; the unpacked payload image in the hollowed PENDING SOA.exe)
- memory/784-117-0x000000000041D410-mapping.dmp (YARA: xloader; the address lies inside the 0x400000-0x429000 image above)
- memory/784-119-0x0000000000A20000-0x0000000000D40000-memory.dmp, 3.1MB
- memory/784-120-0x00000000006F0000-0x0000000000701000-memory.dmp, 68KB
- memory/2612-121-0x00000000069D0000-0x0000000006B0A000-memory.dmp, 1.2MB
- memory/2612-128-0x0000000000EB0000-0x0000000000F48000-memory.dmp, 608KB
- memory/4024-122-0x0000000000000000-mapping.dmp
- memory/4024-124-0x0000000000940000-0x000000000094C000-memory.dmp, 48KB
- memory/4024-125-0x0000000002E00000-0x0000000002E29000-memory.dmp, 164KB (YARA: xloader; the same 0x29000-byte image as in PID 784, now resident in svchost.exe)
- memory/4024-126-0x0000000002E30000-0x0000000002F7A000-memory.dmp, 1.3MB
- memory/4024-127-0x00000000032E0000-0x0000000003370000-memory.dmp, 576KB
- memory/4056-123-0x0000000000000000-mapping.dmp