Analysis
- max time kernel: 123s
- max time network: 124s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 17-12-2021 15:59
- Static task: static1
- Behavioral task: behavioral1
- Sample: cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
- Resource: win7-en-20211208
General
- Target: cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
- Size: 939KB
- MD5: cd1f4fa4338ae35dc3e24b7d4fdd2c36
- SHA1: 35585771c3637ad3df287166a5873f1587003194
- SHA256: 85bccf48bd69110456515b5b1fc35fc21c6d983e67c162ab14fb7d8f66616e71
- SHA512: 629cbd4806d4aa68c7f4223180d5c2a06378c9a5f1b7c3587f6e3f375ce5fdbc7eff20b0e9f24458d6c0eaa41c79ef786bd54b0e7c7eebf3a1c103b4eff4c669
Malware Config
Extracted
xloader
2.5
ea0r
lionheartcreativestudios.com
konzertmanagement.com
blackpanther.online
broychim-int.com
takut18.com
txstarsolar.com
herdsherpa.com
igorshestakov.com
shinesbox.com
reflectpkljlt.xyz
oiltoolshub.com
viralmoneychallenge.com
changingalphastrategies.com
mecitiris.com
rdadmin.online
miniambiente.com
kominarcine.com
pino-almond.com
heihit.xyz
junqi888.com
metalumber.com
sclvfu.com
macanostore.online
projecturs.com
ahcprp.com
gztyfnrj.com
lospacenos.com
tak-etranger.com
dingermail.com
skiin.club
ystops.com
tnboxes.com
ccafgz.com
info1337.xyz
platinum24.top
hothess.com
novelfinancewhite.xyz
theselectdifference.com
flufca.com
giftcodefreefirevns.com
kgv-lachswehr.com
report-alfarabilabs.com
skeetones.com
4bcinc.com
americamr.com
wewonacademy.com
evrazavto.store
true-fanbox.com
greencofiji.com
threecommaspartners.com
hgtradingcoltd.com
xihe1919.com
241mk.com
helplockedout.com
wefundprojects.com
neosecure.store
purenewsworldwide.com
luckylottovip999.com
lottidobler.com
proyectohaciendohistoria.com
raintm.com
theproducerformula.com
trademarkitforyourself.com
ottaweed.com
asiapubz-hk.com
Signatures
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes: cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
-
Neshta
Malware from the Neshta family infects other executable files in order to spread itself and cause damage.
-
Xloader Payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/756-119-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/756-120-0x000000000041D410-mapping.dmp | xloader
-
Executes dropped EXE 2 IoCs
Processes: cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe, cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
pid | process
3028 | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
756 | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
-
Loads dropped DLL 1 IoCs
Processes: cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
pid | process
3028 | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Suspicious use of SetThreadContext 1 IoCs
Processes: cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
description | pid | process | target process
PID 3028 set thread context of 756 | 3028 | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
-
Drops file in Program Files directory 53 IoCs
Processes: cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
description | ioc | process
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\Google\Update\DISABL~1.EXE | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\wab.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\WinMail.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmlaunch.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\WINDOW~2\wabmig.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmprph.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpconfig.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\INTERN~1\ExtExport.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
File opened for modification | C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
-
Drops file in Windows directory 1 IoCs
Processes: cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
description | ioc | process
File opened for modification | C:\Windows\svchost.com | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 6 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe | nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\3582-490\cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe | nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\3582-490\cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe | nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\3582-490\cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe | nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\3582-490\cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe | nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\3582-490\cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe | nsis_installer_2
-
Modifies registry class 1 IoCs
Processes: cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
pid | process
756 | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
756 | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes: cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe, cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
description | pid | process | target process
PID 3828 wrote to memory of 3028 | 3828 | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
PID 3828 wrote to memory of 3028 | 3828 | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
PID 3828 wrote to memory of 3028 | 3828 | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
PID 3028 wrote to memory of 756 | 3028 | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
PID 3028 wrote to memory of 756 | 3028 | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
PID 3028 wrote to memory of 756 | 3028 | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
PID 3028 wrote to memory of 756 | 3028 | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
PID 3028 wrote to memory of 756 | 3028 | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
PID 3028 wrote to memory of 756 | 3028 | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe | cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3582-490\cd1f4fa4338ae35dc3e24b7d4fdd2c36.exe
MD5: b85c005de5b04c0ba376f72cc932f26b
SHA1: 04441b6a52530284bdeaa3c4ac4504d71c14101c
SHA256: 7dfac85dbd9ce80d656f5cd2b657705975023c370a3f9ddd4fd63cb244862c40
SHA512: b450731148a32b503471dec833203fc434d07eaf6ae28c1cef0814a5115ddfb64a5028d1519484df0652c83732b1e6290094b5c3bd28e6e53710fcf9c3802574
-
\Users\Admin\AppData\Local\Temp\nsxBD18.tmp\ptinspeue.dll
MD5: 5457aaa44c13127b579f7529bfb97777
SHA1: d24af0e9239ce8b5324774aae5e88bf5fbdaad7c
SHA256: 073036bc85bc012b4ed70b9a469708f5b2a9744bd4a943b4c9e3d2d3d48b0c99
SHA512: b0808c68815e090c3420614bfd6e81cb05d349e5bf5bc4edff6e1d3ff1df18ceb7d8a9f2c5cbb7a244fd387051b5143cf16903d94385c0c72451e17bcccba3a0
-
memory/756-119-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize: 164KB
-
memory/756-120-0x000000000041D410-mapping.dmp
-
memory/756-122-0x0000000000A30000-0x0000000000D50000-memory.dmp
Filesize: 3.1MB
-
memory/3028-115-0x0000000000000000-mapping.dmp