Analysis
max time kernel: 122s
max time network: 124s
platform: windows10_x64
resource: win10-en-20211208
submitted: 17-12-2021 16:02
Static task: static1
General
Target: b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe
Size: 457KB
MD5: e4133afba26efde5b01959df65c3eeb4
SHA1: ea2b48d0f50918e47b4657fd5774c2766c640f0a
SHA256: b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255
SHA512: 563b0a1c9663c7c8a768ca6a50e8a27aa775a15282bf9dc00dc03d24ce8114a4c521d250e8ca49dea05549b791806dcd91bb856f8aa725155b2d52c19f7392ba
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign ID: fqiq
Domains (XLoader configurations bundle the live C2 domain with a list of decoy domains; the extracted list does not mark which entry is live, so treat every entry as an indicator but none as confirmed C2 on its own):
driventow.com
ipatchwork.today
bolder.equipment
seal-brother.com
mountlaketerraceapartments.com
weeden.xyz
sanlifalan.com
athafood.com
isshinn1.com
creationslazzaroni.com
eclecticrenaissancewoman.com
satellitephonstore.com
cotchildcare.com
yamacorp.digital
ff4cuno43.xyz
quicksticks.community
govindfinance.com
farmersfirstseed.com
megacinema.club
tablescaperendezvous4two.com
ecarehomes.com
floaterslaser.com
benisano.com
saint444.com
thedusi.com
avafxtrade.online
hanenosuke.com
suntioil4u.com
healthyweekendtips.com
24000words.com
ofbchina.net
begukiu0.info
wolmoda.com
mask60.com
4bellemaison.com
mambacustomboats.com
sedsn.com
doggycc.com
kangrungao.com
pharmacistcharisma.com
passiverewardssystems.com
qywyfeo8.xyz
shenjiclass.com
rdoi.top
lavishbynovell.com
fleetton.com
hillcresthomegroup.com
hartfulcleaning.com
srofkansas.com
applebroog.industries
phillytrainers.com
dmc--llc.com
sosoon.store
daysyou.com
controldatasa.com
markarge.com
hirayaawards.com
clinicscluster.com
sophiagunterman.art
kirtansangeet.com
residential.insure
ribbonofficial.com
qianhaijcc.com
fytvankin.quest
esyscoloradosprings.com
Signatures

Xloader Payload (2 IoCs)
YARA rule "xloader" matched these resources:
behavioral1/memory/3476-116-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral1/memory/3476-117-0x000000000041D4B0-mapping.dmp

Loads dropped DLL (1 IoC)
PID 2636, b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe

Suspicious use of SetThreadContext (1 IoC)
PID 2636 (b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe) set thread context of PID 3476 (b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "Likely ransomware behaviour"; the extracted configuration identifies the payload as XLoader, an information stealer, so here the drive enumeration is more plausibly host reconnaissance than encryption staging.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID 3476, b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe (reported twice)

Suspicious use of WriteProcessMemory (6 IoCs)
PID 2636 (b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe) wrote to memory of PID 3476 (b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe), reported 6 times
Processes

1. C:\Users\Admin\AppData\Local\Temp\b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe "C:\Users\Admin\AppData\Local\Temp\b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe" (PID 2636 per the signature entries)
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe "C:\Users\Admin\AppData\Local\Temp\b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe" (child of 1; PID 3476 per the signature entries)
      - Suspicious behavior: EnumeratesProcesses

The parent spawns a second instance of its own executable with the same command line, writes into its memory and sets its thread context; together with the xloader YARA hit on the child's 0x400000-0x429000 image region, this matches the process-hollowing hand-off from the packed loader to the unpacked XLoader payload, which then runs in PID 3476.
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

\Users\Admin\AppData\Local\Temp\nsiA48F.tmp\uaxqabeequz.dll
MD5: 75e4e911b7ec3a7450d28fd843205b8c
SHA1: 17751bcad2cebfad753d5f5b9c6ffd6b72cc5871
SHA256: c260f3c548190ad93420471811c98aaa3b482a4362ebf6defbedb098386d4c0f
SHA512: f5786b90f002caa0646e1eff955192f1f8686b9c63e783f6a312f01585c09660fbf2b6e46fa47cdf10e369938b732cc32dbfc5c6ffb9be3f6a57411f7c14e73d
(An ns….tmp directory under %TEMP% is the plugin directory NSIS installers create at run time, so this DLL is consistent with the sample being an NSIS-packaged loader whose plugin is the "dropped DLL" loaded by PID 2636 in the Signatures section.)

memory/3476-116-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize: 164KB (0x29000 bytes; the child's image region at the 0x400000 base, where the xloader YARA rule matched)

memory/3476-117-0x000000000041D4B0-mapping.dmp
(a single address, which falls inside the 0x400000-0x429000 region above)

memory/3476-118-0x0000000000A70000-0x0000000000D90000-memory.dmp
Filesize: 3.1MB (0x320000 bytes)
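The following is an added example, not part of the sandbox report and not the sandbox's own tooling. It takes the injection events listed under Signatures and the dump file names listed under Downloads, both constructed inline from the lines of this report, and does the cross-checks an analyst would do by hand: it groups WriteProcessMemory and SetThreadContext by injector/target pair to recover the hollowing chain (and notes when the target runs the injector's own image), converts the dumped address ranges to sizes so they can be compared with the report's Filesize values, and places the single-address mapping dump inside the ranged region that contains it. Reading the mapping dump's address as the point where execution was observed is an assumption of this example, not something the report states.

```python
"""Added example (not from the sandbox report): correlate injection
signatures with memory-dump names to reconstruct a process-hollowing
chain and cross-check the dumped regions. All inputs are constructed
from the report text above; nothing is fetched from the sandbox."""
import re
from collections import defaultdict

SAMPLE = "b30e2fa345e02eecf58f3672cab4f07b4c6f84712c7dee9a64ca3005ac7bf255.exe"

# (api, source pid, source image, target pid, target image), as under Signatures:
# six WriteProcessMemory events and one SetThreadContext event, 2636 -> 3476.
EVENTS = [("WriteProcessMemory", 2636, SAMPLE, 3476, SAMPLE)] * 6 + [
    ("SetThreadContext", 2636, SAMPLE, 3476, SAMPLE),
]

# Memory artefacts exactly as named under Downloads.
DUMPS = [
    "memory/3476-116-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/3476-117-0x000000000041D4B0-mapping.dmp",
    "memory/3476-118-0x0000000000A70000-0x0000000000D90000-memory.dmp",
]

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp"
)


def parse_dump(name):
    """Split a dump name into pid, index, start/end address and kind.
    A 'memory' dump carries a start-end range; a 'mapping' dump carries a
    single address (treated here as where execution was observed, which is
    an assumption of this example, not a statement of the report)."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    end = m.group("end")
    return {
        "pid": int(m.group("pid")),
        "index": int(m.group("idx")),
        "start": int(m.group("start"), 16),
        "end": int(end, 16) if end is not None else None,
        "kind": m.group("kind"),
    }


def region_size_kib(dump):
    """Size of a ranged dump in KiB, to compare with the report's Filesize."""
    if dump["end"] is None:
        raise ValueError("mapping dumps have no range")
    return (dump["end"] - dump["start"]) / 1024


def find_hollowing(events):
    """Flag injector/target pairs where one process both wrote into and set a
    thread context of another. same_image marks the self-hollowing variant
    seen in this report (the child runs the parent's own executable)."""
    apis = defaultdict(set)
    images = {}
    for api, spid, simg, tpid, timg in events:
        apis[(spid, tpid)].add(api)
        images[(spid, tpid)] = (simg.lower(), timg.lower())
    hits = []
    for (spid, tpid), seen in sorted(apis.items()):
        if spid != tpid and {"WriteProcessMemory", "SetThreadContext"} <= seen:
            simg, timg = images[(spid, tpid)]
            hits.append({"injector": spid, "target": tpid, "same_image": simg == timg})
    return hits


def locate_mapping(dumps, pid):
    """For each mapping address of pid, return the ranged dump containing it
    and the address's offset from that region's base."""
    parsed = [parse_dump(d) for d in dumps]
    regions = [d for d in parsed if d["pid"] == pid and d["kind"] == "memory"]
    found = []
    for m in (d for d in parsed if d["pid"] == pid and d["kind"] == "mapping"):
        for r in regions:
            if r["start"] <= m["start"] < r["end"]:
                found.append({"address": m["start"], "region_index": r["index"],
                              "base": r["start"], "offset": m["start"] - r["start"]})
    return found


if __name__ == "__main__":
    for hit in find_hollowing(EVENTS):
        print("injection chain:", hit)
    for name in DUMPS:
        p = parse_dump(name)
        if p["kind"] == "memory":
            print(f"pid {p['pid']} region {p['index']}: {region_size_kib(p):.1f} KiB")
    for f in locate_mapping(DUMPS, 3476):
        print(f"mapping 0x{f['address']:X} lies in region {f['region_index']} "
              f"at base+0x{f['offset']:X}")
```

Run as a script it reports one chain (2636 into 3476, same image), 164.0 KiB and 3200.0 KiB for the two ranged dumps (matching the report's 164KB and 3.1MB), and places the 0x41D4B0 mapping at base+0x1D4B0 inside region 116, i.e. inside the child's hollowed image where the xloader rule matched.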