Analysis
-
max time kernel
81s -
max time network
124s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
11-01-2022 01:06
Static task
static1
General
-
Target
1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe
-
Size
594KB
-
MD5
3307bd369cf29789bc0e4a28a60212bc
-
SHA1
a3427db83936cd9e5af6c98019945833680c007a
-
SHA256
1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d
-
SHA512
bde682298b8c8ea82529ee07e4f3c68b18a8e1b8b9f94f3c119452341d4802f029a09f4a2e94dbf71a7e37c3aec769c3e6cacbf2633cb4f503fe8788a2b37c8f
Malware Config
Extracted
xloader
2.5
pnug
natureate.com
ita-pots.website
sucohansmushroom.com
produrielrosen.com
gosystemupdatenow.online
jiskra.art
janwiench.com
norfolkfoodhall.com
iloveaddictss.com
pogozip.com
buyinstapva.com
teardirectionfreedom.xyz
0205168.com
apaixonadosporpugs.online
jawscoinc.com
crafter.quest
wikipedianow.com
radiopuls.net
kendama-co.com
goodstudycanada.com
huzhoucs.com
asinment.com
fuchsundrudolph.com
arthurenathalia.com
globalcosmeticsstudios.com
brandrackley.com
freemanhub.one
utserver.online
fullspecter.com
wshowcase.com
airjordanshoes-retro.com
linguimatics.com
app-verlengen.icu
singpost.red
j4.claims
inoteapp.net
jrdautomotivellc.com
xn--beaupre-6xa.com
mypolicyportal.net
wdgjdhpg.com
anshulindla.com
m981070.com
vertentebike.com
claim-available.com
buyfudgybombs.com
adfnapoli.com
blackfuid.com
clambakedelivered.info
marketingworksonhold.com
xvyj.top
richardsonsfinest.com
gurimix.com
dorhop.com
mauigrowngreencoffee.net
juzytuu.xyz
pokorny.industries
floridapermitsolutions.com
right-on-target-store.com
ynaire.com
nextpar.com
disdrone.com
fruitfulvinebirth.com
africanfairytale.com
leisuresabah.com
safetyeats.asia
Signatures
-
Xloader Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/2744-116-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral1/memory/2744-117-0x000000000041D400-mapping.dmp xloader -
Loads dropped DLL 1 IoCs
Processes:
1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exepid process 2420 1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exedescription pid process target process PID 2420 set thread context of 2744 2420 1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe 1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exepid process 2744 1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe 2744 1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exedescription pid process target process PID 2420 wrote to memory of 2744 2420 1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe 1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe PID 2420 wrote to memory of 2744 2420 1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe 1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe PID 2420 wrote to memory of 2744 2420 1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe 1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe PID 2420 wrote to memory of 2744 2420 1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe 1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe PID 2420 wrote to memory of 2744 2420 1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe 1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe PID 2420 wrote to memory of 2744 2420 1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe 1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe"C:\Users\Admin\AppData\Local\Temp\1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe"C:\Users\Admin\AppData\Local\Temp\1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nsj9A4F.tmp\yiinyuiygtr.dllMD5
d4ad23215639a5f19713244b43b9436b
SHA190aac5a4f115241015b0b2e2635accf4b8dffded
SHA256b854dfeef6729df501459ff0599d87d9bbc0201cb822d121376481910bb767b9
SHA51282a1a850c96f14d266052bd403001e3c4df5b879bfeed795202746d0e854c41ef9f4d4a40529b04d90771514d72bb973d3c0d79a55b81f791ab88ef7df64afd2
-
memory/2744-116-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2744-117-0x000000000041D400-mapping.dmp
-
memory/2744-118-0x00000000009E0000-0x0000000000D00000-memory.dmpFilesize
3.1MB