Analysis
max time kernel
117s
max time network
122s
platform
windows10_x64
resource
win10-en-20211208
submitted
12-01-2022 11:02
Static task
static1
Behavioral task
behavioral1
Sample
886375fa6ecb64fa31dd20b8688216cc.exe
Resource
win7-en-20211208
General
-
Target
886375fa6ecb64fa31dd20b8688216cc.exe
-
Size
545KB
-
MD5
886375fa6ecb64fa31dd20b8688216cc
-
SHA1
5b23e5b6fbe5add5b7a891288c66ac2df05dd52a
-
SHA256
4f64511b423d79682dfad8f6b516516d32e801f0031f07b7e3c6c19798a64b95
-
SHA512
5a9065efc8ea242a3efb66e809de949e13f214660d1f79a66a86cfee32f966ae838b5fd6d34aacb7d82d4ebc8682f44364ba917b43d5770c3d7260a99c80a849
Malware Config
Extracted
xloader
2.5
pnug
Signatures
-
Xloader Payload 2 IoCs
Processes:
resource                                                                      yara_rule
behavioral2/memory/3808-116-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral2/memory/3808-117-0x000000000041D400-mapping.dmp                    xloader
Loads dropped DLL 1 IoCs
Processes:
886375fa6ecb64fa31dd20b8688216cc.exe
pid  process
344  886375fa6ecb64fa31dd20b8688216cc.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
886375fa6ecb64fa31dd20b8688216cc.exe
description                         pid  process                               target process
PID 344 set thread context of 3808  344  886375fa6ecb64fa31dd20b8688216cc.exe  886375fa6ecb64fa31dd20b8688216cc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
886375fa6ecb64fa31dd20b8688216cc.exe
pid   process
3808  886375fa6ecb64fa31dd20b8688216cc.exe
3808  886375fa6ecb64fa31dd20b8688216cc.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
886375fa6ecb64fa31dd20b8688216cc.exe
description                      pid  process                               target process
PID 344 wrote to memory of 3808  344  886375fa6ecb64fa31dd20b8688216cc.exe  886375fa6ecb64fa31dd20b8688216cc.exe
PID 344 wrote to memory of 3808  344  886375fa6ecb64fa31dd20b8688216cc.exe  886375fa6ecb64fa31dd20b8688216cc.exe
PID 344 wrote to memory of 3808  344  886375fa6ecb64fa31dd20b8688216cc.exe  886375fa6ecb64fa31dd20b8688216cc.exe
PID 344 wrote to memory of 3808  344  886375fa6ecb64fa31dd20b8688216cc.exe  886375fa6ecb64fa31dd20b8688216cc.exe
PID 344 wrote to memory of 3808  344  886375fa6ecb64fa31dd20b8688216cc.exe  886375fa6ecb64fa31dd20b8688216cc.exe
PID 344 wrote to memory of 3808  344  886375fa6ecb64fa31dd20b8688216cc.exe  886375fa6ecb64fa31dd20b8688216cc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\886375fa6ecb64fa31dd20b8688216cc.exe
"C:\Users\Admin\AppData\Local\Temp\886375fa6ecb64fa31dd20b8688216cc.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:344
  C:\Users\Admin\AppData\Local\Temp\886375fa6ecb64fa31dd20b8688216cc.exe
  "C:\Users\Admin\AppData\Local\Temp\886375fa6ecb64fa31dd20b8688216cc.exe"
  - Suspicious behavior: EnumeratesProcesses
  PID:3808
Network
MITRE ATT&CK Enterprise v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nsnA54B.tmp\dzqcmmok.dll
MD5     26cc8ace0ba0757e74668322ad6c988c
SHA1    b6c03df73c62d5cae48365856031bb15be5f30ea
SHA256  7602dd51d81cac5ea4f9c90e326bcaf2c445bc4f43a382645a99a2a4b391b836
SHA512  ecc36935593ee4ef0092d7ae7e445c2d2665779a7a97a4fe4235f68cfe34a29040a16a343dc9a1ca93ad7f1905f9658349c1bc6768c91822a72eeaa277c7ffac
-
memory/3808-116-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize  164KB
-
memory/3808-117-0x000000000041D400-mapping.dmp
-
memory/3808-118-0x0000000000A40000-0x0000000000D60000-memory.dmp
Filesize  3.1MB