Analysis
max time kernel: 121s
max time network: 129s
platform: windows10_x64
resource: win10-en-20211208
submitted: 13-01-2022 15:56
Static task: static1
Behavioral task: behavioral1
Sample: 918947e35d3442dc73fcc228dbf7cf43.exe
Resource: win7-en-20211208
General
Target: 918947e35d3442dc73fcc228dbf7cf43.exe
Size: 421KB
MD5: 918947e35d3442dc73fcc228dbf7cf43
SHA1: 1b3765c0fa533014d3e7f076cac9807d739e2cb9
SHA256: 6846492babd6809fcbf6d1a30ebd47db29061bc23237069ff85a86b406b1abb0
SHA512: a31962a610ac3bdf977a64b1ead63abcbd6868822a36ceb7ae68a9fc8c5c0180211931cfba7f159b763d83d4af9e2f49ab8a657ed9a7dfea3734a6cce2ad93ad
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: pnug
Domains:
natureate.com
ita-pots.website
sucohansmushroom.com
produrielrosen.com
gosystemupdatenow.online
jiskra.art
janwiench.com
norfolkfoodhall.com
iloveaddictss.com
pogozip.com
buyinstapva.com
teardirectionfreedom.xyz
0205168.com
apaixonadosporpugs.online
jawscoinc.com
crafter.quest
wikipedianow.com
radiopuls.net
kendama-co.com
goodstudycanada.com
huzhoucs.com
asinment.com
fuchsundrudolph.com
arthurenathalia.com
globalcosmeticsstudios.com
brandrackley.com
freemanhub.one
utserver.online
fullspecter.com
wshowcase.com
airjordanshoes-retro.com
linguimatics.com
app-verlengen.icu
singpost.red
j4.claims
inoteapp.net
jrdautomotivellc.com
xn--beaupre-6xa.com
mypolicyportal.net
wdgjdhpg.com
anshulindla.com
m981070.com
vertentebike.com
claim-available.com
buyfudgybombs.com
adfnapoli.com
blackfuid.com
clambakedelivered.info
marketingworksonhold.com
xvyj.top
richardsonsfinest.com
gurimix.com
dorhop.com
mauigrowngreencoffee.net
juzytuu.xyz
pokorny.industries
floridapermitsolutions.com
right-on-target-store.com
ynaire.com
nextpar.com
disdrone.com
fruitfulvinebirth.com
africanfairytale.com
leisuresabah.com
safetyeats.asia
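The domain list above is the part of the extracted config most analysts act on, but it needs care: Xloader, like Formbook before it, ships a long list in which only a few entries are live C2 hosts and the rest are decoys, several of them ordinary registered sites, so it is a hunting list rather than a block list. The following is an added example, not part of the sandbox report, showing how a detection engineer would turn the config into a DNS-log matcher. The config text embedded below is a subset of the list above in the order the report shows it (family, version, campaign id, then domains; that layout is an assumption about the report format), the log lines and their `query=` format are constructed for the demonstration, and IDN entries such as xn--beaupre-6xa.com are compared as A-labels because that is the form DNS logs carry.

```python
"""Hunt for the domains of an extracted Xloader config across DNS query logs."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Subset of the extracted config shown above: family, version, campaign id,
# then one domain per line (layout assumed from the report).
CONFIG_TEXT = """\
xloader
2.5
pnug
natureate.com
ita-pots.website
xn--beaupre-6xa.com
0205168.com
j4.claims
safetyeats.asia
"""

# Constructed DNS query log; the "query=<name>" field format is an assumption.
SAMPLE_DNS_LOG = """\
2022-01-13T15:57:02Z pid=3380 query=www.NATUREATE.com
2022-01-13T15:57:03Z pid=3380 query=notnatureate.com
2022-01-13T15:57:04Z pid=1204 query=update.microsoft.com
2022-01-13T15:57:05Z pid=3380 query=xn--beaupre-6xa.com.
2022-01-13T15:57:06Z pid=3380 query=j4.claims
"""

QUERY_RE = re.compile(r"query=(\S+)")


@dataclass
class XloaderConfig:
    family: str
    version: str
    campaign: str
    domains: Set[str] = field(default_factory=set)


@dataclass
class DnsHit:
    line_no: int
    queried: str
    indicator: str


def normalise(name: str) -> str:
    """Lower-case and drop the trailing dot resolvers often log; keep
    xn-- labels as they are, since that is what appears on the wire."""
    return name.strip().lower().rstrip(".")


def parse_config(text: str) -> XloaderConfig:
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    family, version, campaign = lines[:3]
    return XloaderConfig(family, version, campaign,
                         {normalise(d) for d in lines[3:]})


def matching_indicator(queried: str, indicators: Set[str]) -> Optional[str]:
    """Exact match or a subdomain of an indicator. Matching is label-wise so
    that notnatureate.com does not match natureate.com."""
    labels = normalise(queried).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def match_dns_log(cfg: XloaderConfig, log_text: str) -> List[DnsHit]:
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = QUERY_RE.search(line)
        if not m:
            continue
        ind = matching_indicator(m.group(1), cfg.domains)
        if ind:
            hits.append(DnsHit(n, m.group(1), ind))
    return hits


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    for h in match_dns_log(cfg, SAMPLE_DNS_LOG):
        print(f"line {h.line_no}: {h.queried} -> {cfg.family} "
              f"{cfg.version} campaign {cfg.campaign}, indicator {h.indicator}")
```

Each hit carries the campaign id so that several Xloader configs can be loaded side by side and a query attributed to the right one; a hit should trigger triage of the querying host, not an automatic block, because the decoy entries make false positives likely.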
Signatures
Xloader Payload (2 IoCs)
Processes:
resource                                                                      yara_rule
behavioral2/memory/3380-116-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral2/memory/3380-117-0x000000000041D400-mapping.dmp                    xloader
Loads dropped DLL (1 IoCs)
Processes:
pid   process
2608  918947e35d3442dc73fcc228dbf7cf43.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes:
description                          pid   process                               target process
PID 2608 set thread context of 3380  2608  918947e35d3442dc73fcc228dbf7cf43.exe  918947e35d3442dc73fcc228dbf7cf43.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches the generic note "Likely ransomware behaviour" to every hit of this signature; here the extracted config identifies the sample as Xloader, a Formbook-lineage information stealer, so on its own the drive enumeration should not be read as evidence of file encryption.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid   process
3380  918947e35d3442dc73fcc228dbf7cf43.exe
3380  918947e35d3442dc73fcc228dbf7cf43.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description                     pid   process                               target process
PID 2608 wrote to memory of 3380  2608  918947e35d3442dc73fcc228dbf7cf43.exe  918947e35d3442dc73fcc228dbf7cf43.exe
PID 2608 wrote to memory of 3380  2608  918947e35d3442dc73fcc228dbf7cf43.exe  918947e35d3442dc73fcc228dbf7cf43.exe
PID 2608 wrote to memory of 3380  2608  918947e35d3442dc73fcc228dbf7cf43.exe  918947e35d3442dc73fcc228dbf7cf43.exe
PID 2608 wrote to memory of 3380  2608  918947e35d3442dc73fcc228dbf7cf43.exe  918947e35d3442dc73fcc228dbf7cf43.exe
PID 2608 wrote to memory of 3380  2608  918947e35d3442dc73fcc228dbf7cf43.exe  918947e35d3442dc73fcc228dbf7cf43.exe
PID 2608 wrote to memory of 3380  2608  918947e35d3442dc73fcc228dbf7cf43.exe  918947e35d3442dc73fcc228dbf7cf43.exe
Processes
C:\Users\Admin\AppData\Local\Temp\918947e35d3442dc73fcc228dbf7cf43.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\918947e35d3442dc73fcc228dbf7cf43.exe"
  PID: 2608
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\918947e35d3442dc73fcc228dbf7cf43.exe (child of PID 2608)
    Command line: "C:\Users\Admin\AppData\Local\Temp\918947e35d3442dc73fcc228dbf7cf43.exe"
    PID: 3380
    - Suspicious behavior: EnumeratesProcesses
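Read together, the Signatures and Processes sections describe one sequence: PID 2608 spawns a second copy of its own image (PID 3380), writes into it six times, resets the child's thread context, and the Xloader YARA rule then fires on a 164KB region in the child. That is the classic process-hollowing (self-injection) pattern, and it is the correlation a detection engineer would encode rather than alerting on any one API. The code below is an added example, not part of the report or of any sandbox's own logic: the event list is constructed from the rows above, the event schema is assumed, and the two memory-dump names are taken verbatim from the report (only the first carries a YARA family label there).

```python
"""Correlate per-process sandbox signals into a process-hollowing finding."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\918947e35d3442dc73fcc228dbf7cf43.exe"

# Constructed from the report: (api, source pid, target pid, source image, target image).
EVENTS: List[Tuple[str, int, int, str, str]] = (
    [("CreateProcess", 2608, 3380, IMAGE, IMAGE)]
    + [("WriteProcessMemory", 2608, 3380, IMAGE, IMAGE)] * 6
    + [("SetThreadContext", 2608, 3380, IMAGE, IMAGE)]
)

# Memory dump names as the report lists them, with the YARA family that hit (None if none listed).
DUMPS = [
    ("behavioral2/memory/3380-116-0x0000000000400000-0x0000000000429000-memory.dmp", "xloader"),
    ("behavioral2/memory/3380-118-0x0000000000980000-0x0000000000CA0000-memory.dmp", None),
]

# Dump naming convention as shown in the report: <pid>-<n>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass
class Region:
    pid: int
    start: int
    end: int
    family: Optional[str]

    @property
    def size(self) -> int:
        return self.end - self.start


@dataclass
class HollowingFinding:
    parent: int
    child: int
    same_image: bool          # parent and child share an image path: self-hollowing
    writes: int               # WriteProcessMemory calls into the child
    payload_region: Optional[Region]  # region in the child a family rule matched


def parse_dump_name(name: str, family: Optional[str]) -> Region:
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    return Region(int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16), family)


def find_hollowing(events, dumps) -> List[HollowingFinding]:
    """A parent/child pair is flagged when the parent both wrote into the child
    and set a thread context there; either API alone is common in benign code."""
    spawned: Dict[Tuple[int, int], bool] = {}
    calls: Dict[Tuple[int, int], Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for api, src, dst, src_img, dst_img in events:
        if api == "CreateProcess":
            spawned[(src, dst)] = src_img.lower() == dst_img.lower()
        else:
            calls[(src, dst)][api] += 1
    regions = [parse_dump_name(n, fam) for n, fam in dumps]
    findings = []
    for (src, dst), apis in calls.items():
        if src == dst or not apis["WriteProcessMemory"] or not apis["SetThreadContext"]:
            continue
        payload = next((r for r in regions if r.pid == dst and r.family), None)
        findings.append(HollowingFinding(src, dst, spawned.get((src, dst), False),
                                         apis["WriteProcessMemory"], payload))
    return findings


if __name__ == "__main__":
    for f in find_hollowing(EVENTS, DUMPS):
        r = f.payload_region
        print(f"PID {f.parent} hollowed PID {f.child} (same image: {f.same_image}, "
              f"{f.writes} writes); payload {r.family} at 0x{r.start:X}, {r.size // 1024}KB")
```

The size check is worth keeping in a real pipeline: 0x429000 - 0x400000 is 0x29000 bytes, the 164KB the report shows for that dump, and a family hit in a region that small at the child's image base is the unpacked payload, which is the artifact to carve and hash rather than the 421KB dropper.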
Network
MITRE ATT&CK Enterprise v6
Downloads
\Users\Admin\AppData\Local\Temp\nseA730.tmp\ewtfhdvsv.dll
(the nsXXXX.tmp directory name is the NSIS installer's plugin-extraction convention, so the dropper is most likely an NSIS package; this is presumably the DLL behind the "Loads dropped DLL" signature on PID 2608)
MD5: 4c13f67a6a1fa8e3fdb9957c2cd46342
SHA1: ca09f401f913d85167eea31982cec23e9a04b700
SHA256: 8ec960d5b105aa4b3e0e4b0e44518eaea6d56c7b2ad376d28a6c26b074bce6b8
SHA512: 33ee35c97d212a065d07529cd89522d8a745c238a7ee22f7a03d6b284654b353968350d102b51c4ac5f4713c6f02bc3b42b95b0973ae1fc2fb8129d1405e18ba

memory/3380-116-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize: 164KB

memory/3380-117-0x000000000041D400-mapping.dmp

memory/3380-118-0x0000000000980000-0x0000000000CA0000-memory.dmp
Filesize: 3.1MB