Analysis
-
max time kernel
82s -
max time network
126s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
14-01-2022 00:53
Static task
static1
General
-
Target
d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe
-
Size
421KB
-
MD5
b04341cdd8fcb8aacd379147601df24b
-
SHA1
81c880a09e94267ee6c65c239d80d0b853828cd7
-
SHA256
d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c
-
SHA512
434c912533ea9c41971ff15325ead2d14b5171368640b8563f846387897944845f273451c2bb131a4baf0bde862c8dda487a346004a66d91ed1c4fd00b7ce438
Malware Config
Extracted
xloader
2.5
pnug
natureate.com
ita-pots.website
sucohansmushroom.com
produrielrosen.com
gosystemupdatenow.online
jiskra.art
janwiench.com
norfolkfoodhall.com
iloveaddictss.com
pogozip.com
buyinstapva.com
teardirectionfreedom.xyz
0205168.com
apaixonadosporpugs.online
jawscoinc.com
crafter.quest
wikipedianow.com
radiopuls.net
kendama-co.com
goodstudycanada.com
huzhoucs.com
asinment.com
fuchsundrudolph.com
arthurenathalia.com
globalcosmeticsstudios.com
brandrackley.com
freemanhub.one
utserver.online
fullspecter.com
wshowcase.com
airjordanshoes-retro.com
linguimatics.com
app-verlengen.icu
singpost.red
j4.claims
inoteapp.net
jrdautomotivellc.com
xn--beaupre-6xa.com
mypolicyportal.net
wdgjdhpg.com
anshulindla.com
m981070.com
vertentebike.com
claim-available.com
buyfudgybombs.com
adfnapoli.com
blackfuid.com
clambakedelivered.info
marketingworksonhold.com
xvyj.top
richardsonsfinest.com
gurimix.com
dorhop.com
mauigrowngreencoffee.net
juzytuu.xyz
pokorny.industries
floridapermitsolutions.com
right-on-target-store.com
ynaire.com
nextpar.com
disdrone.com
fruitfulvinebirth.com
africanfairytale.com
leisuresabah.com
safetyeats.asia
Signatures
-
Xloader Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/3604-116-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral1/memory/3604-117-0x000000000041D400-mapping.dmp xloader -
Loads dropped DLL 1 IoCs
Processes:
d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exepid process 3336 d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exedescription pid process target process PID 3336 set thread context of 3604 3336 d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exepid process 3604 d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe 3604 d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exedescription pid process target process PID 3336 wrote to memory of 3604 3336 d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe PID 3336 wrote to memory of 3604 3336 d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe PID 3336 wrote to memory of 3604 3336 d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe PID 3336 wrote to memory of 3604 3336 d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe PID 3336 wrote to memory of 3604 3336 d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe PID 3336 wrote to memory of 3604 3336 d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe"C:\Users\Admin\AppData\Local\Temp\d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe"C:\Users\Admin\AppData\Local\Temp\d7dc43fd6d64d75b9cf206ee3960055bc4f5b5db2ad0e7902eb2cef32c7d9e8c.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nst99F1.tmp\iywtruju.dllMD5
bbcef7b7d86c688d371e6c757c6f64a2
SHA142995c07af93819961b249c58d2d5a6821c19c36
SHA256399706950a5002ab572857467a585342132dbbff7ea6b0d2a50f8f1b38291654
SHA512dfe41bd756aa921d5ba2f2dd8483ef0475752c42443047883016ae3c24ba42413eb90aa494b7871fd7b098f022634b1ea09c3c57e0e9d86f1a12e8724efe861f
-
memory/3604-116-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/3604-117-0x000000000041D400-mapping.dmp
-
memory/3604-118-0x00000000009C0000-0x0000000000CE0000-memory.dmpFilesize
3.1MB