Analysis
- max time kernel: 15s
- max time network: 77s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 20-01-2022 11:07
Static task: static1
Behavioral task: behavioral1
- Sample: SKM-973116391_PDF.pif.exe
- Resource: win7-en-20211208
General
- Target: SKM-973116391_PDF.pif.exe
- Size: 297KB
- MD5: aefc9702ff5d6d9064ec8e5ea82e4870
- SHA1: 716ad70dc07a6b7d3c46209de8627bf3f3535361
- SHA256: ef986fa9ac50432d1fc1be8e0ace872cbf28cf51d967d6d35647aa3f77acf94e
- SHA512: e5180f0d131111627300dd3b61abae59cf77e0d2a4aa50d9b22dec1c270a865caed5fa4130174930ae2810584c4169e9bf56a0b597401014737d60b250580b55
Malware Config
Extracted
xloader
2.5
uar3
Signatures
- Xloader Payload (1 IoCs)
  Processes:
  resource: behavioral2/memory/3392-131-0x0000000000400000-0x0000000000429000-memory.dmp, yara_rule: xloader
- Loads dropped DLL (1 IoCs)
  Processes:
  pid: 1284, process: SKM-973116391_PDF.pif.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description: PID 1284 set thread context of 3392, pid: 1284, process: SKM-973116391_PDF.pif.exe, target process: SKM-973116391_PDF.pif.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description: PID 1284 wrote to memory of 3392, pid: 1284, process: SKM-973116391_PDF.pif.exe, target process: SKM-973116391_PDF.pif.exe (this entry is repeated six times in the report)
Processes
- C:\Users\Admin\AppData\Local\Temp\SKM-973116391_PDF.pif.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SKM-973116391_PDF.pif.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\SKM-973116391_PDF.pif.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SKM-973116391_PDF.pif.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\nsy94FC.tmp\qhkurpf.dll
  MD5: 4b585786f7c4954b6ec5fa47486c3e01
  SHA1: def671ab058b9db6bb436c57be2ed88b8f80580c
  SHA256: c553442735f0cf507ae1db7e5beb9dfd91e6e26759ba4b064cb284a684ed8aa9
  SHA512: 38585b0152d9a2d74ce47caaf1d2eb83e314e2930268ca607ad40352b10b5669fbb2fc4700d653e19273f01e66f54a71b0e543f5e707d94913ec92a69633c29a
- memory/3392-131-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB