Analysis
max time kernel
23s
max time network
72s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
20-01-2022 11:07
Static task
static1
Behavioral task
behavioral1
Sample
scan doc_o1022111234.exe
Resource
win7-en-20211208
General
Target
scan doc_o1022111234.exe
Size
285KB
MD5
69ee93123716e7d21e0e527be980c22b
SHA1
bb4b074dda0d143d36a6c4c572bd669be67fe0e5
SHA256
3866d4f2f3fa6a3cdedd0b3e4704b438881b0a147e75eeddacaeea85e52c669a
SHA512
36925cddedff3acb9a217ce35e8d676a46d76f5873471daf9e9cf512f2df5934fe263532b0ba789573fdc887eb211eee6cbe0988b8e22306d16ff211509c1edc
Malware Config
Extracted
xloader
2.5
cxep
Signatures
Xloader Payload 1 IoCs
Processes:
resource: behavioral2/memory/1316-131-0x0000000000400000-0x0000000000429000-memory.dmp
yara_rule: xloader
Loads dropped DLL 1 IoCs
Processes: scan doc_o1022111234.exe
pid 3996, process scan doc_o1022111234.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: scan doc_o1022111234.exe
description: PID 3996 set thread context of 1316; pid 3996; process scan doc_o1022111234.exe; target process scan doc_o1022111234.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory 6 IoCs
Processes: scan doc_o1022111234.exe
description: PID 3996 wrote to memory of 1316; pid 3996; process scan doc_o1022111234.exe; target process scan doc_o1022111234.exe (recorded 6 times)
Processes
C:\Users\Admin\AppData\Local\Temp\scan doc_o1022111234.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\scan doc_o1022111234.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\scan doc_o1022111234.exe (child process)
    command line: "C:\Users\Admin\AppData\Local\Temp\scan doc_o1022111234.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\nsxD0CC.tmp\uyhlelrjb.dll
MD5
3b2bf8df341ac6f0edfe50a1ae7ff555
SHA1
e9bdd7cbf9426b710c9ea60c36ee0b2183ebb602
SHA256
eace00923a15331adc6214d609b21328047a13ffdd4e14cc5e2e142241c156ad
SHA512
a127e8a748d8fa78b54e3cfbae47d147d93586f566b3d1a8a6cbc6e06df5f6ffdcc6abd61c4bf96d69b332f0646b90935fa2231d7be3cbfdd68975d387c9a6f1
memory/1316-131-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize
164KB