Analysis
-
max time kernel
119s -
max time network
124s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
25-01-2022 10:13
Static task
static1
General
-
Target
a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a.exe
-
Size
245KB
-
MD5
de0aa0304f6880c7263d35fc7d487278
-
SHA1
e392b2e0163130093d1b4afddbd318266a02a386
-
SHA256
a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a
-
SHA512
f8f8b94e4dc99524210487daf9a273a9ce44328a249afd372c72b360bfc3905cf034c713fb1052e9a3e51e58ad844fa18dd7ac12cbe183c1c998dfd5b4376d6e
Malware Config
Extracted
xloader
2.5
jdo2
adopte-un-per.com
lmandarin.com
shonemurawni.quest
bantasis.com
jsdigitalekuns.net
hiddenroom.net
arungjerampangalengan.com
yinghongxw.com
buzzcupid.com
lattent.digital
faxtoemailguide.com
romanticfriryrose.com
ruleaou.com
mochiko-blog.com
sekireixploit.com
bcx-wiremesh.com
jobportalsg.com
wysspirit.com
iflycny.com
sh-cy17.com
kryptolaunches.com
studio-levanah.com
iotnews.xyz
scznjt.com
puppizy.com
sportax.store
musicnjoy.art
thenerdyarkade.com
prelacies.info
eastwebdesign.com
clients-schwab.com
freemsw.com
propertytaxtt.com
camelammo.com
udidactica.com
nutriorlando.com
logichome.store
brickge.com
gnews24.press
cryptofuelcars.com
giftcodefreefirevns.com
xn--wnys27c.xyz
123sabi.com
drnxskop.xyz
guiadescontopromocional.com
traderro.com
oilsandsresources.com
dosmed.store
bullmediamarketing.com
brainnwave-uk.com
situspokergames.club
lowestfars.com
x99av2.xyz
bungaauraprediction.com
companyintel.direct
netzastronaut.com
abouttofeast.com
roleplaysaga.com
postkz.host
sobheweb.com
exit-10-exodus.com
oxanger.com
onehundredwomennash.com
decamento.com
remover-erro.com
Signatures
-
Xloader Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/3556-116-0x0000000000400000-0x0000000000429000-memory.dmp xloader -
Loads dropped DLL 1 IoCs
Processes:
a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a.exepid process 3080 a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a.exedescription pid process target process PID 3080 set thread context of 3556 3080 a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a.exe a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a.exepid process 3556 a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a.exe 3556 a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a.exedescription pid process target process PID 3080 wrote to memory of 3556 3080 a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a.exe a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a.exe PID 3080 wrote to memory of 3556 3080 a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a.exe a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a.exe PID 3080 wrote to memory of 3556 3080 a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a.exe a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a.exe PID 3080 wrote to memory of 3556 3080 a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a.exe a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a.exe PID 3080 wrote to memory of 3556 3080 a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a.exe a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a.exe PID 3080 wrote to memory of 3556 3080 a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a.exe a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a.exe"C:\Users\Admin\AppData\Local\Temp\a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a.exe"C:\Users\Admin\AppData\Local\Temp\a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nsk4F76.tmp\esuhbnkmi.dllMD5
0b413fd318116a350c284756fd075656
SHA1e89886c492c5183a9e1fa5e5af0ce08c5b6b0f2f
SHA2565db476cb59fd2f92f113ee07523cf1f9dd620e2f17557ac6914a58cab23e9d07
SHA512566ae6e7b8a0882954f801028614d741aec451aa9477132528b016cc0e7581090aa3d575b4c7eda0c1ca54a7f8cbd0717df800fabef3a64675ca4a38d23e1299
-
memory/3556-116-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/3556-117-0x00000000009B0000-0x0000000000CD0000-memory.dmpFilesize
3.1MB