Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 25-01-2022 11:59
Static task: static1
Behavioral task: behavioral1
Sample: a3eddc5e0885b4be2b72e3e2f24eed7c.exe
Resource: win7-en-20211208
General
- Target: a3eddc5e0885b4be2b72e3e2f24eed7c.exe
- Size: 251KB
- MD5: a3eddc5e0885b4be2b72e3e2f24eed7c
- SHA1: a561c6eb59d66ac7d0a89b586fc38f1fd88d1623
- SHA256: 9f35e751b58fdca3b7156eba1bf2a56c88d3d5ce5e35de6b2797e6c8ba6ec0d8
- SHA512: 19b12ddc4c0979eeb15d13d230a5d72d97a0899414c6b2d5393ee119719dc2c7684beb7fccff8838a4b69951359808ff81b2a68e8111334eb53ba6d1fc4ec5a4
Malware Config
Extracted
xloader
2.5
u6vb
blendedmatter.com
piquinmarketing.com
dubkirelax.online
optimumotoaksesuar.com
bendisle.com
islamicgeometricpatterns.net
cheesebox.online
lh-coaching.com
buildingmaterial.info
backwoods72.com
goodtreetee.com
zknqqpvsypx.mobi
phukienstreaming.com
turkistick.com
cbd-shop-portugal.com
imherllc.com
krallechols.quest
ttmmb.com
pornmodelsworld.com
weakyummy.space
profitablemechanic.com
arthahomehealth.com
xllbyte.top
enthrallingmagazine.com
letgoboss.com
twaroggrodkowski.com
2027bet365.com
viveecom.com
rachelzrileybeauty.com
jadablond.com
mypasscodekeycard.com
sectionpor.xyz
hypotheque.xyz
matryoshkatechspec.online
newspaper.tax
jm0513.com
barringtonmediaqroup.com
mot-associates.com
mahomeslistings.com
henrywrench.com
anita.digital
leyouxx.com
icetherapy.net
nft-premium.design
vulcanrussia23.xyz
cvbintangkaryacipta.com
ballerapeclub.digital
coralarray.com
quoteshtx.com
thebestgpstracker.com
onlinepricehk.com
mountainvillagecondos.com
thenudefactory.com
rubarombic.net
theroycom1.com
drinkabit.art
maymakita.com
pickvector.net
online-be.xyz
monkendodge.com
successsynergyemail.com
cuahangyodykimthanh.com
love-shoppy.com
gebaeudetechnik-burscheid.com
officejava.store
Signatures
- Xloader Payload (1 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/472-56-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
- Loads dropped DLL (1 IoCs)
  Processes:
  pid | process
  1172 | a3eddc5e0885b4be2b72e3e2f24eed7c.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 1172 set thread context of 472 | 1172 | a3eddc5e0885b4be2b72e3e2f24eed7c.exe | a3eddc5e0885b4be2b72e3e2f24eed7c.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
  pid | process
  472 | a3eddc5e0885b4be2b72e3e2f24eed7c.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  description | pid | process | target process
  PID 1172 wrote to memory of 472 | 1172 | a3eddc5e0885b4be2b72e3e2f24eed7c.exe | a3eddc5e0885b4be2b72e3e2f24eed7c.exe
  PID 1172 wrote to memory of 472 | 1172 | a3eddc5e0885b4be2b72e3e2f24eed7c.exe | a3eddc5e0885b4be2b72e3e2f24eed7c.exe
  PID 1172 wrote to memory of 472 | 1172 | a3eddc5e0885b4be2b72e3e2f24eed7c.exe | a3eddc5e0885b4be2b72e3e2f24eed7c.exe
  PID 1172 wrote to memory of 472 | 1172 | a3eddc5e0885b4be2b72e3e2f24eed7c.exe | a3eddc5e0885b4be2b72e3e2f24eed7c.exe
  PID 1172 wrote to memory of 472 | 1172 | a3eddc5e0885b4be2b72e3e2f24eed7c.exe | a3eddc5e0885b4be2b72e3e2f24eed7c.exe
  PID 1172 wrote to memory of 472 | 1172 | a3eddc5e0885b4be2b72e3e2f24eed7c.exe | a3eddc5e0885b4be2b72e3e2f24eed7c.exe
  PID 1172 wrote to memory of 472 | 1172 | a3eddc5e0885b4be2b72e3e2f24eed7c.exe | a3eddc5e0885b4be2b72e3e2f24eed7c.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a3eddc5e0885b4be2b72e3e2f24eed7c.exe (PID 1172)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a3eddc5e0885b4be2b72e3e2f24eed7c.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\a3eddc5e0885b4be2b72e3e2f24eed7c.exe (PID 472)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a3eddc5e0885b4be2b72e3e2f24eed7c.exe"
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsdC3ED.tmp\idwqocteck.dll
  MD5: edf8a41b45e466e3f2c159c64ad7b302
  SHA1: 78c5b7e53469e1f10c504b06d78caa125a85a7e1
  SHA256: 9a02eb66227db973b5cdf911111ea2411b3c89b91c98dd50a20897c53a798842
  SHA512: 7ce1c7d4abeacc4f59da7928e09a1f3c494ded352643d359e10a1f6cc00667e9d9704ecc7a18e7a556b033b439136f09c310b08ddcb64e4cd58af804390ccf1b
- memory/472-56-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/1172-54-0x0000000074F01000-0x0000000074F03000-memory.dmp
  Filesize: 8KB