Analysis
-
max time kernel: 118s
max time network: 132s
platform: windows10_x64
resource: win10-en-20211208
submitted: 25-01-2022 11:14
Static task: static1
Behavioral task: behavioral1
Sample: c351e71c1b6e1cefb2ee8e8695c83efb.exe
Resource: win7-en-20211208
General
-
Target: c351e71c1b6e1cefb2ee8e8695c83efb.exe
-
Size: 480KB
-
MD5: c351e71c1b6e1cefb2ee8e8695c83efb
-
SHA1: 3d10b631ccb836b33975d2a4a9ea23c1f6ff8449
-
SHA256: 0d42799a7602de1d76ef3b39ceff5075b95dd1e3891332987d525a07ef5c5f0f
-
SHA512: b3e9ab3c3beaddd4cb2b0270049512b78ddf4920fd96bb25865faf33ce4f1e01dc736a7e9ee6b6981634e21c8a1681cd8275df3970be319280f72f444ae01acd
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: pnug
Decoy domains:
natureate.com
ita-pots.website
sucohansmushroom.com
produrielrosen.com
gosystemupdatenow.online
jiskra.art
janwiench.com
norfolkfoodhall.com
iloveaddictss.com
pogozip.com
buyinstapva.com
teardirectionfreedom.xyz
0205168.com
apaixonadosporpugs.online
jawscoinc.com
crafter.quest
wikipedianow.com
radiopuls.net
kendama-co.com
goodstudycanada.com
huzhoucs.com
asinment.com
fuchsundrudolph.com
arthurenathalia.com
globalcosmeticsstudios.com
brandrackley.com
freemanhub.one
utserver.online
fullspecter.com
wshowcase.com
airjordanshoes-retro.com
linguimatics.com
app-verlengen.icu
singpost.red
j4.claims
inoteapp.net
jrdautomotivellc.com
xn--beaupre-6xa.com
mypolicyportal.net
wdgjdhpg.com
anshulindla.com
m981070.com
vertentebike.com
claim-available.com
buyfudgybombs.com
adfnapoli.com
blackfuid.com
clambakedelivered.info
marketingworksonhold.com
xvyj.top
richardsonsfinest.com
gurimix.com
dorhop.com
mauigrowngreencoffee.net
juzytuu.xyz
pokorny.industries
floridapermitsolutions.com
right-on-target-store.com
ynaire.com
nextpar.com
disdrone.com
fruitfulvinebirth.com
africanfairytale.com
leisuresabah.com
safetyeats.asia
Signatures
-
Xloader Payload (1 IoC)
Processes:
resource | yara_rule
behavioral2/memory/2812-118-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
-
Loads dropped DLL (1 IoC)
Processes:
pid | process
2384 | c351e71c1b6e1cefb2ee8e8695c83efb.exe
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 2384 set thread context of 2812 | 2384 | c351e71c1b6e1cefb2ee8e8695c83efb.exe | c351e71c1b6e1cefb2ee8e8695c83efb.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
2812 | c351e71c1b6e1cefb2ee8e8695c83efb.exe
2812 | c351e71c1b6e1cefb2ee8e8695c83efb.exe
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description | pid | process | target process
PID 2384 wrote to memory of 2812 | 2384 | c351e71c1b6e1cefb2ee8e8695c83efb.exe | c351e71c1b6e1cefb2ee8e8695c83efb.exe
PID 2384 wrote to memory of 2812 | 2384 | c351e71c1b6e1cefb2ee8e8695c83efb.exe | c351e71c1b6e1cefb2ee8e8695c83efb.exe
PID 2384 wrote to memory of 2812 | 2384 | c351e71c1b6e1cefb2ee8e8695c83efb.exe | c351e71c1b6e1cefb2ee8e8695c83efb.exe
PID 2384 wrote to memory of 2812 | 2384 | c351e71c1b6e1cefb2ee8e8695c83efb.exe | c351e71c1b6e1cefb2ee8e8695c83efb.exe
PID 2384 wrote to memory of 2812 | 2384 | c351e71c1b6e1cefb2ee8e8695c83efb.exe | c351e71c1b6e1cefb2ee8e8695c83efb.exe
PID 2384 wrote to memory of 2812 | 2384 | c351e71c1b6e1cefb2ee8e8695c83efb.exe | c351e71c1b6e1cefb2ee8e8695c83efb.exe
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\c351e71c1b6e1cefb2ee8e8695c83efb.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c351e71c1b6e1cefb2ee8e8695c83efb.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
Level 2 (child of the process above): C:\Users\Admin\AppData\Local\Temp\c351e71c1b6e1cefb2ee8e8695c83efb.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c351e71c1b6e1cefb2ee8e8695c83efb.exe"
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nskB624.tmp\aptadt.dll
MD5: 5cf1ec7c33dcb8d0ad47c4729f6a17d5
SHA1: d3af7acc440f312830b5b36b4cb3925c7aa0ff75
SHA256: c6223791ed7ca60bca47b53e961aaaf7d5c8354b3df3e6c64df6fc3518f2c529
SHA512: dbbb343f06eb1f28b9baccbcd275036c6c4690b3af128587dbbf07882aa575f6df2f28513cfc465fce176b20d006fd76b0ca5b1bd53803a2a29898b587fe38b4
-
memory/2812-118-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize: 164KB
-
memory/2812-119-0x00000000009F0000-0x0000000000D10000-memory.dmp
Filesize: 3.1MB