Analysis
-
max time kernel
118s -
max time network
125s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
25-01-2022 11:16
Static task
static1
Behavioral task
behavioral1
Sample
de0aa0304f6880c7263d35fc7d487278.exe
Resource
win7-en-20211208
General
-
Target
de0aa0304f6880c7263d35fc7d487278.exe
-
Size
245KB
-
MD5
de0aa0304f6880c7263d35fc7d487278
-
SHA1
e392b2e0163130093d1b4afddbd318266a02a386
-
SHA256
a58fa4c9cd9960a9b7c8fbab4942b3d1f28035ce37b68b4835afa9e728cbdc0a
-
SHA512
f8f8b94e4dc99524210487daf9a273a9ce44328a249afd372c72b360bfc3905cf034c713fb1052e9a3e51e58ad844fa18dd7ac12cbe183c1c998dfd5b4376d6e
Malware Config
Extracted
Family
xloader
Version
2.5
Campaign ID
jdo2
Domains (65 entries; the extractor's decoy list, which mixes the live C2 in with decoy domains, so block and alert on the whole list rather than picking one entry as "the" C2)
adopte-un-per.com
lmandarin.com
shonemurawni.quest
bantasis.com
jsdigitalekuns.net
hiddenroom.net
arungjerampangalengan.com
yinghongxw.com
buzzcupid.com
lattent.digital
faxtoemailguide.com
romanticfriryrose.com
ruleaou.com
mochiko-blog.com
sekireixploit.com
bcx-wiremesh.com
jobportalsg.com
wysspirit.com
iflycny.com
sh-cy17.com
kryptolaunches.com
studio-levanah.com
iotnews.xyz
scznjt.com
puppizy.com
sportax.store
musicnjoy.art
thenerdyarkade.com
prelacies.info
eastwebdesign.com
clients-schwab.com
freemsw.com
propertytaxtt.com
camelammo.com
udidactica.com
nutriorlando.com
logichome.store
brickge.com
gnews24.press
cryptofuelcars.com
giftcodefreefirevns.com
xn--wnys27c.xyz
123sabi.com
drnxskop.xyz
guiadescontopromocional.com
traderro.com
oilsandsresources.com
dosmed.store
bullmediamarketing.com
brainnwave-uk.com
situspokergames.club
lowestfars.com
x99av2.xyz
bungaauraprediction.com
companyintel.direct
netzastronaut.com
abouttofeast.com
roleplaysaga.com
postkz.host
sobheweb.com
exit-10-exodus.com
oxanger.com
onehundredwomennash.com
decamento.com
remover-erro.com
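The extracted domain list is only useful once it is wired into something that reads traffic. The following Python is an added example, not part of the sandbox report: it normalizes a representative subset of the domains above (lower-case, trailing dot removed, IDNA form forced so the punycode xn--wnys27c.xyz entry matches however a resolver logs it), then scans constructed BIND-style query-log lines and reports exact and subdomain hits. SAMPLE_LOG and the log format are assumptions made for the demo.

```python
"""Build a DNS-log matcher from the Xloader domain list above.

Added example, not part of the sandbox report. XLOADER_DOMAINS is a
representative subset of the 65 extracted domains; SAMPLE_LOG is constructed
in BIND query-log style for the demo. Xloader (like Formbook before it) ships
the live C2 mixed in with decoy domains, so the whole list is one blocklist:
any hit is worth a look, and no single entry should be singled out as the C2.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Representative subset of the extracted config's domain list.
XLOADER_DOMAINS = [
    "adopte-un-per.com", "lmandarin.com", "shonemurawni.quest",
    "lattent.digital", "clients-schwab.com", "xn--wnys27c.xyz",
    "gnews24.press", "postkz.host", "remover-erro.com",
]


def normalize(name: str) -> str:
    """Lower-case, drop a trailing dot and force the IDNA (xn--) form, so a
    resolver that logs the Unicode form of xn--wnys27c.xyz still matches."""
    name = name.strip().rstrip(".").lower()
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:
        return name


BLOCKLIST = {normalize(d) for d in XLOADER_DOMAINS}


def blocklist_hit(qname: str) -> Optional[str]:
    """Return the blocklist entry covering qname (exact match or any subdomain)."""
    labels = normalize(qname).split(".")
    # Walk up the name: www.lattent.digital -> lattent.digital; never test the TLD alone.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKLIST:
            return candidate
    return None


# Constructed BIND-style query log: "client IP#port: query: NAME IN TYPE".
DNS_QUERY = re.compile(
    r"client (?P<client>[\d.]+)#\d+.*?query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)

SAMPLE_LOG = [
    "25-Jan-2022 11:17:02.101 client 10.0.0.5#51234: query: www.lattent.digital IN A +",
    "25-Jan-2022 11:17:02.342 client 10.0.0.5#51235: query: update.microsoft.com IN A +",
    "25-Jan-2022 11:17:05.010 client 10.0.0.5#51236: query: clients-schwab.com IN A +",
    "25-Jan-2022 11:17:05.990 client 10.0.0.7#40001: query: notlattent.digital IN AAAA +",
    "25-Jan-2022 11:17:09.400 client 10.0.0.5#51240: query: POSTKZ.HOST. IN A +",
]


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, queried name, matched entry) for every blocklisted query."""
    hits = []
    for line in lines:
        m = DNS_QUERY.search(line)
        if not m:
            continue
        entry = blocklist_hit(m["qname"])
        if entry:
            hits.append((m["client"], normalize(m["qname"]), entry))
    return hits


if __name__ == "__main__":
    for client, qname, entry in scan_dns_log(SAMPLE_LOG):
        print(f"{client} -> {qname}  (matches {entry})")
```

Matching walks up the label chain so that a lookup of any subdomain of a listed name counts, while a name that merely ends in the same characters (notlattent.digital) does not; the TLD alone is never tested, which avoids blocking every .com.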
Signatures
-
Xloader Payload 1 IoCs
Processes:
resource: behavioral1/memory/768-56-0x0000000000400000-0x0000000000429000-memory.dmp
yara_rule: xloader
(The rule matched the 164KB region at image base 0x400000 inside PID 768, the child process that the parent hollowed; that dump is the unpacked Xloader payload to pull for further analysis.)
-
Loads dropped DLL 1 IoCs
Processes:
pid: 1480
process: de0aa0304f6880c7263d35fc7d487278.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description: PID 1480 set thread context of 768
pid: 1480
process: de0aa0304f6880c7263d35fc7d487278.exe
target process: de0aa0304f6880c7263d35fc7d487278.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches "likely ransomware behaviour" to every hit on this signature; here the extracted config and the YARA match identify the sample as Xloader, a stealer, so this hit on its own is not evidence of encryption activity.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid: 768
process: de0aa0304f6880c7263d35fc7d487278.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
description: PID 1480 wrote to memory of 768 (7 identical entries)
pid: 1480
process: de0aa0304f6880c7263d35fc7d487278.exe
target process: de0aa0304f6880c7263d35fc7d487278.exe
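The SetThreadContext and WriteProcessMemory entries above are the classic process-hollowing pair: PID 1480 starts a second copy of its own image (PID 768), writes into it seven times, then resets its thread context so the child runs the injected payload. The following Python is an added example, not part of the report: it re-types those rows as strings (plus one constructed control row), parses them, and applies the generic hollowing rule, flagging any parent/child pair that shows both a memory write and a thread-context change.

```python
"""Flag process hollowing from the report's process-interaction rows.

Added example, not part of the report. SAMPLE_ROWS re-types the
SetThreadContext and WriteProcessMemory entries above (one context change,
seven memory writes, all 1480 -> 768) and adds one constructed control row.
The rule is the generic hollowing pattern: the same parent both writes into a
child's memory and resets the child's thread context; the child running the
parent's own image (self-hollowing) is the shape seen here."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

SAMPLE = "de0aa0304f6880c7263d35fc7d487278.exe"

# Row layout in the report: "PID <src> <action> <dst> <pid> <process> <target process>".
ROW = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_image>\S+) (?P<dst_image>\S+)"
)

SAMPLE_ROWS = (
    [f"PID 1480 set thread context of 768 1480 {SAMPLE} {SAMPLE}"]
    + [f"PID 1480 wrote to memory of 768 1480 {SAMPLE} {SAMPLE}"] * 7
    # Constructed control: a write with no thread-context change is not hollowing.
    + ["PID 900 wrote to memory of 910 900 explorer.exe notepad.exe"]
)


@dataclass(frozen=True)
class Event:
    src: int
    action: str
    dst: int
    src_image: str
    dst_image: str


def parse_rows(rows: Iterable[str]) -> List[Event]:
    """Turn the flattened report rows into typed events; skip anything that does not parse."""
    events = []
    for row in rows:
        m = ROW.search(row)
        if m:
            events.append(Event(int(m["src"]), m["action"], int(m["dst"]),
                                m["src_image"], m["dst_image"]))
    return events


def find_hollowing(events: Iterable[Event]) -> List[Dict]:
    """Group events by (parent, child) and report pairs that show both a memory
    write and a thread-context change."""
    counts: Dict[Tuple, Dict[str, int]] = defaultdict(
        lambda: {"writes": 0, "thread_context": 0})
    for e in events:
        key = (e.src, e.dst, e.src_image, e.dst_image)
        field = "writes" if e.action.startswith("wrote") else "thread_context"
        counts[key][field] += 1
    findings = []
    for (src, dst, src_image, dst_image), c in counts.items():
        if c["writes"] and c["thread_context"]:
            findings.append({
                "parent": src, "child": dst, "image": dst_image,
                "writes": c["writes"], "thread_context": c["thread_context"],
                "self_hollowing": src_image == dst_image,
            })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(parse_rows(SAMPLE_ROWS)):
        print(finding)
```

The same grouping works on EDR telemetry where the two calls arrive as separate events; the point of keying on the (parent, child) pair is that neither call is suspicious alone (debuggers write memory, loaders set context), but the combination, especially against a child running the parent's own image, is.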
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\de0aa0304f6880c7263d35fc7d487278.exe (PID 1480)
   command line: "C:\Users\Admin\AppData\Local\Temp\de0aa0304f6880c7263d35fc7d487278.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\de0aa0304f6880c7263d35fc7d487278.exe (PID 768, child of PID 1480; the hollowed copy that the xloader YARA rule matched)
      command line: "C:\Users\Admin\AppData\Local\Temp\de0aa0304f6880c7263d35fc7d487278.exe"
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nstDECD.tmp\esuhbnkmi.dll
(the dropped DLL behind the "Loads dropped DLL" hit on PID 1480; an ns*.tmp directory under %TEMP% is the location NSIS installers use for their extracted plugin DLLs)
MD5
0b413fd318116a350c284756fd075656
SHA1
e89886c492c5183a9e1fa5e5af0ce08c5b6b0f2f
SHA256
5db476cb59fd2f92f113ee07523cf1f9dd620e2f17557ac6914a58cab23e9d07
SHA512
566ae6e7b8a0882954f801028614d741aec451aa9477132528b016cc0e7581090aa3d575b4c7eda0c1ca54a7f8cbd0717df800fabef3a64675ca4a38d23e1299
-
memory/768-56-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize
164KB
(0x429000 - 0x400000 = 0x29000 bytes; the unpacked Xloader image at the default image base in the hollowed child, and the region the xloader YARA rule matched)
-
memory/768-57-0x0000000000770000-0x0000000000A73000-memory.dmp
Filesize
3.0MB
-
memory/1480-54-0x0000000075D51000-0x0000000075D53000-memory.dmp
Filesize
8KB