Analysis
- max time kernel: 123s
- max time network: 142s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 26-01-2022 14:55
- Static task: static1
General
- Target: f0d703d5576faa3ab83d1a7b6cc08ab55599565c64ec97bb59e05449f3a2efce.exe
- Size: 250KB
- MD5: 6a4fc759c24fad7472caae24be49eab9
- SHA1: 698a5efcbcafe01ba8214eb6255803f193981716
- SHA256: f0d703d5576faa3ab83d1a7b6cc08ab55599565c64ec97bb59e05449f3a2efce
- SHA512: 9013add08fda34a917e9ecdb389361a1e390fc48515b9d76558cb3160add9e3873995f17546616c375d091aa63b7f8e691045918938639471fadae977425ccda
Malware Config (extracted)
- Family: xloader
- Version: 2.5
- Campaign: p2a5
- C2 domains:
gorillaslovebananas.com
zonaextasis.com
digitalpravin.online
memorialdoors.com
departmenteindhoven.com
vipulb.com
ruyibao365.com
ynpzz.com
matthewandjessica.com
winfrey2024.com
janetride.com
arairazur.xyz
alltheheads.com
amayawebdesigns.com
califunder.com
blacksource.xyz
farmasi.agency
ilmkibahar.com
thinkcentury.net
eskortclub.com
trc-clicks.com
negc-inc.com
knightfy.com
rentalsinkendall.com
semikron1688.com
755xy.xyz
primespot-shop.com
securetravel.group
luxehairbyjen.com
augpropertygroup.com
xinlishiqiaoqiao.xyz
naggingvmkqmn.online
pynch2.com
awarco.net
booyademy.com
244.house
574761.com
haoshanzhai.com
dubaiforlife.com
acidiccatlsd.com
amotekuntv.com
runfreeco.com
iamaka.net
599-63rdstreet.com
cakeshares.com
evengl.com
joinlever.com
cyberaised.online
genrage.com
walterjliveharder.com
northbayavs.com
spajoo.com
ypkp-com37qq.com
dautucamlam.com
installslostp.xyz
bisbenefits.solutions
espchange.com
exteches.com
utilitytrace.com
468max.com
835391.com
shoptomst.com
pingerton.online
avpxshnibd.mobi
cupboarddi.com
Signatures

Xloader Payload (1 IoC)
  resource | yara_rule
  behavioral1/memory/1284-119-0x0000000000400000-0x0000000000429000-memory.dmp | xloader

Loads dropped DLL (1 IoC)
  pid | process
  2224 | f0d703d5576faa3ab83d1a7b6cc08ab55599565c64ec97bb59e05449f3a2efce.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 2224 set thread context of 1284 | 2224 | f0d703d5576faa3ab83d1a7b6cc08ab55599565c64ec97bb59e05449f3a2efce.exe | f0d703d5576faa3ab83d1a7b6cc08ab55599565c64ec97bb59e05449f3a2efce.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  1284 | f0d703d5576faa3ab83d1a7b6cc08ab55599565c64ec97bb59e05449f3a2efce.exe
  1284 | f0d703d5576faa3ab83d1a7b6cc08ab55599565c64ec97bb59e05449f3a2efce.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | target process
  PID 2224 wrote to memory of 1284 | 2224 | f0d703d5576faa3ab83d1a7b6cc08ab55599565c64ec97bb59e05449f3a2efce.exe | f0d703d5576faa3ab83d1a7b6cc08ab55599565c64ec97bb59e05449f3a2efce.exe
  PID 2224 wrote to memory of 1284 | 2224 | f0d703d5576faa3ab83d1a7b6cc08ab55599565c64ec97bb59e05449f3a2efce.exe | f0d703d5576faa3ab83d1a7b6cc08ab55599565c64ec97bb59e05449f3a2efce.exe
  PID 2224 wrote to memory of 1284 | 2224 | f0d703d5576faa3ab83d1a7b6cc08ab55599565c64ec97bb59e05449f3a2efce.exe | f0d703d5576faa3ab83d1a7b6cc08ab55599565c64ec97bb59e05449f3a2efce.exe
  PID 2224 wrote to memory of 1284 | 2224 | f0d703d5576faa3ab83d1a7b6cc08ab55599565c64ec97bb59e05449f3a2efce.exe | f0d703d5576faa3ab83d1a7b6cc08ab55599565c64ec97bb59e05449f3a2efce.exe
  PID 2224 wrote to memory of 1284 | 2224 | f0d703d5576faa3ab83d1a7b6cc08ab55599565c64ec97bb59e05449f3a2efce.exe | f0d703d5576faa3ab83d1a7b6cc08ab55599565c64ec97bb59e05449f3a2efce.exe
  PID 2224 wrote to memory of 1284 | 2224 | f0d703d5576faa3ab83d1a7b6cc08ab55599565c64ec97bb59e05449f3a2efce.exe | f0d703d5576faa3ab83d1a7b6cc08ab55599565c64ec97bb59e05449f3a2efce.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\f0d703d5576faa3ab83d1a7b6cc08ab55599565c64ec97bb59e05449f3a2efce.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f0d703d5576faa3ab83d1a7b6cc08ab55599565c64ec97bb59e05449f3a2efce.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\f0d703d5576faa3ab83d1a7b6cc08ab55599565c64ec97bb59e05449f3a2efce.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\f0d703d5576faa3ab83d1a7b6cc08ab55599565c64ec97bb59e05449f3a2efce.exe"
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- \Users\Admin\AppData\Local\Temp\nso32C6.tmp\ikagqucw.dll
  MD5: 403fb1aa3c56887b803180dbebfd7833
  SHA1: 3e7e706b0df3fe0953e7671ecb082bc00f7d99ee
  SHA256: 0f4a87ceff52441a082768a4809d306f0906d8700e6ef7aab0146ad442d8c2e8
  SHA512: 3a9eca03abcfa488e1ee6edc1fa96a011b7c89fdd609ee5a3f8759fdc3deb56c737665a367ada5317d89016f106c4f6cfd2fa7a5943603056444297f21cba1ae
- memory/1284-119-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/1284-120-0x0000000000B80000-0x0000000000EA0000-memory.dmp
  Filesize: 3.1MB