Analysis
- max time kernel: 123s
- max time network: 127s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 27-01-2022 13:32
- static task: static1
General
- Target: 7bc209b35e0f0838c03f3a67be9e3f362a440ad2c8a3434dd52c4a16c4a72135.exe
- Size: 248KB
- MD5: 8dea3dfc88c81629eda9299c7031ed9e
- SHA1: 14cb4a4e1d5ca4a715a06df641933f7d50cd40b6
- SHA256: 7bc209b35e0f0838c03f3a67be9e3f362a440ad2c8a3434dd52c4a16c4a72135
- SHA512: 4f688839482e354bd6b4a622a3464c19b6f92cb2500b5b9f8687e209324efa415cb1e8ae56031a5144b445176c23a638cb580f43accdb462278990ada12d9f53
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: u6vb
Signatures

Xloader Payload (1 IoCs)
Processes:
- resource: behavioral1/memory/1908-116-0x0000000000400000-0x0000000000429000-memory.dmp; yara_rule: xloader

Loads dropped DLL (1 IoCs)
Processes:
- pid 2492, process 7bc209b35e0f0838c03f3a67be9e3f362a440ad2c8a3434dd52c4a16c4a72135.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
- PID 2492 set thread context of 1908 (pid 2492, process 7bc209b35e0f0838c03f3a67be9e3f362a440ad2c8a3434dd52c4a16c4a72135.exe, target process 7bc209b35e0f0838c03f3a67be9e3f362a440ad2c8a3434dd52c4a16c4a72135.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- pid 1908, process 7bc209b35e0f0838c03f3a67be9e3f362a440ad2c8a3434dd52c4a16c4a72135.exe
- pid 1908, process 7bc209b35e0f0838c03f3a67be9e3f362a440ad2c8a3434dd52c4a16c4a72135.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
- PID 2492 wrote to memory of 1908 (pid 2492, process 7bc209b35e0f0838c03f3a67be9e3f362a440ad2c8a3434dd52c4a16c4a72135.exe, target process 7bc209b35e0f0838c03f3a67be9e3f362a440ad2c8a3434dd52c4a16c4a72135.exe)
- PID 2492 wrote to memory of 1908 (pid 2492, process 7bc209b35e0f0838c03f3a67be9e3f362a440ad2c8a3434dd52c4a16c4a72135.exe, target process 7bc209b35e0f0838c03f3a67be9e3f362a440ad2c8a3434dd52c4a16c4a72135.exe)
- PID 2492 wrote to memory of 1908 (pid 2492, process 7bc209b35e0f0838c03f3a67be9e3f362a440ad2c8a3434dd52c4a16c4a72135.exe, target process 7bc209b35e0f0838c03f3a67be9e3f362a440ad2c8a3434dd52c4a16c4a72135.exe)
- PID 2492 wrote to memory of 1908 (pid 2492, process 7bc209b35e0f0838c03f3a67be9e3f362a440ad2c8a3434dd52c4a16c4a72135.exe, target process 7bc209b35e0f0838c03f3a67be9e3f362a440ad2c8a3434dd52c4a16c4a72135.exe)
- PID 2492 wrote to memory of 1908 (pid 2492, process 7bc209b35e0f0838c03f3a67be9e3f362a440ad2c8a3434dd52c4a16c4a72135.exe, target process 7bc209b35e0f0838c03f3a67be9e3f362a440ad2c8a3434dd52c4a16c4a72135.exe)
- PID 2492 wrote to memory of 1908 (pid 2492, process 7bc209b35e0f0838c03f3a67be9e3f362a440ad2c8a3434dd52c4a16c4a72135.exe, target process 7bc209b35e0f0838c03f3a67be9e3f362a440ad2c8a3434dd52c4a16c4a72135.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\7bc209b35e0f0838c03f3a67be9e3f362a440ad2c8a3434dd52c4a16c4a72135.exe (command line: "C:\Users\Admin\AppData\Local\Temp\7bc209b35e0f0838c03f3a67be9e3f362a440ad2c8a3434dd52c4a16c4a72135.exe")
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7bc209b35e0f0838c03f3a67be9e3f362a440ad2c8a3434dd52c4a16c4a72135.exe (command line: "C:\Users\Admin\AppData\Local\Temp\7bc209b35e0f0838c03f3a67be9e3f362a440ad2c8a3434dd52c4a16c4a72135.exe")
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsfDDA1.tmp\bekoa.dll
  - MD5: d4cea9ae27fa5d8fbb99e6bd3f62902a
  - SHA1: e3579b380f95afa22f7d60ce23cd3cda3bc94b90
  - SHA256: 4a9316fabebef3467c9229c81238cbbb0bcf784c95de8e1c69b3e7d75ebc0916
  - SHA512: 246b5e816f39e8628f00142a820f00ef779e93cbec64b379f5a8049a81b4408122596b88c9c37d4544dc5440d8aaac8f6633312bbb9aa7a6ba22c2e19e96a57a
- memory/1908-116-0x0000000000400000-0x0000000000429000-memory.dmp
  - Filesize: 164KB
- memory/1908-117-0x00000000009D0000-0x0000000000CF0000-memory.dmp
  - Filesize: 3.1MB