Analysis
- max time kernel: 122s
- max time network: 127s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 28-01-2022 08:45

Static task: static1
Behavioral task: behavioral1
Sample: c2ca2ba9c38eb02217588662717ba6c3.exe
Resource: win7-en-20211208
General
- Target: c2ca2ba9c38eb02217588662717ba6c3.exe
- Size: 248KB
- MD5: c2ca2ba9c38eb02217588662717ba6c3
- SHA1: 8a897f24d2e564af2c2fcc272ab0cfbef10611b5
- SHA256: 9af4d9ef8b2a850854ae23411d44d3603147c26898bca1010fd2f9b16f6d456e
- SHA512: 7c7a80f37013b8b5fe27e0c9c3144884abde6ca49484c3e8c6cc78daa9f3b6ac890577247223e7d4875b865244e8732840c6a47170fbe2c7f27406ba4c8f52a6
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: b80i
- Domains:
yixuan5.com
jiazheng369.com
danielleefelipe.net
micorgas.com
uvywah.com
nbjcgl.com
streets4suites.com
hempgotas.com
postmoon.xyz
gaboshoes.com
pastodwes.com
libes.asia
damusalama.com
youngliving1.com
mollyagee.com
branchwallet.com
seebuehnegoerlitz.com
inventors.community
teentykarm.quest
927291.com
wohn-union.info
rvmservices.com
cuanquotex.online
buysubarus.com
360e.group
markham.condos
carriewilliamsinc.com
ennitec.com
wildberryhair.com
trulyrun.com
pinkandgrey.info
mnselfservice.com
gabtomenice.com
2thpolis.com
standardcrypro.com
58lif.com
ir-hasnol.com
ggsega.xyz
tipslowclever.rest
atlasgrpltdgh.com
4338agnes.com
hillsncreeks.com
pentest.ink
cevichiles.com
evodoge.com
gooooooo.xyz
ehaszthecarpetbagger.com
finanes.xyz
zoharfine.com
viperiastudios.com
sjljtzsls.com
frentags.art
mediafyagency.com
faydergayremezdayener.net
freelance-rse.com
quickmovecourierservices.com
lexingtonprochoice.com
farmacymerchants.com
inkland-tattoo.com
aloebiotics.com
rampi6.com
bookinggroningen.com
wilkinsutotint.com
inslidr.com
dreamschools.online
Signatures
- Xloader Payload (1 IoC)
  resource: behavioral2/memory/2856-117-0x0000000000400000-0x0000000000429000-memory.dmp, yara_rule: xloader
- Loads dropped DLL (1 IoC)
  PID 2572 c2ca2ba9c38eb02217588662717ba6c3.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 2572 c2ca2ba9c38eb02217588662717ba6c3.exe set thread context of PID 2856 c2ca2ba9c38eb02217588662717ba6c3.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2856 c2ca2ba9c38eb02217588662717ba6c3.exe (2 events)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2572 c2ca2ba9c38eb02217588662717ba6c3.exe wrote to memory of PID 2856 c2ca2ba9c38eb02217588662717ba6c3.exe (6 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\c2ca2ba9c38eb02217588662717ba6c3.exe (PID 2572)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c2ca2ba9c38eb02217588662717ba6c3.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\c2ca2ba9c38eb02217588662717ba6c3.exe (PID 2856)
    Command line: "C:\Users\Admin\AppData\Local\Temp\c2ca2ba9c38eb02217588662717ba6c3.exe"
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- \Users\Admin\AppData\Local\Temp\nsv9E46.tmp\npsx.dll
  MD5: ff94ac3a49e4c0bcdf0c1fe9730293d9
  SHA1: 2f81d5b8ec6515fbdfa099eabb0babf9d6c40b97
  SHA256: 4d2a5f508e4d6a54d71af82fcea978527cdd216423fb050457dfeb4db581178f
  SHA512: 01f8bc3ac735473c60e842d76d282f4859fd9fecada580bffc629a8127a821a0839ed832143c7034b3a1e3dfca9561841626f0b8fbe582cb6a0e7dab453a5a16
- memory/2572-116-0x0000000002270000-0x0000000002294000-memory.dmp
  Filesize: 144KB
- memory/2856-117-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/2856-118-0x0000000000A60000-0x0000000000D80000-memory.dmp
  Filesize: 3.1MB