Analysis
- max time kernel: 159s
- max time network: 155s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 28-01-2022 12:38
Static task: static1
Behavioral task: behavioral1
- Sample: HIRE SOA FOR DEC_2021.exe
- Resource: win7-en-20211208
General
- Target: HIRE SOA FOR DEC_2021.exe
- Size: 247KB
- MD5: d8af2363d5a46336733b6121c0b4cf0e
- SHA1: fcb0ee44436230d924b2550fc9935ee76f2498fe
- SHA256: 2a4415721925c12ce8a80719697ffbda5daf88fe34804b0549bc5d5605790cdb
- SHA512: e34f724dc4a7837ff86ed5d5214e1ed22e5643bbd45f881066b05b4ae4766a6330a48db8e4ef8dcee9ca8bf5ace43d987a667f62ea086992d2ff1ee24875889d
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: cxep
Signatures
-
Xloader Payload (3 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/760-119-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
  behavioral2/memory/760-122-0x00000000004F0000-0x000000000063A000-memory.dmp   xloader
  behavioral2/memory/3792-125-0x0000000002630000-0x0000000002659000-memory.dmp  xloader
-
Loads dropped DLL (1 IoC)
Processes:
  pid   process
  2764  HIRE SOA FOR DEC_2021.exe
-
Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description                          pid   process                    target process
  PID 2764 set thread context of 760   2764  HIRE SOA FOR DEC_2021.exe  HIRE SOA FOR DEC_2021.exe
  PID 760 set thread context of 2892   760   HIRE SOA FOR DEC_2021.exe  Explorer.EXE
  PID 3792 set thread context of 2892  3792  control.exe                Explorer.EXE
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes:
  pid   process                    hits
  760   HIRE SOA FOR DEC_2021.exe  4
  3792  control.exe                56
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid   process
  2892  Explorer.EXE
-
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
  pid   process                    hits
  760   HIRE SOA FOR DEC_2021.exe  3
  3792  control.exe                2
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  760   HIRE SOA FOR DEC_2021.exe
  Token: SeDebugPrivilege  3792  control.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                       pid   process                    target process             hits
  PID 2764 wrote to memory of 760   2764  HIRE SOA FOR DEC_2021.exe  HIRE SOA FOR DEC_2021.exe  6
  PID 2892 wrote to memory of 3792  2892  Explorer.EXE               control.exe                3
  PID 3792 wrote to memory of 540   3792  control.exe                cmd.exe                    3
Processes
-
(level 1) C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  -
  (level 2) C:\Users\Admin\AppData\Local\Temp\HIRE SOA FOR DEC_2021.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\HIRE SOA FOR DEC_2021.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    -
    (level 3) C:\Users\Admin\AppData\Local\Temp\HIRE SOA FOR DEC_2021.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\HIRE SOA FOR DEC_2021.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  -
  (level 2) C:\Windows\SysWOW64\autofmt.exe
    Command line: "C:\Windows\SysWOW64\autofmt.exe"
  -
  (level 2) C:\Windows\SysWOW64\control.exe
    Command line: "C:\Windows\SysWOW64\control.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    (level 3) C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\HIRE SOA FOR DEC_2021.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nscD5B2.tmp\sdxajjgxerh.dll
  MD5: 0bccdbf53def482e16174cd6488e0ced
  SHA1: b33612410abdbc5644292052c943ef5cc21f73a2
  SHA256: da9cdfe0680a235bc1ef297eaa6cf5723f34b95a043700e8ace1bd8c24ce974c
  SHA512: 68b4d0fe21b58486fc07b53f57b75fe509e858fafdd79b300dfb93e521cb2400693a3f18ae8ad941bfddca88fa6941abf0b83d373ca7da8c530254d8e9905846
-
memory/760-119-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
-
memory/760-121-0x0000000000A60000-0x0000000000D80000-memory.dmp
  Filesize: 3.1MB
-
memory/760-122-0x00000000004F0000-0x000000000063A000-memory.dmp
  Filesize: 1.3MB
-
memory/2892-123-0x00000000031A0000-0x0000000003267000-memory.dmp
  Filesize: 796KB
-
memory/2892-128-0x0000000005510000-0x00000000055A5000-memory.dmp
  Filesize: 596KB
-
memory/3792-124-0x0000000000240000-0x0000000000260000-memory.dmp
  Filesize: 128KB
-
memory/3792-125-0x0000000002630000-0x0000000002659000-memory.dmp
  Filesize: 164KB
-
memory/3792-126-0x0000000004480000-0x00000000047A0000-memory.dmp
  Filesize: 3.1MB
-
memory/3792-127-0x0000000004140000-0x00000000042D3000-memory.dmp
  Filesize: 1.6MB