Analysis
max time kernel: 119s
max time network: 135s
platform: windows7_x64
resource: win7-en-20211208
submitted: 30-01-2022 00:19
Static task: static1
Behavioral task: behavioral1
Sample: 9fe9d14b0dfe4fd0006b432eb8acb4bbba782da6071fb4ca50676a1ebb73958f.exe
Resource: win7-en-20211208
General
Target: 9fe9d14b0dfe4fd0006b432eb8acb4bbba782da6071fb4ca50676a1ebb73958f.exe
Size: 286KB
MD5: 6dca73a65b62eb5f40cc45ec4085f695
SHA1: 5a478b2dd4ba1bcfaeec8cde0d5ff7f6e8bd9798
SHA256: 9fe9d14b0dfe4fd0006b432eb8acb4bbba782da6071fb4ca50676a1ebb73958f
SHA512: 9a23ab54b531436b52f870ad80241eefa843f66f18279dfdf1f263a4008b98aba2f30f37d55e497d4b2de9259217687feef5f59c0d978d969f4b7509d8d44800
Malware Config
Extracted
xloader
2.5
hpin
lalashealingplace.com
melaniealdridgephotography.com
ss3369.com
career-bliss.com
handelbabu.quest
larryhover.com
xyz-vr.xyz
telvicedemo.net
aaakk95.com
follow-er.com
thepiwarrior.com
dgltqd.com
dailyswee.com
tonymoney.net
earthsidesoulalchemist.com
meditatieleeuwarden.online
blancorealtor.com
xn--erhardlohmller-psb.gmbh
coachtobetter.info
singpost.agency
cryptovikings.art
abovetherootsgrower.com
steeltoilets.com
ugearup.com
catchotter.com
jamesstewartjr.com
jaysmhp.com
emotionfocusedapproaches.com
asamanagement.xyz
gillbane.com
supremepeak.net
logicalstrength.com
kuaiyicai.net
lappajarvi-info.com
babyfaceskincare86.com
luxuryhomesinpinellas.com
fitnessbymargaret.com
combatcollective.com
tremas25.com
ytfusion.com
les-ptites-pepites.com
gritnail.store
endosstore.com
deeznft.com
bits-clicks.com
reviewercasino.com
bets-bc-pvitt.xyz
mussten-viva.com
vegan-mexican.com
allsystemnow.online
mylimitlesssuccess.com
su458.com
gombc-a02.com
revuedrh.com
presidentfun.com
aragonproductions.com
iphone13.computer
codingnesia.tech
taiycwyb.com
asesoriasfinancieras.xyz
gxystgs.com
brilliantyard.com
mediationmattersgc.com
healingprotection.com
smgraphicdesign.com
Signatures
Xloader Payload 1 IoCs
Processes:
resource: behavioral1/memory/996-57-0x0000000000400000-0x0000000000429000-memory.dmp; yara_rule: xloader
Loads dropped DLL 1 IoCs
Processes:
pid 1612; process 9fe9d14b0dfe4fd0006b432eb8acb4bbba782da6071fb4ca50676a1ebb73958f.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
PID 1612 set thread context of 996; process 9fe9d14b0dfe4fd0006b432eb8acb4bbba782da6071fb4ca50676a1ebb73958f.exe; target process 9fe9d14b0dfe4fd0006b432eb8acb4bbba782da6071fb4ca50676a1ebb73958f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid 996; process 9fe9d14b0dfe4fd0006b432eb8acb4bbba782da6071fb4ca50676a1ebb73958f.exe
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
PID 1612 wrote to memory of 996; process 9fe9d14b0dfe4fd0006b432eb8acb4bbba782da6071fb4ca50676a1ebb73958f.exe; target process 9fe9d14b0dfe4fd0006b432eb8acb4bbba782da6071fb4ca50676a1ebb73958f.exe (recorded 7 times)
Processes
1. (depth 1) C:\Users\Admin\AppData\Local\Temp\9fe9d14b0dfe4fd0006b432eb8acb4bbba782da6071fb4ca50676a1ebb73958f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9fe9d14b0dfe4fd0006b432eb8acb4bbba782da6071fb4ca50676a1ebb73958f.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
2. (depth 2) C:\Users\Admin\AppData\Local\Temp\9fe9d14b0dfe4fd0006b432eb8acb4bbba782da6071fb4ca50676a1ebb73958f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9fe9d14b0dfe4fd0006b432eb8acb4bbba782da6071fb4ca50676a1ebb73958f.exe"
   - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
\Users\Admin\AppData\Local\Temp\nsi3959.tmp\ibwyftbm.dll
MD5: 93ce7ab994c53abf143cbef9bfa7b1d7
SHA1: f3ea2dfb85164c5250569d30d49a73630c4077a1
SHA256: 12b6aacfc7ef2ad9053d0d936fa75553d7a2081dbb61fdd33c78f75db3a0fe28
SHA512: 8c212e68878587b1181cd94e333ebd4de77b26ff4fff0ae2fe71e1cc77fce90b05e8edbda3fe049d60cd4d0bff53e0ba35e2869e304c541f4553a1ed353a6a3a
memory/996-57-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize: 164KB
memory/996-58-0x00000000008D0000-0x0000000000BD3000-memory.dmp
Filesize: 3.0MB
memory/1612-55-0x0000000075F81000-0x0000000075F83000-memory.dmp
Filesize: 8KB