Analysis
- max time kernel: 165s
- max time network: 171s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-01-2022 00:19
Static task: static1
Behavioral task: behavioral1
Sample: PO6312.exe
Resource: win7-en-20211208
General
- Target: PO6312.exe
- Size: 286KB
- MD5: 6dca73a65b62eb5f40cc45ec4085f695
- SHA1: 5a478b2dd4ba1bcfaeec8cde0d5ff7f6e8bd9798
- SHA256: 9fe9d14b0dfe4fd0006b432eb8acb4bbba782da6071fb4ca50676a1ebb73958f
- SHA512: 9a23ab54b531436b52f870ad80241eefa843f66f18279dfdf1f263a4008b98aba2f30f37d55e497d4b2de9259217687feef5f59c0d978d969f4b7509d8d44800
Malware Config
Extracted
xloader
2.5
hpin
lalashealingplace.com
melaniealdridgephotography.com
ss3369.com
career-bliss.com
handelbabu.quest
larryhover.com
xyz-vr.xyz
telvicedemo.net
aaakk95.com
follow-er.com
thepiwarrior.com
dgltqd.com
dailyswee.com
tonymoney.net
earthsidesoulalchemist.com
meditatieleeuwarden.online
blancorealtor.com
xn--erhardlohmller-psb.gmbh
coachtobetter.info
singpost.agency
cryptovikings.art
abovetherootsgrower.com
steeltoilets.com
ugearup.com
catchotter.com
jamesstewartjr.com
jaysmhp.com
emotionfocusedapproaches.com
asamanagement.xyz
gillbane.com
supremepeak.net
logicalstrength.com
kuaiyicai.net
lappajarvi-info.com
babyfaceskincare86.com
luxuryhomesinpinellas.com
fitnessbymargaret.com
combatcollective.com
tremas25.com
ytfusion.com
les-ptites-pepites.com
gritnail.store
endosstore.com
deeznft.com
bits-clicks.com
reviewercasino.com
bets-bc-pvitt.xyz
mussten-viva.com
vegan-mexican.com
allsystemnow.online
mylimitlesssuccess.com
su458.com
gombc-a02.com
revuedrh.com
presidentfun.com
aragonproductions.com
iphone13.computer
codingnesia.tech
taiycwyb.com
asesoriasfinancieras.xyz
gxystgs.com
brilliantyard.com
mediationmattersgc.com
healingprotection.com
smgraphicdesign.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/988-119-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/988-122-0x00000000004F0000-0x000000000063A000-memory.dmp | xloader
behavioral2/memory/2220-125-0x0000000002830000-0x0000000002859000-memory.dmp | xloader
behavioral2/memory/2220-127-0x00000000042B0000-0x000000000444C000-memory.dmp | xloader
-
Blocklisted process makes network request 1 IoCs
Processes: rundll32.exe
flow | pid | process
52 | 2220 | rundll32.exe
-
Loads dropped DLL 1 IoCs
Processes: PO6312.exe
pid | process
3296 | PO6312.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes: PO6312.exe, rundll32.exe
description | pid | process | target process
PID 3296 set thread context of 988 | 3296 | PO6312.exe | PO6312.exe
PID 988 set thread context of 3040 | 988 | PO6312.exe | Explorer.EXE
PID 2220 set thread context of 3040 | 2220 | rundll32.exe | Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
Processes: PO6312.exe, rundll32.exe
pid | process
988 | PO6312.exe (4 rows)
2220 | rundll32.exe (54 rows)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid | process
3040 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes: PO6312.exe, rundll32.exe
pid | process
988 | PO6312.exe
988 | PO6312.exe
988 | PO6312.exe
2220 | rundll32.exe
2220 | rundll32.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: PO6312.exe, rundll32.exe
description | pid | process
Token: SeDebugPrivilege | 988 | PO6312.exe
Token: SeDebugPrivilege | 2220 | rundll32.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes: PO6312.exe, Explorer.EXE, rundll32.exe
description | pid | process | target process
PID 3296 wrote to memory of 988 | 3296 | PO6312.exe | PO6312.exe
PID 3296 wrote to memory of 988 | 3296 | PO6312.exe | PO6312.exe
PID 3296 wrote to memory of 988 | 3296 | PO6312.exe | PO6312.exe
PID 3296 wrote to memory of 988 | 3296 | PO6312.exe | PO6312.exe
PID 3296 wrote to memory of 988 | 3296 | PO6312.exe | PO6312.exe
PID 3296 wrote to memory of 988 | 3296 | PO6312.exe | PO6312.exe
PID 3040 wrote to memory of 2220 | 3040 | Explorer.EXE | rundll32.exe
PID 3040 wrote to memory of 2220 | 3040 | Explorer.EXE | rundll32.exe
PID 3040 wrote to memory of 2220 | 3040 | Explorer.EXE | rundll32.exe
PID 2220 wrote to memory of 728 | 2220 | rundll32.exe | cmd.exe
PID 2220 wrote to memory of 728 | 2220 | rundll32.exe | cmd.exe
PID 2220 wrote to memory of 728 | 2220 | rundll32.exe | cmd.exe
Processes
-
C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), level 1
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PO6312.exe (command line: "C:\Users\Admin\AppData\Local\Temp\PO6312.exe"), level 2
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PO6312.exe (command line: "C:\Users\Admin\AppData\Local\Temp\PO6312.exe"), level 3
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe (command line: "C:\Windows\SysWOW64\rundll32.exe"), level 2
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (command line: /c del "C:\Users\Admin\AppData\Local\Temp\PO6312.exe"), level 3
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nsx15A8.tmp\ibwyftbm.dll
MD5 93ce7ab994c53abf143cbef9bfa7b1d7
SHA1 f3ea2dfb85164c5250569d30d49a73630c4077a1
SHA256 12b6aacfc7ef2ad9053d0d936fa75553d7a2081dbb61fdd33c78f75db3a0fe28
SHA512 8c212e68878587b1181cd94e333ebd4de77b26ff4fff0ae2fe71e1cc77fce90b05e8edbda3fe049d60cd4d0bff53e0ba35e2869e304c541f4553a1ed353a6a3a
-
memory/988-119-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize 164KB
-
memory/988-121-0x0000000000AB0000-0x0000000000DD0000-memory.dmp
Filesize 3.1MB
-
memory/988-122-0x00000000004F0000-0x000000000063A000-memory.dmp
Filesize 1.3MB
-
memory/2220-124-0x0000000000340000-0x0000000000353000-memory.dmp
Filesize 76KB
-
memory/2220-125-0x0000000002830000-0x0000000002859000-memory.dmp
Filesize 164KB
-
memory/2220-126-0x00000000045E0000-0x0000000004900000-memory.dmp
Filesize 3.1MB
-
memory/2220-127-0x00000000042B0000-0x000000000444C000-memory.dmp
Filesize 1.6MB
-
memory/3040-123-0x0000000005410000-0x0000000005560000-memory.dmp
Filesize 1.3MB
-
memory/3040-128-0x0000000002E00000-0x0000000002EF8000-memory.dmp
Filesize 992KB