Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-en-20211208
submitted: 30-01-2022 12:46
Static task: static1
Behavioral task: behavioral1
Sample: b95b2708e33befda87ea5e9970f51f8fb92741b4ccf59ba6e0e81bca5a10aa1b.exe
Resource: win7-en-20211208
General
Target: b95b2708e33befda87ea5e9970f51f8fb92741b4ccf59ba6e0e81bca5a10aa1b.exe
Size: 470KB
MD5: b3dfff5713cd5c14b318b5e8d03f165f
SHA1: 1086c8695b1475bdefced78b602fab5c684e03e6
SHA256: b95b2708e33befda87ea5e9970f51f8fb92741b4ccf59ba6e0e81bca5a10aa1b
SHA512: 690768d0fe8ec516530df185dd263097ad3657673c21bd3d7547f90b9061443bd650ff88336b162612390705b9364666e4192c081a465d138ad2239489889cbb
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: quc5
Domains (XLoader, like Formbook before it, embeds decoy domains alongside its real C2, so treat this list as mixed; the report does not say which entry is live):
writerpilotpublishing.com
journeywands.com
madacambo.com
boreslirealestate.com
drillshear.com
urbanmastic.com
focalbunk.com
ghpgroupinc.xyz
rfgmhnvf.com
241mk.com
mandolinzen.com
thenorthstarbets.com
oggperformancehorses.com
webuywholesalerhouses.com
cinreyyy.com
theyoungwedding.com
neuro-ai-web-ru.digital
zavienniky.xyz
kin-school.com
lowratepersonalloans.com
reddindesignco.com
w-planning21.com
contactcenter2.email
bizarrefuid.com
pngok.net
trasportocargo.com
litecoinpricescam.com
klovaperon.quest
ericpcensi.com
gra68.net
bmsr.mobi
phukienstreaming.com
spojed.store
gesips.com
andrewarchitect.com
sifangktv.info
xd16880.com
tudineroenvenezuela.com
scakw.com
sittingysxtfy.xyz
suckit-ice.com
spryget.com
servionexpress.com
dobuncou.xyz
williswear.com
alvinceremiaam.xyz
kashmanltd.com
thebeautydisruptor.com
sherrilyndale.com
edn-by-fges.net
megaverse.estate
albatrosstextile.com
isabel-mirandol.com
jaawo.com
digitalrajputsamaj.com
capital11.store
bortovoycomputezzerkalo.online
tamankertamukti.com
targethic.tech
1006e.com
sahin.business
gosecure.info
spasalonsuite.com
kasko-sigorta.com
augiesautopainting.com
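The extracted config is mostly useful as a hunting list. The following added example (mine, not from the report or the sandbox) matches a constructed DNS query log against a subset of the domains above, walking label boundaries so that subdomains match but look-alike names do not, and ranks clients by how many distinct config domains they resolved. The caveat is in the config itself: XLoader, like Formbook, ships decoy domains alongside its real C2 and the report does not say which entry is live, so one resolution of one of these names is a lead rather than a verdict. The log format is invented for the example; real resolver logs need their own parser.

```python
"""Match DNS query logs against the domain list from an extracted XLoader config.

Added example, not part of the sandbox report. The log format is constructed.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# A subset of the 65 domains from the extracted config above. XLoader embeds decoy
# domains next to its real C2, so every entry is a lead, not a verdict.
XLOADER_DOMAINS = [
    "writerpilotpublishing.com",
    "journeywands.com",
    "madacambo.com",
    "boreslirealestate.com",
    "neuro-ai-web-ru.digital",
    "klovaperon.quest",
    "capital11.store",
    "augiesautopainting.com",
]

# Constructed sample log, one "<timestamp> <client_ip> <qname>" record per line.
SAMPLE_DNS_LOG = """\
2022-01-30T12:47:01Z 10.0.0.15 www.madacambo.com
2022-01-30T12:47:02Z 10.0.0.15 MADACAMBO.COM.
2022-01-30T12:47:05Z 10.0.0.22 update.microsoft.com
2022-01-30T12:47:09Z 10.0.0.15 cdn.neuro-ai-web-ru.digital
2022-01-30T12:47:11Z 10.0.0.31 notmadacambo.com
2022-01-30T12:47:15Z 10.0.0.31 capital11.store
malformed line
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")


def normalize(name: str) -> str:
    """Lowercase and strip the trailing dot that DNS logs often carry."""
    return name.strip().lower().rstrip(".")


def match_domain(qname: str, domains: Set[str]) -> Optional[str]:
    """Return the config domain that qname equals or is a subdomain of, else None.

    Walks label boundaries, so 'notmadacambo.com' does not match 'madacambo.com'
    and a bare TLD never matches anything.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def hunt(log_text: str, domains: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, normalized qname, matched config domain) for every hit."""
    wanted = {normalize(d) for d in domains}
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip records that do not parse rather than guessing
        _ts, client, qname = m.groups()
        hit = match_domain(qname, wanted)
        if hit:
            hits.append((client, normalize(qname), hit))
    return hits


def clients_by_hit_count(hits: List[Tuple[str, str, str]]) -> List[Tuple[str, int]]:
    """Rank clients by the number of distinct config domains they resolved.

    Several distinct hits from one host is a stronger signal than a single hit on
    what may be a legitimate decoy site.
    """
    seen: Dict[str, Set[str]] = {}
    for client, _qname, domain in hits:
        seen.setdefault(client, set()).add(domain)
    return sorted(((c, len(d)) for c, d in seen.items()), key=lambda item: -item[1])


if __name__ == "__main__":
    found = hunt(SAMPLE_DNS_LOG, XLOADER_DOMAINS)
    for record in found:
        print(record)
    print(clients_by_hit_count(found))
```

Feed `hunt` the full 65-entry list when running this against real logs; the subset here only exercises the matcher.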
Signatures

Xloader Payload (3 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/648-56-0x0000000000400000-0x000000000044A000-memory.dmp  xloader
  behavioral1/memory/648-58-0x0000000004410000-0x0000000004439000-memory.dmp  xloader
  behavioral1/memory/648-59-0x0000000000400000-0x000000000044A000-memory.dmp  xloader

Loads dropped DLL (1 IoCs)
  pid 1688   process: b95b2708e33befda87ea5e9970f51f8fb92741b4ccf59ba6e0e81bca5a10aa1b.exe

Suspicious use of SetThreadContext (1 IoCs)
  1x  PID 1688 set thread context of 648   process: b95b2708e33befda87ea5e9970f51f8fb92741b4ccf59ba6e0e81bca5a10aa1b.exe   target process: b95b2708e33befda87ea5e9970f51f8fb92741b4ccf59ba6e0e81bca5a10aa1b.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but nothing else in this report supports that reading (no mass file writes, no ransom note); the payload signatures identify XLoader, an information stealer, and drive enumeration is equally consistent with sandbox checks or host profiling.
Program crash (1 IoCs)
  pid 1220   pid_target 648   process: WerFault.exe   target process: b95b2708e33befda87ea5e9970f51f8fb92741b4ccf59ba6e0e81bca5a10aa1b.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  4x  pid 1220   process: WerFault.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  1x  pid 1220   process: WerFault.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege   pid 1220   process: WerFault.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  11x  PID 1688 wrote to memory of 648    process: b95b2708e33befda87ea5e9970f51f8fb92741b4ccf59ba6e0e81bca5a10aa1b.exe   target process: b95b2708e33befda87ea5e9970f51f8fb92741b4ccf59ba6e0e81bca5a10aa1b.exe
   4x  PID 648 wrote to memory of 1220    process: b95b2708e33befda87ea5e9970f51f8fb92741b4ccf59ba6e0e81bca5a10aa1b.exe   target process: WerFault.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\b95b2708e33befda87ea5e9970f51f8fb92741b4ccf59ba6e0e81bca5a10aa1b.exe (PID 1688)
   command line: "C:\Users\Admin\AppData\Local\Temp\b95b2708e33befda87ea5e9970f51f8fb92741b4ccf59ba6e0e81bca5a10aa1b.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\b95b2708e33befda87ea5e9970f51f8fb92741b4ccf59ba6e0e81bca5a10aa1b.exe (PID 648, child of 1688)
      command line: "C:\Users\Admin\AppData\Local\Temp\b95b2708e33befda87ea5e9970f51f8fb92741b4ccf59ba6e0e81bca5a10aa1b.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WerFault.exe (PID 1220, child of 648)
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 524
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
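The signature rows above are enough to reconstruct the injection chain. The following added example (mine, not the sandbox's code) parses rows retyped in the report's own layout and applies a classification rule of its own: a source/target pair that shows both WriteProcessMemory and SetThreadContext is treated as process hollowing (write a payload into a suspended child, then redirect its thread), and writes into WerFault.exe with no thread-context change are treated as the crash-reporting handshake. Two things the tree itself tells you: the child that hits the Xloader yara rule is the one that crashed (WerFault reports -p 648), so the run may have ended before any network activity, and WerFault running from SysWOW64 on this x64 guest shows the hollowed child is a 32-bit process.

```python
"""Reconstruct the injection chain from sandbox signature rows.

Added example, not part of the sandbox report. The rows are the report's
WriteProcessMemory and SetThreadContext entries retyped one per row; the
classification rules are this example's own.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE = "b95b2708e33befda87ea5e9970f51f8fb92741b4ccf59ba6e0e81bca5a10aa1b.exe"

# Row layout as printed in the report:
#   "PID <src> <action> <dst> <src> <src image> <dst image>"
SIGNATURE_ROWS = (
    [f"PID 1688 set thread context of 648 1688 {SAMPLE} {SAMPLE}"]
    + [f"PID 1688 wrote to memory of 648 1688 {SAMPLE} {SAMPLE}"] * 11
    + [f"PID 648 wrote to memory of 1220 648 {SAMPLE} WerFault.exe"] * 4
)

ROW = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\S+)$"
)

Edge = Tuple[int, int]  # (source pid, target pid)


def parse_rows(rows: List[str]) -> Dict[Edge, dict]:
    """Group rows by (src, dst) edge, counting each action on that edge."""
    edges: Dict[Edge, dict] = {}
    for row in rows:
        m = ROW.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        src, action, dst, src_img, dst_img = m.groups()
        entry = edges.setdefault(
            (int(src), int(dst)), {"images": (src_img, dst_img), "actions": defaultdict(int)}
        )
        entry["actions"][action] += 1
    return edges


def classify(edges: Dict[Edge, dict]) -> Dict[Edge, str]:
    """Label each edge.

    Hollowing needs both a cross-process write and a thread-context change on the
    same edge. A same-image target makes it more specific: the sample respawned a
    copy of itself as the host. Writes into WerFault.exe with no context change
    are the crash-reporting handshake, not injection.
    """
    verdicts: Dict[Edge, str] = {}
    for edge, info in edges.items():
        acts = info["actions"]
        src_img, dst_img = info["images"]
        wrote = acts.get("wrote to memory of", 0)
        ctx = acts.get("set thread context of", 0)
        if wrote and ctx:
            verdict = "process hollowing"
            if src_img == dst_img:
                verdict += " (self-injection into a child copy)"
        elif wrote and dst_img.lower() == "werfault.exe":
            verdict = "crash reporting handshake"
        elif wrote:
            verdict = "cross-process write (review)"
        else:
            verdict = "thread context change without write (review)"
        verdicts[edge] = verdict
    return verdicts


def injection_chain(edges: Dict[Edge, dict]) -> List[int]:
    """Order pids from the root writer down: parent -> hollowed child -> WerFault."""
    children: Dict[int, List[int]] = defaultdict(list)
    targets = set()
    for src, dst in edges:
        children[src].append(dst)
        targets.add(dst)
    chain: List[int] = []

    def walk(pid: int) -> None:
        chain.append(pid)
        for child in children.get(pid, []):
            walk(child)

    for root in [s for s in children if s not in targets]:
        walk(root)
    return chain


if __name__ == "__main__":
    parsed = parse_rows(SIGNATURE_ROWS)
    for edge, verdict in classify(parsed).items():
        print(edge, verdict)
    print("chain:", injection_chain(parsed))
```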
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
\Users\Admin\AppData\Local\Temp\nsoE84.tmp\ekow.dll
  MD5: 4255f992dca6609afe2290b6e31d7e7b
  SHA1: 462ebc74c1078dc04460d4e0403a8adf74d11adb
  SHA256: f774b50cdcf20dbf9515d6051776e4d7fb7ca4afd2ddb60028d72510f7575a7f
  SHA512: 52ab06e60955cd56e0c15fbcb571f0e08ca96038322e87a4938e9701e1f23a1b52b1286f189c92b564cca38e1371ed181c99d2bdee092dabd3341b42304e0006
  (The ns*.tmp directory under %TEMP% is where NSIS installers unpack their plug-in DLLs, so the "Loads dropped DLL" signature on PID 1688 is consistent with an NSIS-packaged sample whose plug-in carries the loader stage.)

memory/648-56-0x0000000000400000-0x000000000044A000-memory.dmp   Filesize: 296KB
memory/648-58-0x0000000004410000-0x0000000004439000-memory.dmp   Filesize: 164KB
memory/648-59-0x0000000000400000-0x000000000044A000-memory.dmp   Filesize: 296KB
memory/648-60-0x0000000004511000-0x0000000004512000-memory.dmp   Filesize: 4KB
memory/1220-62-0x0000000000270000-0x00000000002D0000-memory.dmp  Filesize: 384KB
memory/1688-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp  Filesize: 8KB
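The dump names encode pid and address range, which is enough to sanity-check the listing and to pick the region worth carving. The following added example (mine, not from the report or the sandbox) parses the names above, recomputes each size from the range and compares it with the listed Filesize, and selects the regions that both hit the xloader yara rule and start at 0x400000, the conventional default image base for a 32-bit executable: in a hollowed child that region is the replaced image rather than a heap buffer. Reading the middle number as an event index is an assumption; the report does not define it.

```python
"""Parse sandbox memory-dump names and cross-check them against the listed sizes.

Added example, not part of the sandbox report. Dump names follow the pattern
memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp as printed above; treating <n>
as an event index is an assumption.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# (dump name, reported Filesize, yara rule hit) copied from the report above;
# the yara column comes from the 'Xloader Payload' signature table.
REPORTED: List[Tuple[str, str, Optional[str]]] = [
    ("memory/648-56-0x0000000000400000-0x000000000044A000-memory.dmp", "296KB", "xloader"),
    ("memory/648-58-0x0000000004410000-0x0000000004439000-memory.dmp", "164KB", "xloader"),
    ("memory/648-59-0x0000000000400000-0x000000000044A000-memory.dmp", "296KB", "xloader"),
    ("memory/648-60-0x0000000004511000-0x0000000004512000-memory.dmp", "4KB", None),
    ("memory/1220-62-0x0000000000270000-0x00000000002D0000-memory.dmp", "384KB", None),
    ("memory/1688-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp", "8KB", None),
]

DUMP_NAME = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
SIZE_KB = re.compile(r"^(\d+)KB$")

# Conventional default image base of a 32-bit PE executable. A yara hit on a region
# starting here inside the hollowed child is the replaced image, not a heap buffer.
DEFAULT_IMAGE_BASE = 0x400000


class Region(NamedTuple):
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> Region:
    """Split a dump name into pid, event index and address range (rejecting inverted ranges)."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    pid, seq, start, end = m.groups()
    region = Region(int(pid), int(seq), int(start, 16), int(end, 16))
    if region.end <= region.start:
        raise ValueError(f"inverted range in {name!r}")
    return region


def check_sizes(reported) -> Dict[str, Tuple[int, int, bool]]:
    """Return {name: (computed KB, reported KB, match)}.

    A mismatch means the dump is truncated or the name was edited; either way the
    artefact should not be trusted for carving.
    """
    out = {}
    for name, size_txt, _rule in reported:
        region = parse_dump_name(name)
        reported_kb = int(SIZE_KB.match(size_txt).group(1))
        computed_kb = region.size // 1024
        out[name] = (computed_kb, reported_kb, computed_kb == reported_kb)
    return out


def payload_regions(reported) -> Dict[int, List[str]]:
    """Per pid, the dumps that hit the yara rule and sit at the default image base."""
    found: Dict[int, List[str]] = {}
    for name, _size, rule in reported:
        region = parse_dump_name(name)
        if rule and region.start == DEFAULT_IMAGE_BASE:
            found.setdefault(region.pid, []).append(name)
    return found


def pids_with_hits(reported) -> List[int]:
    """Pids that have at least one yara-positive dump."""
    return sorted({parse_dump_name(name).pid for name, _size, rule in reported if rule})


if __name__ == "__main__":
    for name, (computed, listed, ok) in check_sizes(REPORTED).items():
        print(f"{name}: computed {computed}KB, listed {listed}KB, {'ok' if ok else 'MISMATCH'}")
    print("carve candidates:", payload_regions(REPORTED))
    print("pids with hits:", pids_with_hits(REPORTED))
```

Two dumps of the same 0x400000 range (event indices 56 and 59) mean the region was captured twice; diffing them shows whether the payload kept unpacking after the first capture.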