Analysis
max time kernel: 112s
max time network: 130s
platform: windows10_x64
resource: win10-en-20211208
submitted: 31-01-2022 12:31
Static task: static1
General
Target: ba46838d8445539ef9360355459abfdf8d0932d80f26cd8682fbaf2a236461da.exe
Size: 412KB
MD5: a75c88bdafcead6c2096d01dc8f2f052
SHA1: d36d981a34f591eada1df8ea230bbfbdcbd6bf97
SHA256: ba46838d8445539ef9360355459abfdf8d0932d80f26cd8682fbaf2a236461da
SHA512: b8d3d14112e5910d906c74c63d0208ac02e8e29b230d92bef1d7c6098a65c0b7660841a5fcefebaf96edf969cdeda62282cd642d56c63fe711a23ea0112edd41
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: nt3f
Domains:
tricyclee.com
kxsw999.com
wisteria-pavilion.com
bellaclancy.com
promissioskincare.com
hzy001.xyz
checkouthomehd.com
soladere.com
point4sales.com
socalmafia.com
libertadysarmiento.online
nftthirty.com
digitalgoldcryptostock.net
tulekiloscaird.com
austinfishandchicken.com
wlxxch.com
mgav51.xyz
landbanking.global
saprove.com
babyfaces.skin
elainemaxwellcoaching.com
1388xc.com
juveniscloud.com
bsauksjon.com
the-waterkooler.com
comment-changer-sa-vie.com
psmcnd.top
rhodesleadingedge.com
mccuelawfirm.com
skinnscience.club
hype-clicks.com
liaojinc.xyz
okmakers.com
ramblertour.online
wickedhunterworld.com
fit-threads.com
cookidoo.website
magentabin.com
pynch1.com
best-paper-to-know-today.info
allmight.net
monicraftsprintables.com
avataroasis.com
10dian-4.com
cozastore.net
capitalcased.com
spacezanome.xyz
feiyangmi.com
11opus.com
getinteriorsolution.com
tidyhutstore.com
amazingpomskyfamily.com
tfcvintage.com
halfanape.com
rotakb.com
martinasfood.com
the-thanks.com
mithilmehta.com
em-photo.art
primerepro.com
lankasirinspa.com
gtbaibang.com
zealandiatobacco.com
deepikatransportpackers.com
eagle-meter.com
Signatures

Xloader Payload (1 IoCs)
  resource: behavioral1/memory/2204-119-0x0000000000400000-0x0000000000429000-memory.dmp
  yara_rule: xloader

Loads dropped DLL (1 IoCs)
  pid 2712, process ba46838d8445539ef9360355459abfdf8d0932d80f26cd8682fbaf2a236461da.exe

Suspicious use of SetThreadContext (1 IoCs)
  PID 2712 (ba46838d8445539ef9360355459abfdf8d0932d80f26cd8682fbaf2a236461da.exe) set thread context of 2204 (target process ba46838d8445539ef9360355459abfdf8d0932d80f26cd8682fbaf2a236461da.exe)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2204, process ba46838d8445539ef9360355459abfdf8d0932d80f26cd8682fbaf2a236461da.exe
  pid 2204, process ba46838d8445539ef9360355459abfdf8d0932d80f26cd8682fbaf2a236461da.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  6 entries, each: PID 2712 (ba46838d8445539ef9360355459abfdf8d0932d80f26cd8682fbaf2a236461da.exe) wrote to memory of 2204 (target process ba46838d8445539ef9360355459abfdf8d0932d80f26cd8682fbaf2a236461da.exe)
Processes

1. C:\Users\Admin\AppData\Local\Temp\ba46838d8445539ef9360355459abfdf8d0932d80f26cd8682fbaf2a236461da.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\ba46838d8445539ef9360355459abfdf8d0932d80f26cd8682fbaf2a236461da.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. (child of 1) C:\Users\Admin\AppData\Local\Temp\ba46838d8445539ef9360355459abfdf8d0932d80f26cd8682fbaf2a236461da.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\ba46838d8445539ef9360355459abfdf8d0932d80f26cd8682fbaf2a236461da.exe"
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\Users\Admin\AppData\Local\Temp\nslD2E3.tmp\pxitlcdz.dll
MD5: 606d2bcc416fc37c03e554be57b99395
SHA1: 1ef604a21f62cbd9039b5b7dec49d74fcc69aa4c
SHA256: 11b98384fa90009836cbbf1798b535759bb166278dd0e855dcef2e851720832b
SHA512: 63cea78cece3875a839ca62e82db4d9caef7071af6964421f4cfbcb18299c1a7636c69d759f8e134ad74ab968f98be15b6939a660e3299417276a13dcae5ddde

memory/2204-119-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize: 164KB

memory/2204-120-0x0000000000A30000-0x0000000000D50000-memory.dmp
Filesize: 3.1MB