Analysis
max time kernel: 154s
max time network: 142s
platform: windows7_x64
resource: win7-en-20211208
submitted: 08-02-2022 01:25
Static task: static1
Behavioral task: behavioral1
Sample: 2021_036,pdf.exe
Resource: win7-en-20211208
General
Target: 2021_036,pdf.exe
Size: 220KB
MD5: 251729c3c3a66cb76aab3fe702145906
SHA1: 19ecdee079a7abb02a82781af0e14d5a7f54705f
SHA256: 5f3be7bf52d0617f50d8dcf095edc606854a589a94f2ac8186d6b9406960aa86
SHA512: e2d7af9a4be4b86cd1fd08e40f297b8cf417f8977986ce7832bf73f797cca7a05da5ea5398df8ff155d3a8087ed5c8a00ce5b2676509a8c667c081b7db77b9a0
Malware Config
Extracted
Family: xloader
Version: 2.3
Campaign: gh6n
Decoy domains:
cpschoolsschoology.com
thestocksforum.com
pixiewish.com
sopressd.com
muktokontha.com
tiejiabang.net
fdo.technology
kuringnl.com
barbarapastor.com
21stcenturytrading.com
digiwarung.com
canvafynyc.com
forfaitinghouse.com
3704368.com
mymonwero.com
ponpow.com
fringe.golf
heartfeltindonesia.com
defensivedrivercpc.com
allaboutgt.com
truerootsgroups.com
thatsfreakinridiculous.net
soulmohal.com
socalyardspotter.com
pmpts.com
ypb.xyz
tecs777.com
coimpexp-fab.com
romulusphotographer.com
spaceoffsexs.space
eatingdisordersnutrition.com
crackedappel.net
fore-all-llc.com
satishkasetty.com
itallcomesdown.com
ireneverda.com
mylenenadon.com
xn--zrz537c.com
treemuebles.com
iseyararbilgiler.com
mypinnacledesign.com
opvine.com
fenixcartagena.com
schiffrealty.net
lumbuy.com
seanwidmier.com
bondarizati.com
a1bulkemail.com
beuatifulbigwomen.website
nadyadheshop.com
clasificadosvallarta.com
magestosopneus.online
klub65.com
sexrobocabs.com
titanshop.info
valuecaptain.com
bostonm.info
standonir.com
acrellp.xyz
miyumiyuchancosplay.com
victorcarvalhooficial.com
bidaitosou.com
timership.com
cathbilson.com
aslionlinestore.com
Signatures

Xloader Payload (2 IoCs)
resource                                                                     yara_rule
behavioral1/memory/460-59-0x0000000000400000-0x0000000000428000-memory.dmp   xloader
behavioral1/memory/1412-65-0x0000000000090000-0x00000000000B8000-memory.dmp  xloader

Deletes itself (1 IoC)
pid   process
1392  cmd.exe

Loads dropped DLL (2 IoCs)
pid   process
1568  2021_036,pdf.exe
1568  2021_036,pdf.exe

Suspicious use of SetThreadContext (3 IoCs)
description                          pid   process           target process
PID 1568 set thread context of 460   1568  2021_036,pdf.exe  2021_036,pdf.exe
PID 460 set thread context of 1372   460   2021_036,pdf.exe  Explorer.EXE
PID 1412 set thread context of 1372  1412  msiexec.exe       Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (29 IoCs)
pid   process           entries
1568  2021_036,pdf.exe  4
460   2021_036,pdf.exe  2
1412  msiexec.exe       23

Suspicious behavior: MapViewOfSection (6 IoCs)
pid   process           entries
1568  2021_036,pdf.exe  1
460   2021_036,pdf.exe  3
1412  msiexec.exe       2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   process
Token: SeDebugPrivilege  460   2021_036,pdf.exe
Token: SeDebugPrivilege  1412  msiexec.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid   process       entries
1372  Explorer.EXE  2

Suspicious use of SendNotifyMessage (2 IoCs)
pid   process       entries
1372  Explorer.EXE  2

Suspicious use of WriteProcessMemory (16 IoCs)
description                          pid   process           target process    entries
PID 1568 wrote to memory of 460      1568  2021_036,pdf.exe  2021_036,pdf.exe  5
PID 1372 wrote to memory of 1412     1372  Explorer.EXE      msiexec.exe       7
PID 1412 wrote to memory of 1392     1412  msiexec.exe       cmd.exe           4
Processes

[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\2021_036,pdf.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\2021_036,pdf.exe"
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\2021_036,pdf.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\2021_036,pdf.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\msiexec.exe
        command line: "C:\Windows\SysWOW64\msiexec.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            command line: /c del "C:\Users\Admin\AppData\Local\Temp\2021_036,pdf.exe"
            - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\Users\Admin\AppData\Local\Temp\Isdjek.dll
  MD5: 7183a8b8bb7e8b4712ffa8720476909c
  SHA1: 0819caf4c801c7877832442b47d6149143e1ebc4
  SHA256: 9d254261d58e3d155775c785039ecc7afa053c1e0b1d7eed2ff203101da48ddc
  SHA512: 21e7242f7f80d390a1f930594df78797340d8178a90da59ed9f0ee78f9b7b9cac0bc379637b25d5ca059fe0f2ff26b1e40926fb5597da4fe23dcbbb5b2ab254e

\Users\Admin\AppData\Local\Temp\nsy401D.tmp\System.dll
  MD5: fccff8cb7a1067e23fd2e2b63971a8e1
  SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

memory/460-59-0x0000000000400000-0x0000000000428000-memory.dmp
  Filesize: 160KB

memory/460-60-0x0000000000770000-0x0000000000A73000-memory.dmp
  Filesize: 3.0MB

memory/460-61-0x0000000000200000-0x0000000000210000-memory.dmp
  Filesize: 64KB

memory/1372-62-0x0000000003A00000-0x0000000003AEC000-memory.dmp
  Filesize: 944KB

memory/1372-68-0x0000000008D00000-0x0000000008E43000-memory.dmp
  Filesize: 1.3MB

memory/1412-64-0x0000000000200000-0x0000000000214000-memory.dmp
  Filesize: 80KB

memory/1412-65-0x0000000000090000-0x00000000000B8000-memory.dmp
  Filesize: 160KB

memory/1412-66-0x0000000002270000-0x0000000002573000-memory.dmp
  Filesize: 3.0MB

memory/1412-67-0x0000000001FA0000-0x000000000202F000-memory.dmp
  Filesize: 572KB

memory/1568-55-0x0000000076371000-0x0000000076373000-memory.dmp
  Filesize: 8KB