Analysis
- max time kernel: 181s
- max time network: 190s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 08-02-2022 01:25
Static task: static1
Behavioral task: behavioral1
- Sample: 2021_036,pdf.exe
- Resource: win7-en-20211208
Note that the platform/resource lines above describe the Windows 10 run and the memory dumps and YARA hits further down are labelled behavioral2; the win7 resource listed here belongs to a separate behavioral task whose results are not shown on this page.
General
- Target: 2021_036,pdf.exe
- Size: 220KB
- MD5: 251729c3c3a66cb76aab3fe702145906
- SHA1: 19ecdee079a7abb02a82781af0e14d5a7f54705f
- SHA256: 5f3be7bf52d0617f50d8dcf095edc606854a589a94f2ac8186d6b9406960aa86
- SHA512: e2d7af9a4be4b86cd1fd08e40f297b8cf417f8977986ce7832bf73f797cca7a05da5ea5398df8ff155d3a8087ed5c8a00ce5b2676509a8c667c081b7db77b9a0
The file name is a double-extension lure: with extensions hidden, "2021_036,pdf.exe" displays as "2021_036,pdf", so the comma stands in for the dot of a PDF name while the file is a PE executable.
Malware Config
Extracted
- Family: xloader
- Version: 2.3
- Campaign: gh6n
- Domains (XLoader keeps one live C2 in this list and the rest are decoys; the implant sends beacons to decoys too, so any of these is a valid network indicator, but a single hit does not identify the real C2):
cpschoolsschoology.com
thestocksforum.com
pixiewish.com
sopressd.com
muktokontha.com
tiejiabang.net
fdo.technology
kuringnl.com
barbarapastor.com
21stcenturytrading.com
digiwarung.com
canvafynyc.com
forfaitinghouse.com
3704368.com
mymonwero.com
ponpow.com
fringe.golf
heartfeltindonesia.com
defensivedrivercpc.com
allaboutgt.com
truerootsgroups.com
thatsfreakinridiculous.net
soulmohal.com
socalyardspotter.com
pmpts.com
ypb.xyz
tecs777.com
coimpexp-fab.com
romulusphotographer.com
spaceoffsexs.space
eatingdisordersnutrition.com
crackedappel.net
fore-all-llc.com
satishkasetty.com
itallcomesdown.com
ireneverda.com
mylenenadon.com
xn--zrz537c.com
treemuebles.com
iseyararbilgiler.com
mypinnacledesign.com
opvine.com
fenixcartagena.com
schiffrealty.net
lumbuy.com
seanwidmier.com
bondarizati.com
a1bulkemail.com
beuatifulbigwomen.website
nadyadheshop.com
clasificadosvallarta.com
magestosopneus.online
klub65.com
sexrobocabs.com
titanshop.info
valuecaptain.com
bostonm.info
standonir.com
acrellp.xyz
miyumiyuchancosplay.com
victorcarvalhooficial.com
bidaitosou.com
timership.com
cathbilson.com
aslionlinestore.com
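Because the implant beacons to decoys as well as to the live C2, a single client request to one of the domains above is weak evidence, while one client reaching several of them within minutes is strong. The script below is an added example, not part of the report or of any sandbox tooling: it scans proxy log lines (the log format, client addresses and request contents are constructed for the demo) for that pattern, using a subset of the domains above and the campaign id gh6n, which XLoader beacons carry as the first path component of the request URI.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the decoy/C2 domains extracted above; in practice paste the whole list.
CONFIG_DOMAINS = {
    "cpschoolsschoology.com", "thestocksforum.com", "pixiewish.com", "sopressd.com",
    "muktokontha.com", "tiejiabang.net", "fdo.technology", "kuringnl.com",
    "lumbuy.com", "timership.com", "cathbilson.com", "aslionlinestore.com",
}
# Campaign id from the extracted config; XLoader beacon URIs use it as the first path component.
CAMPAIGN_ID = "gh6n"

# Constructed proxy log lines (assumed format: "<ISO time> <client> <method> <url> <status>").
# 10.0.0.5 shows the beacon pattern; 10.0.0.9 touches one listed domain once, as a browsing user might.
SAMPLE_LOG = """\
2022-02-08T01:30:05 10.0.0.5 GET http://www.pixiewish.com/gh6n/?Xb=QmFzZTY0&0hwt=FooBar 404
2022-02-08T01:30:11 10.0.0.5 GET http://www.muktokontha.com/gh6n/?Xb=QmFzZTY0&0hwt=FooBar 200
2022-02-08T01:30:20 10.0.0.7 GET https://www.microsoft.com/en-us/ 200
2022-02-08T01:30:52 10.0.0.5 GET http://www.tiejiabang.net/gh6n/?Xb=QmFzZTY0&0hwt=FooBar 200
2022-02-08T01:31:40 10.0.0.9 GET https://lumbuy.com/products/123 200
2022-02-08T01:32:03 10.0.0.5 GET http://www.cathbilson.com/gh6n/?Xb=QmFzZTY0&0hwt=FooBar 200
2022-02-08T01:45:00 10.0.0.5 GET http://www.timership.com/gh6n/?Xb=QmFzZTY0&0hwt=FooBar 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
URL_RE = re.compile(r"^[a-z]+://([^/:]+)(?::\d+)?(/[^ ?]*)?", re.I)


def config_domain(host):
    """Return the configured domain that `host` equals or is a subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in CONFIG_DOMAINS:
            return candidate
    return None


def parse_line(line):
    """Parse one log line into a record; None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url, _status = m.groups()
    u = URL_RE.match(url)
    if not u:
        return None
    host, path = u.group(1), u.group(2) or "/"
    return {"ts": datetime.fromisoformat(ts), "client": client, "host": host,
            "path": path, "domain": config_domain(host),
            "campaign_uri": path.startswith(f"/{CAMPAIGN_ID}/")}


def find_beaconing(log_text, window=timedelta(minutes=10), min_distinct=3):
    """Flag clients that reach at least `min_distinct` configured domains inside `window`.
    Returns {client: {"domains": [...], "campaign_uri_hits": n}}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["domain"]:
            hits[rec["client"]].append(rec)
    flagged = {}
    for client, recs in hits.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):       # sliding window anchored at each hit
            in_win = [r for r in recs[i:] if r["ts"] - start["ts"] <= window]
            domains = sorted({r["domain"] for r in in_win})
            if len(domains) >= min_distinct:
                flagged[client] = {"domains": domains,
                                   "campaign_uri_hits": sum(r["campaign_uri"] for r in in_win)}
                break
    return flagged


if __name__ == "__main__":
    for client, info in find_beaconing(SAMPLE_LOG).items():
        print(client, info)
```

The distinct-domain threshold is the part worth tuning: it is what separates a beaconing host from a user who happened to visit one compromised or parked site that also appears in the decoy list. The campaign-id URI check is kept as a supporting field rather than a hard filter, since the decoy list alone is enough to raise the alert.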
Signatures
-
Xloader Payload (3 IoCs)
Memory regions matching the xloader YARA rule:
- behavioral2/memory/1284-132-0x0000000000400000-0x0000000000428000-memory.dmp
- behavioral2/memory/1284-134-0x0000000000400000-0x0000000000428000-memory.dmp
- behavioral2/memory/1680-138-0x00000000001B0000-0x00000000001D8000-memory.dmp
Both regions are 0x28000 bytes (160KB): the unpacked payload sits at the image base of the hollowed copy of the sample (PID 1284) and again inside cmstp.exe (PID 1680).
-
Loads dropped DLL (2 IoCs)
- PID 3772 2021_036,pdf.exe (2 loads, matching the two dropped DLLs listed under Downloads)
-
Suspicious use of SetThreadContext (3 IoCs)
- PID 3772 2021_036,pdf.exe set thread context of PID 1284 2021_036,pdf.exe
- PID 1284 2021_036,pdf.exe set thread context of PID 2328 Explorer.EXE
- PID 1680 cmstp.exe set thread context of PID 2328 Explorer.EXE
This is the XLoader injection chain. The NSIS loader (3772) starts a suspended copy of itself (1284), overwrites its image and resumes it; the hollowed copy injects into Explorer (2328); Explorer is made to launch a 32-bit system binary, here C:\Windows\SysWOW64\cmstp.exe (1680), which is injected in turn and carries the payload from then on, and which also deletes the original file through cmd.exe /c del (4060), as the process tree below shows.
-
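The chain in these three entries, together with the WriteProcessMemory entries further down, can be reconstructed mechanically from the report's own event strings rather than read off by hand. The script below is an added example, not code from the sandbox or from the report: its event list is constructed from the SetThreadContext and WriteProcessMemory lines on this page (kept in the sandbox's "PID <src> <verb> <dst> <src> <src image> <dst image>" form so real report text can be pasted in), and the labels it assigns, such as "self-hollowing" and "spawn", are the interpretation given above, not sandbox output.

```python
import re

# Constructed from the SetThreadContext and WriteProcessMemory entries in this report.
SAMPLE_EVENTS = [
    "PID 3772 set thread context of 1284 3772 2021_036,pdf.exe 2021_036,pdf.exe",
    "PID 1284 set thread context of 2328 1284 2021_036,pdf.exe Explorer.EXE",
    "PID 1680 set thread context of 2328 1680 cmstp.exe Explorer.EXE",
    *(["PID 3772 wrote to memory of 1284 3772 2021_036,pdf.exe 2021_036,pdf.exe"] * 4),
    *(["PID 2328 wrote to memory of 1680 2328 Explorer.EXE cmstp.exe"] * 3),
    *(["PID 1680 wrote to memory of 4060 1680 cmstp.exe cmd.exe"] * 3),
]

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_events(lines):
    """Aggregate events into edges keyed by (source PID, target PID)."""
    edges = {}
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not an injection event; ignore
        key = (int(m["src"]), int(m["dst"]))
        edge = edges.setdefault(key, {"src_img": m["src_img"], "dst_img": m["dst_img"],
                                      "writes": 0, "setctx": 0})
        if m["verb"].startswith("wrote"):
            edge["writes"] += 1
        else:
            edge["setctx"] += 1
    return edges


def classify(edges):
    """Label each edge. A thread-context change in another process is the injection
    marker; a few memory writes with no context change is what a parent does to a
    child it has just created, so that edge is labelled a spawn (interpretation,
    not a sandbox verdict)."""
    findings = []
    for (src, dst), e in sorted(edges.items()):
        if e["setctx"] == 0:
            label = "spawn (writes only, no thread context change)"
        elif e["src_img"].lower() == e["dst_img"].lower():
            label = "self-hollowing (suspended copy of own image overwritten, then resumed)"
        elif e["dst_img"].lower() == "explorer.exe":
            label = "injection into Explorer"
        else:
            label = "injection"
        findings.append(((src, e["src_img"]), (dst, e["dst_img"]), label))
    return findings


def injection_chain(edges, root_pid):
    """Follow thread-context edges outward from the submitted sample's PID."""
    chain, seen, cur = [root_pid], {root_pid}, root_pid
    while True:
        nxt = sorted(dst for (src, dst), e in edges.items()
                     if src == cur and e["setctx"] and dst not in seen)
        if not nxt:
            return chain
        cur = nxt[0]
        seen.add(cur)
        chain.append(cur)


def injectors_of(edges, image):
    """PIDs that changed the thread context of a process running `image`."""
    return sorted({src for (src, dst), e in edges.items()
                   if e["setctx"] and e["dst_img"].lower() == image.lower()})


if __name__ == "__main__":
    edges = parse_events(SAMPLE_EVENTS)
    for (src, si), (dst, di), label in classify(edges):
        print(f"{src} {si} -> {dst} {di}: {label}")
    print("chain:", " -> ".join(map(str, injection_chain(edges, 3772))))
    print("Explorer.EXE injected by:", injectors_of(edges, "Explorer.EXE"))
```

Run against this report the classifier separates the four writes plus context change into 1284 (hollowing) from the three writes into cmstp.exe and cmd.exe (plain process creation), and shows that the two injections into Explorer carry no WriteProcessMemory at all, which matches the MapViewOfSection signature below: the payload is mapped into Explorer as a section rather than written byte by byte.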
Drops file in Windows directory (1 IoC)
- svchost.exe: file opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat
This is Delivery Optimization housekeeping by the NetworkService svchost instance (PID 2076), not activity of the sample.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches the note "likely ransomware behaviour" to this signature generically; nothing else in this report (no mass file writes, no dropped note) supports that reading, and XLoader is an information stealer, so the drive enumeration here is better read as reconnaissance of attached media than as preparation for encryption.
-
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- MusNotifyIcon.exe: key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- MusNotifyIcon.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
The only process doing this is MusNotifyIcon.exe (PID 2780), a Windows Update notification component that is not part of the infection chain, so the hit is background noise rather than sandbox evasion by the sample.
-
Modifies data under HKEY_USERS (47 IoCs)
All entries are written by svchost.exe (the NetworkService instance, PID 2076) in the S-1-5-20 hive under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\. This is Delivery Optimization bookkeeping and is unrelated to the sample. Paths below are relative to that key:
- Key created: Usage
- Set value (int): Usage\DownloadMonthlyCacheHostBytes = "0"
- Set value (int): Usage\CacheSizeBytes = "0"
- Set value (int): Usage\UplinkUsageBps = "0"
- Set value (int): Usage\UploadCount = "0"
- Set value (int): Usage\InternetConnectionCount = "0"
- Set value (int): Usage\FrDownloadRatePct = "90"
- Set value (int): Usage\BkDownloadRatePct = "45"
- Set value (int): Usage\MemoryUsageKB = "4068"
- Set value (int): Usage\MemoryUsageKB = "3928"
- Set value (int): Usage\DownloadMonthlyInternetBytes = "0"
- Set value (int): Usage\DownloadMonthlyGroupBytes = "0"
- Set value (int): Usage\DownloadMonthlyRateBkCnt = "0"
- Set value (int): Usage\LinkLocalConnectionCount = "0"
- Set value (int): Usage\DownlinkBps = "0"
- Set value (int): Usage\UploadRatePct = "100"
- Set value (int): Usage\LANConnectionCount = "0"
- Set value (int): Config\DownloadMode_BackCompat = "1"
- Set value (int): Usage\UploadMonthlyInternetBytes = "0"
- Set value (int): Usage\DownloadMonthlyRateBkBps = "0"
- Set value (int): Usage\DownloadMonthlyRateFrCnt = "0"
- Set value (str): Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"
- Set value (str): Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
- Key created: Config
- Set value (int): Usage\PriorityDownloadCount = "0"
- Set value (int): Usage\PriorityDownloadPendingCount = "0"
- Set value (int): Usage\NormalDownloadCount = "0"
- Set value (str): Usage\CPUpct = "0.006579"
- Set value (int): Usage\NormalDownloadPendingCount = "0"
- Set value (int): Config\DODownloadMode = "1"
- Set value (int): Usage\UploadMonthlyLanBytes = "0"
- Set value (int): Usage\DownloadMonthlyRateFrBps = "0"
- Set value (int): Usage\SwarmCount = "1"
- Set value (int): Usage\CDNConnectionCount = "0"
- Set value (int): Usage\DownlinkUsageBps = "0"
- Set value (str): Usage\CPUpct = "3.448225"
- Key created: (DeliveryOptimization root key)
- Set value (int): Usage\DownloadMonthlyLanBytes = "0"
- Set value (int): Usage\DownloadMonthlyLinkLocalBytes = "0"
- Set value (int): Usage\MonthID = "2"
- Set value (int): Config\KVFileExpirationTime = "132889485244051979"
- Set value (int): Usage\UplinkBps = "0"
- Key created: Settings
- Set value (int): Usage\DownloadMonthlyCdnBytes = "0"
- Set value (int): Usage\PeerInfoCount = "0"
- Set value (int): Usage\GroupConnectionCount = "0"
- Set value (int): Usage\MonthlyUploadRestriction = "0"
-
Suspicious behavior: EnumeratesProcesses (56 IoCs)
- PID 3772 2021_036,pdf.exe: 8
- PID 1284 2021_036,pdf.exe: 4
- PID 1680 cmstp.exe: 44
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 2328 Explorer.EXE
Explorer is the process that both 1284 and 1680 injected into, so the repeated foreground-window polling is consistent with injected XLoader code tracking user activity rather than with Explorer's own behaviour.
-
Suspicious behavior: MapViewOfSection (6 IoCs)
- PID 3772 2021_036,pdf.exe: 1
- PID 1284 2021_036,pdf.exe: 3
- PID 1680 cmstp.exe: 2
-
Suspicious use of AdjustPrivilegeToken (4 IoCs)
- PID 1284 2021_036,pdf.exe: SeDebugPrivilege
- PID 1680 cmstp.exe: SeDebugPrivilege
- PID 2328 Explorer.EXE: SeShutdownPrivilege
- PID 2328 Explorer.EXE: SeCreatePagefilePrivilege
The two SeDebugPrivilege requests come from the two processes that go on to inject into Explorer; enabling it before opening other processes is the usual preparation for injection. Explorer's shutdown and pagefile privileges are part of its normal operation.
-
Suspicious use of WriteProcessMemory (10 IoCs)
- PID 3772 2021_036,pdf.exe wrote to memory of PID 1284 2021_036,pdf.exe (4 times)
- PID 2328 Explorer.EXE wrote to memory of PID 1680 cmstp.exe (3 times)
- PID 1680 cmstp.exe wrote to memory of PID 4060 cmd.exe (3 times)
The four writes into the suspended copy (1284), together with the SetThreadContext call above, are the hollowing step. The three writes from Explorer.EXE into cmstp.exe and from cmstp.exe into cmd.exe are the pattern of a parent initialising a child it has just created. No WriteProcessMemory toward Explorer appears at all; with the MapViewOfSection hits above, that points to section mapping rather than direct writes for the Explorer injections.
Processes
-
C:\Windows\Explorer.EXE (PID 2328)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\2021_036,pdf.exe (PID 3772)
    command line: "C:\Users\Admin\AppData\Local\Temp\2021_036,pdf.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\2021_036,pdf.exe (PID 1284)
      command line: "C:\Users\Admin\AppData\Local\Temp\2021_036,pdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmstp.exe (PID 1680)
    command line: "C:\Windows\SysWOW64\cmstp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 4060)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\2021_036,pdf.exe"
-
C:\Windows\system32\MusNotifyIcon.exe (PID 2780)
  command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
-
C:\Windows\System32\svchost.exe (PID 2076)
  command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Isdjek.dll
- MD5: 7183a8b8bb7e8b4712ffa8720476909c
- SHA1: 0819caf4c801c7877832442b47d6149143e1ebc4
- SHA256: 9d254261d58e3d155775c785039ecc7afa053c1e0b1d7eed2ff203101da48ddc
- SHA512: 21e7242f7f80d390a1f930594df78797340d8178a90da59ed9f0ee78f9b7b9cac0bc379637b25d5ca059fe0f2ff26b1e40926fb5597da4fe23dcbbb5b2ab254e
-
C:\Users\Admin\AppData\Local\Temp\nstD3A5.tmp\System.dll
- MD5: fccff8cb7a1067e23fd2e2b63971a8e1
- SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
- SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
- SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
The ns*.tmp\System.dll drop is the NSIS System plugin, which NSIS installers extract to a temporary plugin directory at run time; together with Isdjek.dll it accounts for the two "Loads dropped DLL" events of PID 3772 and identifies the outer layer of the sample as an NSIS-packaged loader.
-
Memory dumps (filesize):
- memory/1284-132-0x0000000000400000-0x0000000000428000-memory.dmp: 160KB
- memory/1284-133-0x00000000005C0000-0x0000000000D6A000-memory.dmp: 7.7MB
- memory/1284-134-0x0000000000400000-0x0000000000428000-memory.dmp: 160KB
- memory/1284-135-0x00000000005B0000-0x00000000005C0000-memory.dmp: 64KB
- memory/1680-137-0x00000000009C0000-0x00000000009D6000-memory.dmp: 88KB
- memory/1680-138-0x00000000001B0000-0x00000000001D8000-memory.dmp: 160KB
- memory/1680-139-0x0000000004350000-0x000000000469A000-memory.dmp: 3.3MB
- memory/1680-140-0x0000000004180000-0x000000000420F000-memory.dmp: 572KB
- memory/2328-136-0x0000000008350000-0x000000000844F000-memory.dmp: 1020KB
- memory/2328-141-0x0000000008450000-0x00000000084FA000-memory.dmp: 680KB
The three 160KB dumps (1284-132, 1284-134 and 1680-138) are the ones that matched the xloader YARA rule under Signatures: the same 0x28000-byte payload image at 0x400000 in the hollowed copy and at 0x1B0000 in cmstp.exe. Those are the dumps to pull for configuration extraction or further static analysis.