Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 08-02-2022 08:05

Static task: static1
Behavioral task: behavioral1
- Sample: e14ed8b967fa04080952f514ffedb3e7.exe
- Resource: win7-en-20211208
General
- Target: e14ed8b967fa04080952f514ffedb3e7.exe
- Size: 241KB
- MD5: e14ed8b967fa04080952f514ffedb3e7
- SHA1: 5b68d7a5e7eda9a258a33c44a654057910807ec9
- SHA256: 872baceca1bd29e5ea4a12884f62464b17abd4508371201fb7f4080e92713d59
- SHA512: 0f9a9a3d934aecedb2b7a4bbb94392ff0690f292665d60b365817a0963e031acd9df7e19c1803ac7998e0ae2cf2e9b2391654781a379c958eea62872872b48e1
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: uar3
Signatures

Xloader Payload (1 IoCs)
- resource: behavioral1/memory/592-56-0x0000000000400000-0x0000000000429000-memory.dmp
  yara_rule: xloader

Loads dropped DLL (1 IoCs)
- pid 1532, process e14ed8b967fa04080952f514ffedb3e7.exe

Suspicious use of SetThreadContext (1 IoCs)
- PID 1532 set thread context of 592 (process 1532 e14ed8b967fa04080952f514ffedb3e7.exe, target process 592 e14ed8b967fa04080952f514ffedb3e7.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoCs)
- pid 592, process e14ed8b967fa04080952f514ffedb3e7.exe

Suspicious use of WriteProcessMemory (7 IoCs)
- PID 1532 wrote to memory of 592 (process 1532 e14ed8b967fa04080952f514ffedb3e7.exe, target process 592 e14ed8b967fa04080952f514ffedb3e7.exe); this identical entry is reported 7 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\e14ed8b967fa04080952f514ffedb3e7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e14ed8b967fa04080952f514ffedb3e7.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. (child) C:\Users\Admin\AppData\Local\Temp\e14ed8b967fa04080952f514ffedb3e7.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\e14ed8b967fa04080952f514ffedb3e7.exe"
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsd3989.tmp\ccmdrcgcfeq.dll
  MD5: 8209136d79c12eff107e73f9903037c9
  SHA1: 5a1796eb1fa9ed63b336bc1abf528fa7fe08ca7b
  SHA256: 4b5a690e7fdfb5da648947ce1ac2054d221ef0edfcc1ee1176771d28e1ebfb4a
  SHA512: ea7fa3ec663a60dfdf472a25a98dc113f220a178787498d1d3096a366c2e041cf9a975435c2f0cccce94b73b4dace02f696971232c27d724595516276abe7802
- memory/592-56-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/592-57-0x0000000000700000-0x0000000000A03000-memory.dmp
  Filesize: 3.0MB
- memory/1532-54-0x00000000766D1000-0x00000000766D3000-memory.dmp
  Filesize: 8KB