Analysis
max time kernel: 173s
max time network: 194s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 08-02-2022 19:54
Static task: static1
Behavioral task: behavioral1
Sample: 38aed2534480c27c816c57ee6a369f87.exe
Resource: win7-en-20211208
General
Target: 38aed2534480c27c816c57ee6a369f87.exe
Size: 489KB
MD5: 38aed2534480c27c816c57ee6a369f87
SHA1: 3a1d97bffba30b52704e8787af93cf1d6a56e16c
SHA256: 0418190aadd19ac9ea51c98d516f178ce5378a5d4354d44a9b49ac814b49325e
SHA512: aa3a23b9ac43b2cde9e29a87067a5729d0246e367f4656fe58be3371bb846d2e2d681fcdd2cbf2e4841513b6f3ff677cff75167aab79cbb003d62da1b614f3fa
Malware Config
Extracted
xloader
2.5
nt3f
Signatures

Xloader Payload (1 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/4568-131-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
Loads dropped DLL (1 IoCs)
Processes: 38aed2534480c27c816c57ee6a369f87.exe
pid | process
3840 | 38aed2534480c27c816c57ee6a369f87.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes: 38aed2534480c27c816c57ee6a369f87.exe
description | pid | process | target process
PID 3840 set thread context of 4568 | 3840 | 38aed2534480c27c816c57ee6a369f87.exe | 38aed2534480c27c816c57ee6a369f87.exe
Drops file in Windows directory (8 IoCs)
Processes: TiWorker.exe, svchost.exe
description | ioc | process
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 38aed2534480c27c816c57ee6a369f87.exe
pid | process
4568 | 38aed2534480c27c816c57ee6a369f87.exe
4568 | 38aed2534480c27c816c57ee6a369f87.exe
Suspicious use of AdjustPrivilegeToken (54 IoCs)
Processes: svchost.exe, TiWorker.exe
description | pid | process
Token: SeShutdownPrivilege | 4148 | svchost.exe
Token: SeCreatePagefilePrivilege | 4148 | svchost.exe
Token: SeShutdownPrivilege | 4148 | svchost.exe
Token: SeCreatePagefilePrivilege | 4148 | svchost.exe
Token: SeShutdownPrivilege | 4148 | svchost.exe
Token: SeCreatePagefilePrivilege | 4148 | svchost.exe
Token: SeSecurityPrivilege | 1284 | TiWorker.exe
Token: SeRestorePrivilege | 1284 | TiWorker.exe
Token: SeBackupPrivilege | 1284 | TiWorker.exe
Token: SeBackupPrivilege | 1284 | TiWorker.exe
Token: SeRestorePrivilege | 1284 | TiWorker.exe
Token: SeSecurityPrivilege | 1284 | TiWorker.exe
Token: SeBackupPrivilege | 1284 | TiWorker.exe
Token: SeRestorePrivilege | 1284 | TiWorker.exe
Token: SeSecurityPrivilege | 1284 | TiWorker.exe
Token: SeBackupPrivilege | 1284 | TiWorker.exe
Token: SeRestorePrivilege | 1284 | TiWorker.exe
Token: SeSecurityPrivilege | 1284 | TiWorker.exe
Token: SeBackupPrivilege | 1284 | TiWorker.exe
Token: SeRestorePrivilege | 1284 | TiWorker.exe
Token: SeSecurityPrivilege | 1284 | TiWorker.exe
Token: SeBackupPrivilege | 1284 | TiWorker.exe
Token: SeRestorePrivilege | 1284 | TiWorker.exe
Token: SeSecurityPrivilege | 1284 | TiWorker.exe
Token: SeBackupPrivilege | 1284 | TiWorker.exe
Token: SeRestorePrivilege | 1284 | TiWorker.exe
Token: SeSecurityPrivilege | 1284 | TiWorker.exe
Token: SeBackupPrivilege | 1284 | TiWorker.exe
Token: SeRestorePrivilege | 1284 | TiWorker.exe
Token: SeSecurityPrivilege | 1284 | TiWorker.exe
Token: SeBackupPrivilege | 1284 | TiWorker.exe
Token: SeRestorePrivilege | 1284 | TiWorker.exe
Token: SeSecurityPrivilege | 1284 | TiWorker.exe
Token: SeBackupPrivilege | 1284 | TiWorker.exe
Token: SeRestorePrivilege | 1284 | TiWorker.exe
Token: SeSecurityPrivilege | 1284 | TiWorker.exe
Token: SeBackupPrivilege | 1284 | TiWorker.exe
Token: SeRestorePrivilege | 1284 | TiWorker.exe
Token: SeSecurityPrivilege | 1284 | TiWorker.exe
Token: SeBackupPrivilege | 1284 | TiWorker.exe
Token: SeRestorePrivilege | 1284 | TiWorker.exe
Token: SeSecurityPrivilege | 1284 | TiWorker.exe
Token: SeBackupPrivilege | 1284 | TiWorker.exe
Token: SeRestorePrivilege | 1284 | TiWorker.exe
Token: SeSecurityPrivilege | 1284 | TiWorker.exe
Token: SeBackupPrivilege | 1284 | TiWorker.exe
Token: SeRestorePrivilege | 1284 | TiWorker.exe
Token: SeSecurityPrivilege | 1284 | TiWorker.exe
Token: SeBackupPrivilege | 1284 | TiWorker.exe
Token: SeRestorePrivilege | 1284 | TiWorker.exe
Token: SeSecurityPrivilege | 1284 | TiWorker.exe
Token: SeBackupPrivilege | 1284 | TiWorker.exe
Token: SeRestorePrivilege | 1284 | TiWorker.exe
Token: SeSecurityPrivilege | 1284 | TiWorker.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 38aed2534480c27c816c57ee6a369f87.exe
description | pid | process | target process
PID 3840 wrote to memory of 4568 | 3840 | 38aed2534480c27c816c57ee6a369f87.exe | 38aed2534480c27c816c57ee6a369f87.exe
PID 3840 wrote to memory of 4568 | 3840 | 38aed2534480c27c816c57ee6a369f87.exe | 38aed2534480c27c816c57ee6a369f87.exe
PID 3840 wrote to memory of 4568 | 3840 | 38aed2534480c27c816c57ee6a369f87.exe | 38aed2534480c27c816c57ee6a369f87.exe
PID 3840 wrote to memory of 4568 | 3840 | 38aed2534480c27c816c57ee6a369f87.exe | 38aed2534480c27c816c57ee6a369f87.exe
PID 3840 wrote to memory of 4568 | 3840 | 38aed2534480c27c816c57ee6a369f87.exe | 38aed2534480c27c816c57ee6a369f87.exe
PID 3840 wrote to memory of 4568 | 3840 | 38aed2534480c27c816c57ee6a369f87.exe | 38aed2534480c27c816c57ee6a369f87.exe
Processes

C:\Users\Admin\AppData\Local\Temp\38aed2534480c27c816c57ee6a369f87.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\38aed2534480c27c816c57ee6a369f87.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\38aed2534480c27c816c57ee6a369f87.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\38aed2534480c27c816c57ee6a369f87.exe"
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Downloads

C:\Users\Admin\AppData\Local\Temp\nsx299B.tmp\qtevjlboywc.dll
  MD5: 7ab1f960243256a5a844b4e6d60572f5
  SHA1: d1d0da605c3f65a1d9e2f60f3ea2eb5aa602d27b
  SHA256: 5255231c384c64a605d5a1c828df7375455ccb844d4ed2519ae9f656c65b007c
  SHA512: 3ce50ab0041d414ebb9056495eec74053f5ef0b448bed6caf039c650f2c42ed97e01aa8ba293a7134195bcab6de12f04dacad904e5d59c58c777e8a8ee5acb5f

memory/4148-133-0x0000024E04F30000-0x0000024E04F40000-memory.dmp
  Filesize: 64KB

memory/4148-134-0x0000024E04F90000-0x0000024E04FA0000-memory.dmp
  Filesize: 64KB

memory/4148-135-0x0000024E07C90000-0x0000024E07C94000-memory.dmp
  Filesize: 16KB

memory/4568-131-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB

memory/4568-132-0x0000000000A50000-0x0000000000D9A000-memory.dmp
  Filesize: 3.3MB