Analysis
  Max time kernel:   155s
  Max time network:  157s
  Platform:          windows10-2004_x64
  Resource:          win10v2004-en-20220113
  Submitted:         11-02-2022 11:28
  Static task:       static1
  Behavioral task:   behavioral1
    Sample:          ada88465652140cfa9ae8955370fc40f.exe
    Resource:        win7-en-20211208
  Note: the memory dumps and PIDs in the sections below are tagged behavioral2, and the TiWorker.exe path in the process tree carries build 10.0.19041.1220, so the behavioural data shown here comes from the windows10-2004_x64 run listed at the top, not from the win7 task.
General
  Target:  ada88465652140cfa9ae8955370fc40f.exe
  Size:    656KB
  MD5:     ada88465652140cfa9ae8955370fc40f
  SHA1:    e13c0564f3662230c11537366d1568c5c3825513
  SHA256:  6e6e18a85c523bfffd1b5293b978832f7387fda9b9eee87d3d8e98666fe020c9
  SHA512:  2e288e1d465c0babe87f52417dea9822dafe0aa21448468c2a38c1d72e9b933ed38b06a1cb1a0ea34ac9100b8faa9603117f01697c22c0ab25156787cb8ca51f
Malware Config
Extracted
  Family:       xloader
  Version:      2.5
  Campaign ID:  w6ot
  Domains (65 entries):
  Caveat: an XLoader/FormBook configuration embeds one live C2 domain among a set of decoys, and the decoys are usually unrelated, legitimately registered sites. A match against this list therefore means "on this sample's domain list", not "confirmed C2"; block or alert on it with that in mind rather than treating all 65 entries as malicious infrastructure.
zerodawnprime.com
chunhejingming.com
estrellafiamma.biz
meetbotique.com
westernghatsstudyabroad.com
madysenlenihancoaching.com
c2batlrjm05uzzjnamm8627.com
sasamamai.com
softcherry.club
iputtbetter.store
sointuboete.quest
mahadevwardrobe.online
goedkope-ladegeleiders.online
g3taquotea.info
987vna.club
justdodge.net
b95202.com
dwabiegunyfotografii.com
entrustqlxorx.online
busineschatcom.com
roseevision.com
xn--trigendatynohjaus-8zb.com
aplintec.com
ormetaverse.com
plick-click.com
esd66.com
thgn6.xyz
blazenest.com
monosemic.com
simplesbrand.com
heritagehousehotels.com
cialisactivesupers.com
scottatcomma.com
sgadvocats.com
fuqotechs.xyz
immets.com
middenhavendambreskens.com
fountainsmilford.online
heroesjourneynft.com
dynamo-coaching.com
rinconmadera.com
66p19.xyz
growwgrowth.biz
everydaymagic.kiwi
woruke.online
flamingorattan.com
xn--oprationmyopie-aix-cwb.com
supplementstoreryp.com
shadyoakpress.com
caraygesa.com
dochoismart.com
fl0ki.xyz
khoashop.com
lubi-med.store
carlym.com
modern-elementz.com
blksixtysix.com
ecritcompleanno.com
sharaleesvintageflames.com
merzo.store
lavishlifeplanner.com
castmomo.com
theconflictpost.com
767841.com
gas-fire-distributors.xyz
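As an added example (not part of the sandbox report), the following Python turns the extracted domain list into a DNS-log matcher that does proper suffix matching (so "notzerodawnprime.com" does not match "zerodawnprime.com") and renders the two punycode entries as Unicode so an analyst can see the IDN a user would have seen. The domain subset comes from the list above; the log line format, the resolver and client addresses, and the log lines themselves are constructed for this example.

```python
"""Match DNS logs against the domain list extracted from this XLoader sample.

Added example, not part of the sandbox report. The domains are a subset of
the report's Malware Config list; the log format and log lines are
constructed for this example.
"""
import re

# Subset of the report's extracted list (constructed selection; the full
# list has 65 entries, see the Malware Config section).
XLOADER_DOMAINS = [
    "zerodawnprime.com",
    "chunhejingming.com",
    "c2batlrjm05uzzjnamm8627.com",
    "xn--trigendatynohjaus-8zb.com",
    "xn--oprationmyopie-aix-cwb.com",
    "fl0ki.xyz",
    "gas-fire-distributors.xyz",
]

# Constructed DNS log lines: "<timestamp> <resolver> <client> query <type> <name>".
DNS_LOG = """\
2022-02-11T11:30:02Z dns01 10.0.0.15 query A www.zerodawnprime.com
2022-02-11T11:30:03Z dns01 10.0.0.15 query A www.microsoft.com
2022-02-11T11:30:04Z dns01 10.0.0.15 query A XN--OPRATIONMYOPIE-AIX-CWB.com.
2022-02-11T11:30:05Z dns01 10.0.0.22 query AAAA notzerodawnprime.com
"""

LOG_RE = re.compile(r"^\S+ \S+ (?P<client>\S+) query (?:A|AAAA) (?P<name>\S+)$")


def normalise(host):
    """Lower-case and strip a trailing dot so suffix matching is exact."""
    return host.rstrip(".").lower()


def to_unicode(domain):
    """Decode xn-- (punycode) labels so an analyst sees the IDN as a user would."""
    return normalise(domain).encode("ascii").decode("idna")


def watchlisted(host, watchlist):
    """Return the watchlist entry that host equals or is a subdomain of, else None."""
    host = normalise(host)
    for entry in watchlist:
        entry = normalise(entry)
        # Require a label boundary: a bare substring test would match
        # 'notzerodawnprime.com' against 'zerodawnprime.com'.
        if host == entry or host.endswith("." + entry):
            return entry
    return None


def scan_dns_log(log_text, watchlist):
    """Return (client, queried name, matched entry, entry as Unicode) per hit.

    A hit means the name is on this sample's list; it may be the live C2 or
    one of the decoys, so triage it rather than treating it as confirmed C2.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = watchlisted(m["name"], watchlist)
        if entry:
            hits.append((m["client"], normalise(m["name"]), entry, to_unicode(entry)))
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(DNS_LOG, XLOADER_DOMAINS):
        print(hit)
```

Run against the constructed log, the scan reports the www.zerodawnprime.com lookup and the upper-cased, trailing-dot punycode lookup, and ignores both www.microsoft.com and the look-alike notzerodawnprime.com.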
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)  (fired twice)
  Note: the FormBook rule name is expected here. XLoader is the rebranded successor of FormBook, so Emerging Threats' FormBook C2 check-in signatures firing on an XLoader sample is normal and does not indicate a misidentification.
Xloader Payload (2 IoCs)
  Resource                                                                        YARA rule
  behavioral2/memory/1428-135-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
  behavioral2/memory/4256-146-0x0000000000F10000-0x0000000000F39000-memory.dmp   xloader
  Note: both regions are 0x29000 bytes, i.e. the same unpacked XLoader image, first in the hollowed dropped binary (PID 1428, xcsjhnbx.exe, mapped at its default image base 0x400000) and then in wscript.exe (PID 4256), the process the injected Explorer spawns to host the payload.
Executes dropped EXE (2 IoCs)
  PID   Process
  1524  xcsjhnbx.exe
  1428  xcsjhnbx.exe
Suspicious use of SetThreadContext (3 IoCs)
  Source PID  Source process  Target PID  Target process
  1524        xcsjhnbx.exe    1428        xcsjhnbx.exe
  1428        xcsjhnbx.exe    2600        Explorer.EXE
  4256        wscript.exe     2600        Explorer.EXE
  Note: the first entry is the dropped binary re-launching itself and replacing the child's thread context (process hollowing of its own image); the second and third are cross-process injection into the desktop Explorer.EXE from the hollowed child and again from wscript.exe.
Drops file in Windows directory (8 IoCs)
  File opened for modification                                 Process
  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb      svchost.exe
  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm      svchost.exe
  C:\Windows\SoftwareDistribution\ReportingEvents.log          svchost.exe
  C:\Windows\Logs\CBS\CBS.log                                  TiWorker.exe
  C:\Windows\WinSxS\pending.xml                                TiWorker.exe
  C:\Windows\WindowsUpdate.log                                 svchost.exe
  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk       svchost.exe
  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log       svchost.exe
  Note: every path here belongs to Windows Update (SoftwareDistribution, WindowsUpdate.log) or component servicing (CBS.log, WinSxS\pending.xml), written by the wuauserv svchost.exe (PID 3176) and TiWorker.exe (PID 4236). This is background OS activity in the sandbox, not behaviour of the sample.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: the second sentence is the sandbox's generic description for this signature, not a finding about this sample. Nothing else in the report (no file encryption, no mass file writes, no ransom note) supports a ransomware reading; XLoader is an information stealer, and drive enumeration on its own is not evidence of ransomware.
Suspicious behavior: EnumeratesProcesses (62 IoCs)
  PID   Process        Entries
  1428  xcsjhnbx.exe   4
  4256  wscript.exe    58 (all remaining entries of the 62)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID   Process
  2600  Explorer.EXE
Suspicious behavior: MapViewOfSection (5 IoCs)
  PID   Process        Entries
  1428  xcsjhnbx.exe   3
  4256  wscript.exe    2
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID   Process        Token privilege(s)                                              Entries
  1428  xcsjhnbx.exe   SeDebugPrivilege                                                1
  3176  svchost.exe    SeShutdownPrivilege, SeCreatePagefilePrivilege (alternating)    6
  4256  wscript.exe    SeDebugPrivilege                                                1
  4236  TiWorker.exe   SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege (cycling)   56 (all remaining entries)
  Note: the two SeDebugPrivilege entries are the sample's (first in the hollowed xcsjhnbx.exe, then in wscript.exe) and are what it needs to open and write other processes. The svchost.exe and TiWorker.exe entries are the Windows Update and servicing-stack privileges of the background OS processes listed under "Drops file in Windows directory".
Suspicious use of WriteProcessMemory (15 IoCs)
  Source PID  Source process                         Target PID  Target process   Entries
  4592        ada88465652140cfa9ae8955370fc40f.exe   1524        xcsjhnbx.exe     3
  1524        xcsjhnbx.exe                           1428        xcsjhnbx.exe     6
  2600        Explorer.EXE                           4256        wscript.exe      3
  4256        wscript.exe                            320         cmd.exe          3
Processes
(indentation follows the parent/child depth of the original tree; PIDs match the signature tables above)

C:\Windows\Explorer.EXE   PID 2600
  Suspicious behavior: GetForegroundWindowSpam; Suspicious use of WriteProcessMemory
  |
  +-- "C:\Users\Admin\AppData\Local\Temp\ada88465652140cfa9ae8955370fc40f.exe"   PID 4592
  |     Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Users\Admin\AppData\Local\Temp\xcsjhnbx.exe C:\Users\Admin\AppData\Local\Temp\klsqys   PID 1524
  |           Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  |           |
  |           +-- C:\Users\Admin\AppData\Local\Temp\xcsjhnbx.exe C:\Users\Admin\AppData\Local\Temp\klsqys   PID 1428
  |                 Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken
  |
  +-- "C:\Windows\SysWOW64\wscript.exe"   PID 4256
        Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\xcsjhnbx.exe"   PID 320

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv   PID 3176
  Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding   PID 4236
  Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken

Notes on the tree:
  - wscript.exe (PID 4256) is a child of Explorer.EXE, not of the sample: the hollowed xcsjhnbx.exe (PID 1428) injected into Explorer (SetThreadContext 1428 -> 2600), and the injected Explorer then launched wscript.exe and wrote the payload into it (WriteProcessMemory 2600 -> 4256). The XLoader YARA hit on the 4256 memory dump confirms wscript.exe is the final payload host.
  - wscript.exe receives no script argument; it is being used as a hollowed host process, and its cmd.exe child deletes the dropped xcsjhnbx.exe so the unpacked second stage is no longer on disk.
  - The wuauserv svchost.exe and TiWorker.exe (the servicing-stack worker, started from its own WinSxS path with -Embedding) are Windows Update and component-servicing background activity of the sandbox, not part of the infection chain; their signatures are all on Windows Update and CBS files.
Network
(no entries in this export)
MITRE ATT&CK Enterprise v6
(no entries in this export)
Downloads
  MD5:     74894acf2f92497a4112350086628a69
  SHA1:    d89bbaa9815a9dab1bb78b9caa0e59102af14007
  SHA256:  ed3cd1384a99d8bf6689d7da1da1caeec9aca71f969da688bbe8c4207128a813
  SHA512:  cdd4452e2b23be76d3fbebd1433d59142a5559bdc4aa34dd9c173251f98da02ccbfa9e9319a2ada9b58dcbce5c470edbf75a25f0cf5b13eb071b758befb6573c

  MD5:     6f9be1ba8b37123e0fac76fa9efab260
  SHA1:    8eedb1159c8b44333a9d46502405458ed798bce6
  SHA256:  59c3e8cf49539188344653ce44a43b1138b27fd31ad375bb90f87a41a73abd67
  SHA512:  c999becfaf06c51e44f63b752d8e7bc0496d8e24233a858af016234dd0357e8d4c90d78ffb9b49f6e4849480bb4215f19f0aa835e527fd5db35ce97fd6876e9e

  MD5:     faac8659b70789bbc4d0bf78dc566fad
  SHA1:    ffa98396d0a61efa1ed7213b74c2c8e05a97c40f
  SHA256:  2a53b351cb91b40c76c2cf95f7cd43650b355fbf77bbe9e249c136367181140b
  SHA512:  46e62ba555f1eae412f6a304d013897699412d8555137812de24928a236c49f6e4c33096499d1824c68097d9cc88853c786c2afd6ad6dbe34ab3acf0d81b3049
  (this entry appears three times in the source report with identical hashes; listed once here)