Analysis
  max time kernel: 150s
  max time network: 155s
  platform: windows7_x64
  resource: win7-en-20211208
  submitted: 12-02-2022 10:11

Static task: static1
Behavioral task: behavioral1
  Sample: win32.exe
  Resource: win7-en-20211208

General
  Target: win32.exe
  Size: 656KB
  MD5: ada88465652140cfa9ae8955370fc40f
  SHA1: e13c0564f3662230c11537366d1568c5c3825513
  SHA256: 6e6e18a85c523bfffd1b5293b978832f7387fda9b9eee87d3d8e98666fe020c9
  SHA512: 2e288e1d465c0babe87f52417dea9822dafe0aa21448468c2a38c1d72e9b933ed38b06a1cb1a0ea34ac9100b8faa9603117f01697c22c0ab25156787cb8ca51f
Malware Config
  Extracted
  Family: xloader
  Version: 2.5
  Campaign: w6ot
Signatures

- Xloader Payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/484-61-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral1/memory/576-69-0x0000000000080000-0x00000000000A9000-memory.dmp | xloader

- Executes dropped EXE (2 IoCs)
  pid | process
  320 | xcsjhnbx.exe
  484 | xcsjhnbx.exe

- Loads dropped DLL (2 IoCs)
  pid | process
  800 | win32.exe
  320 | xcsjhnbx.exe

- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | process | target process
  PID 320 set thread context of 484 | 320 | xcsjhnbx.exe | xcsjhnbx.exe
  PID 484 set thread context of 1436 | 484 | xcsjhnbx.exe | Explorer.EXE
  PID 576 set thread context of 1436 | 576 | wininit.exe | Explorer.EXE

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid | process
  484 | xcsjhnbx.exe (2 hits)
  576 | wininit.exe (remaining 29 hits)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  1436 | Explorer.EXE

- Suspicious behavior: MapViewOfSection (5 IoCs)
  pid | process
  484 | xcsjhnbx.exe (3 hits)
  576 | wininit.exe (2 hits)

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 484 | xcsjhnbx.exe
  Token: SeDebugPrivilege | 576 | wininit.exe

- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | process
  1436 | Explorer.EXE (2 hits)

- Suspicious use of SendNotifyMessage (2 IoCs)
  pid | process
  1436 | Explorer.EXE (2 hits)

- Suspicious use of WriteProcessMemory (19 IoCs)
  description | pid | process | target process
  PID 800 wrote to memory of 320 | 800 | win32.exe | xcsjhnbx.exe (4 hits)
  PID 320 wrote to memory of 484 | 320 | xcsjhnbx.exe | xcsjhnbx.exe (7 hits)
  PID 1436 wrote to memory of 576 | 1436 | Explorer.EXE | wininit.exe (4 hits)
  PID 576 wrote to memory of 836 | 576 | wininit.exe | cmd.exe (4 hits)
Processes

- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1436
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\win32.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\win32.exe"
    PID: 800
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\xcsjhnbx.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\xcsjhnbx.exe C:\Users\Admin\AppData\Local\Temp\klsqys
      PID: 320
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      - C:\Users\Admin\AppData\Local\Temp\xcsjhnbx.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\xcsjhnbx.exe C:\Users\Admin\AppData\Local\Temp\klsqys
        PID: 484
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\wininit.exe
    Command line: "C:\Windows\SysWOW64\wininit.exe"
    PID: 576
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\xcsjhnbx.exe"
      PID: 836
Network
MITRE ATT&CK Enterprise v6
Downloads

- MD5: 74894acf2f92497a4112350086628a69
  SHA1: d89bbaa9815a9dab1bb78b9caa0e59102af14007
  SHA256: ed3cd1384a99d8bf6689d7da1da1caeec9aca71f969da688bbe8c4207128a813
  SHA512: cdd4452e2b23be76d3fbebd1433d59142a5559bdc4aa34dd9c173251f98da02ccbfa9e9319a2ada9b58dcbce5c470edbf75a25f0cf5b13eb071b758befb6573c

- MD5: 6f9be1ba8b37123e0fac76fa9efab260
  SHA1: 8eedb1159c8b44333a9d46502405458ed798bce6
  SHA256: 59c3e8cf49539188344653ce44a43b1138b27fd31ad375bb90f87a41a73abd67
  SHA512: c999becfaf06c51e44f63b752d8e7bc0496d8e24233a858af016234dd0357e8d4c90d78ffb9b49f6e4849480bb4215f19f0aa835e527fd5db35ce97fd6876e9e

- MD5: faac8659b70789bbc4d0bf78dc566fad
  SHA1: ffa98396d0a61efa1ed7213b74c2c8e05a97c40f
  SHA256: 2a53b351cb91b40c76c2cf95f7cd43650b355fbf77bbe9e249c136367181140b
  SHA512: 46e62ba555f1eae412f6a304d013897699412d8555137812de24928a236c49f6e4c33096499d1824c68097d9cc88853c786c2afd6ad6dbe34ab3acf0d81b3049