Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 16-02-2022 09:28
Static task: static1
Behavioral task: behavioral1
Sample: 918d148a95ceffbf6cf619106cbbc49f.exe
Resource: win7-en-20211208
General
- Target: 918d148a95ceffbf6cf619106cbbc49f.exe
- Size: 456KB
- MD5: 918d148a95ceffbf6cf619106cbbc49f
- SHA1: 32075f31064cbd71e820f9c5a9b1c41e357b17ea
- SHA256: 826837df6dde8385f31f1a25df7ebdf946b9519af3142bfb87d4b9196f3822f1
- SHA512: 25d415e45b326d5db660326124fdc189fb1d17198159197ad2ab953bed979116fd743f49d122a7ef70c9735fdef3dc89893ddebe10b950dc88152d75578f2fb7
Malware Config
Extracted
xloader
2.5
ahc8
192451.com
wwwripostes.net
sirikhalsalaw.com
bitterbaybay.com
stella-scrubs.com
almanecermezcal.com
goodgood.online
translate-now.online
sincerefilm.com
quadrantforensics.com
johnfrenchart.com
plick-click.com
alnileen.com
tghi.xyz
172711.com
maymakita.com
punnyaseva.com
ukash-online.com
sho-yururi-blog.com
hebergement-solidaire.com
civicinfluencers.net
gzhf8888.com
kuleallstar.com
palisadeslodgecondos.com
holyhirschsprungs.com
azalearoseuk.com
jaggllc.com
italianrofrow.xyz
ioewur.xyz
3a5hlv.icu
kitcycle.com
estate.xyz
ankaraescortvip.xyz
richclubsite2001.xyz
kastore.website
515pleasantvalleyway.com
sittlermd.com
mytemple.group
tiny-wagen.com
sharaleesvintageflames.com
mentalesteem.com
sport-newss.online
fbve.space
lovingtruebloodindallas.com
eaglehospitality.biz
roofrepairnow.info
mcrosfts-updata.digital
cimpactinc.com
greatnotleyeast.com
lovely-tics.com
douglas-enterprise.com
dayannalima.online
ksodl.com
rainbowlampro.com
theinteriorsfurniture.com
eidmueller.email
cg020.online
gta6fuzhu.com
cinemaocity.com
hopeitivity.com
savageequipment.biz
groceriesbazaar.com
hempgotas.com
casino-pharaon-play.xyz
ralfrassendnk-login.com
Signatures
-
Xloader Payload 3 IoCs
- resource: behavioral2/memory/396-134-0x0000000000400000-0x0000000000429000-memory.dmp, yara_rule: xloader
- resource: behavioral2/memory/396-144-0x0000000000400000-0x0000000000429000-memory.dmp, yara_rule: xloader
- resource: behavioral2/memory/2812-149-0x00000000007C0000-0x00000000007E9000-memory.dmp, yara_rule: xloader
-
Blocklisted process makes network request 1 IoCs
Processes: cmstp.exe
- flow: 83, pid: 2812, process: cmstp.exe
-
Executes dropped EXE 2 IoCs
Processes: hhdaghixs.exe, hhdaghixs.exe
- pid: 1544, process: hhdaghixs.exe
- pid: 396, process: hhdaghixs.exe
-
Suspicious use of SetThreadContext 4 IoCs
Processes: hhdaghixs.exe, hhdaghixs.exe, cmstp.exe
- description: PID 1544 set thread context of 396, pid: 1544, process: hhdaghixs.exe, target process: hhdaghixs.exe
- description: PID 396 set thread context of 3020, pid: 396, process: hhdaghixs.exe, target process: Explorer.EXE
- description: PID 396 set thread context of 3020, pid: 396, process: hhdaghixs.exe, target process: Explorer.EXE
- description: PID 2812 set thread context of 3020, pid: 2812, process: cmstp.exe, target process: Explorer.EXE
-
Drops file in Program Files directory 1 IoCs
Processes: cmstp.exe
- description: File opened for modification, ioc: C:\Program Files (x86)\Wchnlgtbp\helpz0pp.exe, process: cmstp.exe
-
Drops file in Windows directory 8 IoCs
Processes: TiWorker.exe, svchost.exe
- description: File opened for modification, ioc: C:\Windows\WinSxS\pending.xml, process: TiWorker.exe
- description: File opened for modification, ioc: C:\Windows\WindowsUpdate.log, process: svchost.exe
- description: File opened for modification, ioc: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk, process: svchost.exe
- description: File opened for modification, ioc: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log, process: svchost.exe
- description: File opened for modification, ioc: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb, process: svchost.exe
- description: File opened for modification, ioc: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm, process: svchost.exe
- description: File opened for modification, ioc: C:\Windows\SoftwareDistribution\ReportingEvents.log, process: svchost.exe
- description: File opened for modification, ioc: C:\Windows\Logs\CBS\CBS.log, process: TiWorker.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 2 IoCs
Processes: Explorer.EXE
- description: Key created, ioc: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\, process: Explorer.EXE
- description: Key created, ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\, process: Explorer.EXE
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes: hhdaghixs.exe, cmstp.exe
- pid: 396, process: hhdaghixs.exe (6 entries)
- pid: 2812, process: cmstp.exe (54 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
- pid: 3020, process: Explorer.EXE
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes: hhdaghixs.exe, cmstp.exe
- pid: 396, process: hhdaghixs.exe (4 entries)
- pid: 2812, process: cmstp.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: hhdaghixs.exe, svchost.exe, Explorer.EXE, cmstp.exe, TiWorker.exe
- Token: SeDebugPrivilege, pid: 396, process: hhdaghixs.exe (1 entry)
- Token: SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating, pid: 3176, process: svchost.exe (6 entries)
- Token: SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating, pid: 3020, process: Explorer.EXE (28 entries)
- Token: SeDebugPrivilege, pid: 2812, process: cmstp.exe (1 entry)
- Token: SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, repeating, pid: 3112, process: TiWorker.exe (28 entries)
-
Suspicious use of UnmapMainImage 1 IoCs
Processes: Explorer.EXE
- pid: 3020, process: Explorer.EXE
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes: 918d148a95ceffbf6cf619106cbbc49f.exe, hhdaghixs.exe, Explorer.EXE, cmstp.exe
- description: PID 1608 wrote to memory of 1544, pid: 1608, process: 918d148a95ceffbf6cf619106cbbc49f.exe, target process: hhdaghixs.exe (3 entries)
- description: PID 1544 wrote to memory of 396, pid: 1544, process: hhdaghixs.exe, target process: hhdaghixs.exe (6 entries)
- description: PID 3020 wrote to memory of 2812, pid: 3020, process: Explorer.EXE, target process: cmstp.exe (3 entries)
- description: PID 2812 wrote to memory of 3048, pid: 2812, process: cmstp.exe, target process: cmd.exe (3 entries)
Processes
-
C:\Windows\Explorer.EXE (depth 1)
Command line: C:\Windows\Explorer.EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\918d148a95ceffbf6cf619106cbbc49f.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\918d148a95ceffbf6cf619106cbbc49f.exe"
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\hhdaghixs.exe (depth 3)
Command line: C:\Users\Admin\AppData\Local\Temp\hhdaghixs.exe C:\Users\Admin\AppData\Local\Temp\tuxdcz
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\hhdaghixs.exe (depth 4)
Command line: C:\Users\Admin\AppData\Local\Temp\hhdaghixs.exe C:\Users\Admin\AppData\Local\Temp\tuxdcz
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmstp.exe (depth 2)
Command line: "C:\Windows\SysWOW64\cmstp.exe"
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
Command line: /c del "C:\Users\Admin\AppData\Local\Temp\hhdaghixs.exe"
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (depth 1)
Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\2j798lhbkkt8o
MD5: 5897b68ea51360f25b31986115a60c72
SHA1: 386a004a13238e3b53c3da1c81bd384cde7d2d90
SHA256: dea8c97f4b58274c9570973c711827c5fef1532fed038ca257b9fab11539b6b9
SHA512: 7227d24cc4b94734174ba4a02e7a0121f741b59bcbdca7472ac65eb5ee2b22c9ed197012c9788494a4176b78bfcfaaebd5e2c595395f0f8a539a76d6863461b8
-
C:\Users\Admin\AppData\Local\Temp\hhdaghixs.exe
MD5: 955edc4ecea413644f41bf421dd4a028
SHA1: 2e1d9ed0913b4322dd75fd105797e0db71257348
SHA256: 4223aca1a531e0afa67b04d04cfc5b9669c2be413963ae525204ec0dc607bd5b
SHA512: 953753141654b22c877ab7a383a458d72803ee3437e19ba5f54249b7247e80ce34a318d48d1992e298ee18d8a8204146da26c1ffb91ba200f3e1813dfd003c51
-
C:\Users\Admin\AppData\Local\Temp\tuxdcz
MD5: 492c9af9536eb9f00d2d0624d018a235
SHA1: 07247a0540a7853c1d93a36534f689ac74f3f366
SHA256: 36a9d2e4f8e91485db0499be77931a5cfaf622d55c2ef2b0b22c992d777298a9
SHA512: 1a21f99ff5cbe97a4e819f18d22e97651fc4e5cf0f88ee8a1cb19d51695bb312bf063628afdbf0e24b59aa00143226c6e3fb1a795110dbcfdae6b61c73c39492
-
memory/396-146-0x0000000001400000-0x0000000001411000-memory.dmp
Filesize: 68KB
-
memory/396-144-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize: 164KB
-
memory/396-137-0x00000000018F0000-0x0000000001C3A000-memory.dmp
Filesize: 3.3MB
-
memory/396-139-0x00000000013A0000-0x00000000013B1000-memory.dmp
Filesize: 68KB
-
memory/396-138-0x000000000041D000-0x000000000041E000-memory.dmp
Filesize: 4KB
-
memory/396-134-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize: 164KB
-
memory/396-145-0x000000000041D000-0x000000000041E000-memory.dmp
Filesize: 4KB
-
memory/2812-149-0x00000000007C0000-0x00000000007E9000-memory.dmp
Filesize: 164KB
-
memory/2812-148-0x0000000000570000-0x0000000000586000-memory.dmp
Filesize: 88KB
-
memory/2812-150-0x00000000029F0000-0x0000000002D3A000-memory.dmp
Filesize: 3.3MB
-
memory/2812-151-0x0000000002740000-0x00000000027D0000-memory.dmp
Filesize: 576KB
-
memory/3020-147-0x0000000009240000-0x00000000093AD000-memory.dmp
Filesize: 1.4MB
-
memory/3020-140-0x0000000008A70000-0x0000000008B77000-memory.dmp
Filesize: 1.0MB
-
memory/3020-152-0x000000000AAF0000-0x000000000AC34000-memory.dmp
Filesize: 1.3MB
-
memory/3176-143-0x0000022789600000-0x0000022789604000-memory.dmp
Filesize: 16KB
-
memory/3176-142-0x0000022786F20000-0x0000022786F30000-memory.dmp
Filesize: 64KB
-
memory/3176-141-0x0000022786980000-0x0000022786990000-memory.dmp
Filesize: 64KB