Analysis
- max time kernel: 155s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 17-02-2022 10:59
- Static task: static1

General
- Target: 6e6e18a85c523bfffd1b5293b978832f7387fda9b9eee87d3d8e98666fe020c9.exe
- Size: 656KB
- MD5: ada88465652140cfa9ae8955370fc40f
- SHA1: e13c0564f3662230c11537366d1568c5c3825513
- SHA256: 6e6e18a85c523bfffd1b5293b978832f7387fda9b9eee87d3d8e98666fe020c9
- SHA512: 2e288e1d465c0babe87f52417dea9822dafe0aa21448468c2a38c1d72e9b933ed38b06a1cb1a0ea34ac9100b8faa9603117f01697c22c0ab25156787cb8ca51f
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: w6ot
Signatures

Xloader Payload (3 IoCs)
Processes (yara_rule matches on memory dumps):
- behavioral1/memory/532-134-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
- behavioral1/memory/532-139-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
- behavioral1/memory/4376-143-0x0000000000160000-0x0000000000189000-memory.dmp: xloader

Executes dropped EXE (2 IoCs)
Processes:
- PID 4532 xcsjhnbx.exe
- PID 532 xcsjhnbx.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes:
- PID 4532 xcsjhnbx.exe set thread context of PID 532 xcsjhnbx.exe
- PID 532 xcsjhnbx.exe set thread context of PID 2620 Explorer.EXE
- PID 4376 ipconfig.exe set thread context of PID 2620 Explorer.EXE

Drops file in Windows directory (8 IoCs)
Processes (file opened for modification):
- C:\Windows\WindowsUpdate.log (svchost.exe)
- C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
- C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
- C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
- C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
- C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
- C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
- C:\Windows\WinSxS\pending.xml (TiWorker.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
Processes:
- PID 4376 ipconfig.exe

Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes:
- PID 532 xcsjhnbx.exe (4 entries)
- PID 4376 ipconfig.exe (all remaining entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- PID 2620 Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
- PID 532 xcsjhnbx.exe (3 entries)
- PID 4376 ipconfig.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 532 xcsjhnbx.exe
- Token: SeDebugPrivilege, PID 4376 ipconfig.exe
- Token: SeShutdownPrivilege and SeCreatePagefilePrivilege, PID 1668 svchost.exe (3 alternating pairs, 6 entries)
- Token: SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege, PID 1144 TiWorker.exe (repeated cycles, remaining 56 entries)

Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
- PID 4060 6e6e18a85c523bfffd1b5293b978832f7387fda9b9eee87d3d8e98666fe020c9.exe wrote to memory of PID 4532 xcsjhnbx.exe (3 entries)
- PID 4532 xcsjhnbx.exe wrote to memory of PID 532 xcsjhnbx.exe (6 entries)
- PID 2620 Explorer.EXE wrote to memory of PID 4376 ipconfig.exe (3 entries)
- PID 4376 ipconfig.exe wrote to memory of PID 1504 cmd.exe (3 entries)
Processes

1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 2620
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\6e6e18a85c523bfffd1b5293b978832f7387fda9b9eee87d3d8e98666fe020c9.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\6e6e18a85c523bfffd1b5293b978832f7387fda9b9eee87d3d8e98666fe020c9.exe"
      PID: 4060
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\xcsjhnbx.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\xcsjhnbx.exe C:\Users\Admin\AppData\Local\Temp\klsqys
         PID: 4532
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\xcsjhnbx.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\xcsjhnbx.exe C:\Users\Admin\AppData\Local\Temp\klsqys
            PID: 532
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\ipconfig.exe
      Command line: "C:\Windows\SysWOW64\ipconfig.exe"
      PID: 4376
      - Suspicious use of SetThreadContext
      - Gathers network information
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /c del "C:\Users\Admin\AppData\Local\Temp\xcsjhnbx.exe"
         PID: 1504

1. C:\Windows\system32\svchost.exe
   Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
   PID: 1668
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken

1. C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
   Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
   PID: 1144
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads