Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 19-02-2022 23:48
- Static task: static1
- Behavioral task: behavioral1
- Sample: 68521717.exe
- Resource: win7-en-20211208
General
- Target: 68521717.exe
- Size: 291KB
- MD5: c3e495a5457d35b55ebb9a6d69b69f40
- SHA1: 270dcc86f4d1c7765380fc3920c73893a34e7633
- SHA256: 3cba15742d927df8dacc3b41005dfa1f8e66fbae71135782befd3e55d5aceeae
- SHA512: 17922f514c2b674c9e2a3db713a84eeb7237fd9b590ac24ff5463de4365853b5843cc114ac7fede237c2fce533cf96e67a87b0b998a2fd2569e7873dcec64fc8
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: uar3
- Domains: 65 entries
Signatures

Xloader Payload (2 IoCs)
  resource: behavioral2/memory/5036-134-0x0000000000400000-0x0000000000429000-memory.dmp  yara_rule: xloader
  resource: behavioral2/memory/1176-143-0x0000000000E90000-0x0000000000EB9000-memory.dmp  yara_rule: xloader

Executes dropped EXE (2 IoCs)
  pid 1480  ieyjyt.exe
  pid 5036  ieyjyt.exe

Suspicious use of SetThreadContext (3 IoCs)
  PID 1480 (ieyjyt.exe) set thread context of 5036 (ieyjyt.exe)
  PID 5036 (ieyjyt.exe) set thread context of 3044 (Explorer.EXE)
  PID 1176 (rundll32.exe) set thread context of 3044 (Explorer.EXE)

Drops file in Windows directory (6 IoCs)
  File opened for modification: C:\Windows\WindowsUpdate.log  (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log  (svchost.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (62 IoCs)
  pid 5036  ieyjyt.exe    (4 entries)
  pid 1176  rundll32.exe  (58 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 3044  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid 5036  ieyjyt.exe    (3 entries)
  pid 1176  rundll32.exe  (2 entries)

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Token: SeDebugPrivilege           pid 5036  ieyjyt.exe
  Token: SeDebugPrivilege           pid 1176  rundll32.exe
  Token: SeShutdownPrivilege        pid 4684  svchost.exe  (3 entries)
  Token: SeCreatePagefilePrivilege  pid 4684  svchost.exe  (3 entries)

Suspicious use of WriteProcessMemory (15 IoCs)
  PID 4784 (68521717.exe) wrote to memory of 1480 (ieyjyt.exe)    (3 entries)
  PID 1480 (ieyjyt.exe) wrote to memory of 5036 (ieyjyt.exe)      (6 entries)
  PID 3044 (Explorer.EXE) wrote to memory of 1176 (rundll32.exe)  (3 entries)
  PID 1176 (rundll32.exe) wrote to memory of 3468 (cmd.exe)       (3 entries)
Processes (indentation shows the parent/child relationship; the number in brackets is the tree depth)

[1] C:\Windows\Explorer.EXE
    cmd: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\68521717.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\68521717.exe"
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\ieyjyt.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\ieyjyt.exe C:\Users\Admin\AppData\Local\Temp\eixmavz
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\ieyjyt.exe
                cmd: C:\Users\Admin\AppData\Local\Temp\ieyjyt.exe C:\Users\Admin\AppData\Local\Temp\eixmavz
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\autoconv.exe  (8 instances)
        cmd: "C:\Windows\SysWOW64\autoconv.exe"
    [2] C:\Windows\SysWOW64\rundll32.exe
        cmd: "C:\Windows\SysWOW64\rundll32.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            cmd: /c del "C:\Users\Admin\AppData\Local\Temp\ieyjyt.exe"

[1] C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\1kelwizjd26i2b39d
  MD5:    4d8d56bc68ac9d3f0fd07da48fb09d45
  SHA1:   6e613039c39c9054c50bdd1f7add44abbe294d44
  SHA256: 05a3aaa02de0e4dcc8ec953c7f2af4801aa6511667e1ecff9ffc412a9877e508
  SHA512: 4ff8435a7ad4d2624a96707dc80029db7dd6012f193e1213eac3a7a837f443512227cf0630f6a23ddf9132efa84f8fe71f1a4a3e4d75242e066b127379cc6810

C:\Users\Admin\AppData\Local\Temp\eixmavz
  MD5:    a0ea25f18db709ae463effbbdddd822e
  SHA1:   be778031717f4ebbb9d0a6e0e6939a49efa691fc
  SHA256: f8ed3e230b3c978498fada768aa2caea599f530f1c9eccb9701800eff18dd1e6
  SHA512: bd9ea6ba1e80b51173711fec920ef1b507793e56008046cf2ba877d8b0c088d0c99ae414fc4f5d77cfad2d7f118b52dcb2acb9a99fdcc260efd2788bc8a99926

C:\Users\Admin\AppData\Local\Temp\ieyjyt.exe
  MD5:    bc3d93f29a29ac6fc1d17b3875b745ca
  SHA1:   63661516467f1125f025443cda2d55522b580134
  SHA256: 11710934d6922fb486b6d1300536dc30045d77d00238b6b0ff7001fa4c932b92
  SHA512: 6db6759c679ff893046f8270bc0596fb6da6f68addb7f06ce8b066987373a253ed918737266a42a5d90c61f509f34da31ee581a9d748bfb0af2e3302175445f8
Memory dumps (filesize):
  memory/1176-144-0x0000000002D50000-0x000000000309A000-memory.dmp  3.3MB
  memory/1176-142-0x0000000000740000-0x0000000000754000-memory.dmp  80KB
  memory/1176-145-0x0000000002BB0000-0x0000000002C40000-memory.dmp  576KB
  memory/1176-143-0x0000000000E90000-0x0000000000EB9000-memory.dmp  164KB
  memory/1480-135-0x0000000000A70000-0x0000000000A72000-memory.dmp  8KB
  memory/3044-146-0x00000000080F0000-0x00000000081A8000-memory.dmp  736KB
  memory/3044-141-0x0000000002B70000-0x0000000002C2E000-memory.dmp  760KB
  memory/4684-148-0x000001DC210F0000-0x000001DC21100000-memory.dmp  64KB
  memory/4684-147-0x000001DC209A0000-0x000001DC209B0000-memory.dmp  64KB
  memory/4684-149-0x000001DC23620000-0x000001DC23624000-memory.dmp  16KB
  memory/5036-140-0x00000000015D0000-0x00000000015E1000-memory.dmp  68KB
  memory/5036-138-0x0000000001730000-0x0000000001A7A000-memory.dmp  3.3MB
  memory/5036-139-0x000000000041D000-0x000000000041E000-memory.dmp  4KB
  memory/5036-134-0x0000000000400000-0x0000000000429000-memory.dmp  164KB