Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
02-03-2022 15:01
Static task
static1
General
-
Target
ea928c88deed19528dead0fc786936f6ac102f94905ce1bff6df678b7c560726.exe
-
Size
332KB
-
MD5
8bc5cae30e499dea0d78f85c309be304
-
SHA1
95b3af264ecfec7155002f8ee9bbc46c4946e84f
-
SHA256
ea928c88deed19528dead0fc786936f6ac102f94905ce1bff6df678b7c560726
-
SHA512
d6149bcc0747f00b53a429dbd1605433830d8f2f67d638eb5e4feb41cb43f5029f42ddeb23c369a5000d5b37896ee51cf6f79cbdc23f0848ce0a10d62901de99
Malware Config
-
Extracted
Family    xloader
Version   2.5
Campaign  igwa
C2 domains (65). XLoader configs pad the real C2 with decoy domains and the bot contacts the whole list, so treat every entry as a network IoC but do not assume each domain is attacker-controlled:
listingswithalex.com
funtabse.com
aydenwalling.com
prochal.net
superfoodsnederland.com
moldluck.com
dianekgordon.store
regionalhomescommercial.com
mysecuritymadesimple.com
malwaremastery.com
kodaikeiko.com
jrzg996.com
agricurve.net
songlingjiu.com
virginianundahfishingclub.com
friendschance.com
pastelpresents.com
answertitles.com
survival-hunter.com
nxfddl.com
traditionnevertrend.com
agrovessel.com
unicorm.digital
cucumboy.com
alemdogarimpo.com
laraful.com
hexwaa.com
hanu21st.com
knoycia.com
qishengxing.com
gopipurespices.com
fdkkrfidkdslsieofkld.info
elephantspublications.online
valeriebeijing.com
xn--42cg2czax6ptae6a.com
2shengman.com
sfcshavedice.com
ragworkhouse.com
stardomfrokch.xyz
exoticcenterfold.com
eventosartifice.com
test-order-noren.com
110bao.com
face-pro.online
freedomoff.com
futuresep.com
tremblock.com
chocolat-gillotte.com
speclove.com
ddflsl.com
goodnewsmbc.net
cloudtotaal.com
goapps-auth.com
ouch247max.com
sabra-sd.com
luxuryneverhurt.art
rxvendorpills.online
ludowinners.online
placemyorder.online
skyrim.company
monsterlecturer.com
controle-fiscal.com
phoenixinjurylawyer.online
nanoheadgames.com
toposales.com
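The domain list above, used as an added example (not part of the sandbox report) in a Python script that checks DNS query logs against it. The log format and the log lines are constructed for the demonstration. Names are normalised to lower-case punycode before matching (the list already contains one IDN entry), matches are taken on label boundaries only, and because XLoader works through its whole list while a user browsing to a decoy touches one entry, a client is flagged only after it has resolved several different list entries.

```python
"""Check DNS query logs against the XLoader C2/decoy domain list.

Added example, not part of the sandbox report. The domain list is copied
from the report's Malware Config section; the log format and log lines
are constructed.
"""
import re
from collections import defaultdict

XLOADER_CONFIG_DOMAINS = """
listingswithalex.com funtabse.com aydenwalling.com prochal.net superfoodsnederland.com
moldluck.com dianekgordon.store regionalhomescommercial.com mysecuritymadesimple.com
malwaremastery.com kodaikeiko.com jrzg996.com agricurve.net songlingjiu.com
virginianundahfishingclub.com friendschance.com pastelpresents.com answertitles.com
survival-hunter.com nxfddl.com traditionnevertrend.com agrovessel.com unicorm.digital
cucumboy.com alemdogarimpo.com laraful.com hexwaa.com hanu21st.com knoycia.com
qishengxing.com gopipurespices.com fdkkrfidkdslsieofkld.info elephantspublications.online
valeriebeijing.com xn--42cg2czax6ptae6a.com 2shengman.com sfcshavedice.com ragworkhouse.com
stardomfrokch.xyz exoticcenterfold.com eventosartifice.com test-order-noren.com 110bao.com
face-pro.online freedomoff.com futuresep.com tremblock.com chocolat-gillotte.com speclove.com
ddflsl.com goodnewsmbc.net cloudtotaal.com goapps-auth.com ouch247max.com sabra-sd.com
luxuryneverhurt.art rxvendorpills.online ludowinners.online placemyorder.online skyrim.company
monsterlecturer.com controle-fiscal.com phoenixinjurylawyer.online nanoheadgames.com toposales.com
""".split()


def normalize_domain(name: str) -> str:
    """Canonical form for matching: lower-case, no trailing dot, IDN labels as punycode."""
    name = name.strip().rstrip(".").lower()
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:  # empty or over-long label: keep the lower-cased text
        return name


IOC_DOMAINS = frozenset(normalize_domain(d) for d in XLOADER_CONFIG_DOMAINS)


def matched_ioc(qname: str):
    """Return the list entry that qname equals or sits under (on a label boundary), else None."""
    labels = normalize_domain(qname).split(".")
    for i in range(len(labels) - 1):  # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


# Constructed log format: "<timestamp> <client-ip> query <qtype> <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def scan_dns_log(lines):
    """Return (timestamp, client, qname, ioc) for every query that hits the list."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ioc = matched_ioc(m["qname"])
        if ioc:
            hits.append((m["ts"], m["client"], m["qname"], ioc))
    return hits


def suspicious_clients(hits, min_distinct=2):
    """Clients that resolved at least min_distinct different list entries.

    XLoader contacts the whole list; a person browsing to one decoy does not.
    """
    per_client = defaultdict(set)
    for _ts, client, _qname, ioc in hits:
        per_client[client].add(ioc)
    return sorted(c for c, iocs in per_client.items() if len(iocs) >= min_distinct)


SAMPLE_DNS_LOG = [  # constructed lines, not taken from the report
    "2022-03-02T15:02:11Z 10.0.0.15 query A www.FUNTABSE.com.",
    "2022-03-02T15:02:12Z 10.0.0.15 query A XN--42CG2CZAX6PTAE6A.COM",
    "2022-03-02T15:02:13Z 10.0.0.15 query A login.microsoftonline.com",
    "2022-03-02T15:02:14Z 10.0.0.22 query A notmalwaremastery.com",
    "2022-03-02T15:02:15Z 10.0.0.22 query AAAA goapps-auth.com",
]

if __name__ == "__main__":
    hits = scan_dns_log(SAMPLE_DNS_LOG)
    for hit in hits:
        print("hit", *hit)
    print("clients to triage:", suspicious_clients(hits))
```

On the sample log, `www.FUNTABSE.com.` and the upper-cased punycode name match, `notmalwaremastery.com` does not (no label boundary before `malwaremastery.com`), and only 10.0.0.15 is flagged because it resolved two different list entries.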
Signatures
-
Xloader Payload (2 IoCs)
resource                                                                      yara_rule
behavioral1/memory/4488-134-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral1/memory/3188-142-0x0000000000330000-0x0000000000359000-memory.dmp  xloader
-
Executes dropped EXE (2 IoCs)
pid   process
3804  iizlfx.exe
4488  iizlfx.exe
-
Suspicious use of SetThreadContext (3 IoCs)
description                          pid   process      target process
PID 3804 set thread context of 4488  3804  iizlfx.exe   iizlfx.exe
PID 4488 set thread context of 2060  4488  iizlfx.exe   Explorer.EXE
PID 3188 set thread context of 2060  3188  svchost.exe  Explorer.EXE
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Caveat: that sentence is the sandbox's generic description of the signature, not a finding about this sample. Nothing else in this report (dropped files, process tree, memory regions) points to encryption or a ransom note, and the rest of the trace is the usual XLoader injection chain.
-
Suspicious behavior: EnumeratesProcesses (62 IoCs)
pid   process      events
4488  iizlfx.exe   4
3188  svchost.exe  58
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   process
2060  Explorer.EXE
-
Suspicious behavior: MapViewOfSection (5 IoCs)
pid   process      events
4488  iizlfx.exe   3
3188  svchost.exe  2
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   process
Token: SeDebugPrivilege  4488  iizlfx.exe
Token: SeDebugPrivilege  3188  svchost.exe
-
Suspicious use of WriteProcessMemory (15 IoCs)
description                       pid   process                                                                  target process  events
PID 2800 wrote to memory of 3804  2800  ea928c88deed19528dead0fc786936f6ac102f94905ce1bff6df678b7c560726.exe  iizlfx.exe      3
PID 3804 wrote to memory of 4488  3804  iizlfx.exe                                                               iizlfx.exe      6
PID 2060 wrote to memory of 3188  2060  Explorer.EXE                                                             svchost.exe     3
PID 3188 wrote to memory of 4076  3188  svchost.exe                                                              cmd.exe         3
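An added example (not part of the report) that parses the distinct SetThreadContext and WriteProcessMemory event lines above, collapses them into one edge per source/target PID pair, and walks the injection graph outward from the submitted sample's PID. The technique labels are this example's own reading of the API combinations on each edge, not labels the sandbox assigns.

```python
"""Reconstruct the injection chain from the report's process-memory signatures.

Added example, not part of the sandbox report. The event lines are the
distinct entries from the SetThreadContext and WriteProcessMemory tables;
the technique names are this script's interpretation.
"""
import re
from collections import defaultdict

SIGNATURE_EVENTS = [
    "PID 2800 wrote to memory of 3804 2800 "
    "ea928c88deed19528dead0fc786936f6ac102f94905ce1bff6df678b7c560726.exe iizlfx.exe",
    "PID 3804 wrote to memory of 4488 3804 iizlfx.exe iizlfx.exe",
    "PID 3804 set thread context of 4488 3804 iizlfx.exe iizlfx.exe",
    "PID 4488 set thread context of 2060 4488 iizlfx.exe Explorer.EXE",
    "PID 2060 wrote to memory of 3188 2060 Explorer.EXE svchost.exe",
    "PID 3188 set thread context of 2060 3188 svchost.exe Explorer.EXE",
    "PID 3188 wrote to memory of 4076 3188 svchost.exe cmd.exe",
]

# Sandbox sentence format: "PID <src> <verb> of <dst> <src> <src image> <dst image>"
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<api>wrote to memory|set thread context) of (?P<dst>\d+) "
    r"\d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)
API_NAME = {"wrote to memory": "WriteProcessMemory", "set thread context": "SetThreadContext"}


def parse_events(lines):
    """Collapse event lines into one edge per (source PID, target PID) with the APIs seen."""
    edges = {}
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError("unrecognised event line: " + line)
        key = (int(m["src"]), int(m["dst"]))
        edge = edges.setdefault(
            key, {"src_img": m["src_img"], "dst_img": m["dst_img"], "apis": set()}
        )
        edge["apis"].add(API_NAME[m["api"]])
    return edges


def classify(edge):
    """Label an edge by the API combination recorded on it."""
    same_image = edge["src_img"].lower() == edge["dst_img"].lower()
    apis = edge["apis"]
    if same_image and {"WriteProcessMemory", "SetThreadContext"} <= apis:
        # relaunch of its own image, overwritten, entry thread pointed at the new code
        return "process hollowing"
    if "SetThreadContext" in apis:
        # a thread of an already running process (Explorer here) is redirected; the
        # code reached it by another route (the report also records MapViewOfSection
        # calls from the same processes)
        return "thread hijack"
    # A few writes from a parent into a child it has just created are normal
    # CreateProcess behaviour, so on their own they are weak evidence.
    return "child memory write"


def injection_chain(edges, root_pid):
    """Depth-first walk from root_pid; returns (src, dst, dst image, technique) per edge."""
    by_src = defaultdict(list)
    for src, dst in edges:
        by_src[src].append(dst)
    seen, order, stack = {root_pid}, [], [root_pid]
    while stack:
        src = stack.pop()
        for dst in sorted(by_src[src]):  # deterministic order
            edge = edges[(src, dst)]
            order.append((src, dst, edge["dst_img"], classify(edge)))
            if dst not in seen:
                seen.add(dst)
                stack.append(dst)
    return order


if __name__ == "__main__":
    for src, dst, img, technique in injection_chain(parse_events(SIGNATURE_EVENTS), 2800):
        print(f"{src} -> {dst} ({img}): {technique}")
```

Starting from PID 2800 the walk yields the dropper writing into iizlfx.exe (3804), 3804 hollowing its own relaunch (4488), 4488 hijacking a thread in Explorer.EXE (2060), Explorer writing into the svchost.exe it created (3188), svchost hijacking Explorer a second time, and svchost writing into the cmd.exe (4076) that deletes the dropped binary.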
Processes
-
1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory
   -
   2. C:\Users\Admin\AppData\Local\Temp\ea928c88deed19528dead0fc786936f6ac102f94905ce1bff6df678b7c560726.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\ea928c88deed19528dead0fc786936f6ac102f94905ce1bff6df678b7c560726.exe"
      - Suspicious use of WriteProcessMemory
      -
      3. C:\Users\Admin\AppData\Local\Temp\iizlfx.exe
         command line: C:\Users\Admin\AppData\Local\Temp\iizlfx.exe C:\Users\Admin\AppData\Local\Temp\ibfqtjhg
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         -
         4. C:\Users\Admin\AppData\Local\Temp\iizlfx.exe
            command line: C:\Users\Admin\AppData\Local\Temp\iizlfx.exe C:\Users\Admin\AppData\Local\Temp\ibfqtjhg
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
   -
   2. C:\Windows\SysWOW64\autofmt.exe
      command line: "C:\Windows\SysWOW64\autofmt.exe"
      (launched five times at this level; no signatures fired)
   -
   2. C:\Windows\SysWOW64\svchost.exe
      command line: "C:\Windows\SysWOW64\svchost.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      -
      3. C:\Windows\SysWOW64\cmd.exe
         command line: /c del "C:\Users\Admin\AppData\Local\Temp\iizlfx.exe"

Reading the tree together with the signature tables: the sample (2800) drops and runs iizlfx.exe (3804) with the data file ibfqtjhg as its argument; 3804 relaunches its own image (4488) and hollows it (six writes plus SetThreadContext); 4488 redirects a thread in Explorer.EXE (2060); Explorer, now running injected code, launches SysWOW64 binaries (autofmt.exe five times, svchost.exe once); svchost.exe (3188) carries the xloader YARA match, hijacks Explorer a second time and deletes the dropped iizlfx.exe through cmd.exe (4076). The autofmt.exe instances are not the payload host here, svchost.exe is.
Downloads
-
C:\Users\Admin\AppData\Local\Temp\fc81nqibepxmw1
MD5     296fcc90486bd93b1a6e0593241d1c7f
SHA1    34c54d85fe773bf6068752501e16a5c9227d5bee
SHA256  2a7dd4eaee410720ffc22a511932a3b1a2b13319f77e0085548d63010e73e18e
SHA512  c29c5a7141c84a88db4e890c207a8c5f36987539b68037c82f3256ea6ef6cd679ee643344c0f028cb42c93b4e70ddb965e557dc419be4a06c91752e3157c4464
-
C:\Users\Admin\AppData\Local\Temp\ibfqtjhg
MD5     ad17464f77b0864dea1025b4ca517e28
SHA1    8c0d2d3aea1c36f8dff24ea2467317ad9773ff68
SHA256  a5a41b0b6c1032840a1bc802b29461ef67486a3f36b9d964df10e884ecba825f
SHA512  e57a70fc66e2eddba4cf097d97e91fd1de2358be96f89c50a36c155916bcbba2b45f4e02d25819a84780bef2735a9fc4d1682d3b1793f7487668ef293d78c331
-
C:\Users\Admin\AppData\Local\Temp\iizlfx.exe (recorded three times with identical hashes)
MD5     018adcd630666bff50914157771f6e43
SHA1    40e4d330149f8b86766eac860ce3cc06e01f51ac
SHA256  039e812b1d3a74c11b8f75424072a59733ef54ffbc1afb33c616966205336f2f
SHA512  c2360421eff8f7d5a906690276581e7936f09de0b227b4fed9bda3fc2f261ebb9b5ac5516980bc8ffd60c3d8d3e752a09b246893ebbdd2f46bffddf79971d77f
-
Memory dumps. The two 164KB regions marked below are the ones the xloader YARA rule matched, one in iizlfx.exe (4488) and one in svchost.exe (3188); either is the candidate to dump for the unpacked core.
-
memory/2060-140-0x0000000007E40000-0x0000000007F90000-memory.dmp
Filesize 1.3MB
-
memory/2060-145-0x0000000002F10000-0x0000000002FF1000-memory.dmp
Filesize 900KB
-
memory/3188-141-0x0000000000A00000-0x0000000000A0E000-memory.dmp
Filesize 56KB
-
memory/3188-142-0x0000000000330000-0x0000000000359000-memory.dmp (xloader YARA match)
Filesize 164KB
-
memory/3188-143-0x0000000001000000-0x000000000134A000-memory.dmp
Filesize 3.3MB
-
memory/3188-144-0x0000000000E90000-0x0000000000F20000-memory.dmp
Filesize 576KB
-
memory/4488-137-0x00000000017F0000-0x0000000001B3A000-memory.dmp
Filesize 3.3MB
-
memory/4488-138-0x000000000041D000-0x000000000041E000-memory.dmp
Filesize 4KB
-
memory/4488-139-0x0000000000FE0000-0x0000000000FF1000-memory.dmp
Filesize 68KB
-
memory/4488-134-0x0000000000400000-0x0000000000429000-memory.dmp (xloader YARA match)
Filesize 164KB