Analysis
-
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 07-03-2022 15:32
-
Static task: static1
Behavioral task: behavioral1
Sample: 66fd2bc4d1ec466bcd76e50bbc959b9a794e897345e69305e11aa99d0b0d656d.exe
Resource: win7-20220223-en
General
-
Target: 66fd2bc4d1ec466bcd76e50bbc959b9a794e897345e69305e11aa99d0b0d656d.exe
Size: 357KB
MD5: b99e10d4eb07e4a986ee92bcf444a7bf
SHA1: 470d703ad9ea51844f0577d917f7167cc032887d
SHA256: 66fd2bc4d1ec466bcd76e50bbc959b9a794e897345e69305e11aa99d0b0d656d
SHA512: 4914d79035dffa9ef00dc79ac756957a3cf686af41e414836ae0500ec1a9c5084cb77b1a2c1f7ff203d77b9f7897f8de3b38c1aadb36c68aa92d5900b18096b0
Malware Config
-
Extracted
Family: xloader
Version: 2.5
Campaign: pout
Signatures
-
Xloader Payload 3 IoCs
Processes:
  resource                                                                       yara_rule
  behavioral2/memory/3044-134-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
  behavioral2/memory/3044-138-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
  behavioral2/memory/3588-142-0x00000000005B0000-0x00000000005D9000-memory.dmp   xloader
-
Executes dropped EXE 2 IoCs
Processes:
  pid    process
  3412   nwixhieg.exe
  3044   nwixhieg.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
  description                             pid    process        target process
  PID 3412 set thread context of 3044     3412   nwixhieg.exe   nwixhieg.exe
  PID 3044 set thread context of 2436     3044   nwixhieg.exe   Explorer.EXE
  PID 3588 set thread context of 2436     3588   raserver.exe   Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
  pid    process
  3044   nwixhieg.exe   (first 4 entries)
  3588   raserver.exe   (remaining 56 entries, all identical)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid    process
  2436   Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
  pid    process
  3044   nwixhieg.exe
  3044   nwixhieg.exe
  3044   nwixhieg.exe
  3588   raserver.exe
  3588   raserver.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description                pid    process
  Token: SeDebugPrivilege    3044   nwixhieg.exe
  Token: SeDebugPrivilege    3588   raserver.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
  description                          pid    process                                                                  target process
  PID 220 wrote to memory of 3412      220    66fd2bc4d1ec466bcd76e50bbc959b9a794e897345e69305e11aa99d0b0d656d.exe   nwixhieg.exe
  PID 220 wrote to memory of 3412      220    66fd2bc4d1ec466bcd76e50bbc959b9a794e897345e69305e11aa99d0b0d656d.exe   nwixhieg.exe
  PID 220 wrote to memory of 3412      220    66fd2bc4d1ec466bcd76e50bbc959b9a794e897345e69305e11aa99d0b0d656d.exe   nwixhieg.exe
  PID 3412 wrote to memory of 3044     3412   nwixhieg.exe                                                             nwixhieg.exe
  PID 3412 wrote to memory of 3044     3412   nwixhieg.exe                                                             nwixhieg.exe
  PID 3412 wrote to memory of 3044     3412   nwixhieg.exe                                                             nwixhieg.exe
  PID 3412 wrote to memory of 3044     3412   nwixhieg.exe                                                             nwixhieg.exe
  PID 3412 wrote to memory of 3044     3412   nwixhieg.exe                                                             nwixhieg.exe
  PID 3412 wrote to memory of 3044     3412   nwixhieg.exe                                                             nwixhieg.exe
  PID 2436 wrote to memory of 3588     2436   Explorer.EXE                                                             raserver.exe
  PID 2436 wrote to memory of 3588     2436   Explorer.EXE                                                             raserver.exe
  PID 2436 wrote to memory of 3588     2436   Explorer.EXE                                                             raserver.exe
  PID 3588 wrote to memory of 1224     3588   raserver.exe                                                             cmd.exe
  PID 3588 wrote to memory of 1224     3588   raserver.exe                                                             cmd.exe
  PID 3588 wrote to memory of 1224     3588   raserver.exe                                                             cmd.exe
Processes
-
(1) C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
  (2) C:\Users\Admin\AppData\Local\Temp\66fd2bc4d1ec466bcd76e50bbc959b9a794e897345e69305e11aa99d0b0d656d.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\66fd2bc4d1ec466bcd76e50bbc959b9a794e897345e69305e11aa99d0b0d656d.exe"
      - Suspicious use of WriteProcessMemory
    (3) C:\Users\Admin\AppData\Local\Temp\nwixhieg.exe
        command line: C:\Users\Admin\AppData\Local\Temp\nwixhieg.exe C:\Users\Admin\AppData\Local\Temp\idgcov
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
      (4) C:\Users\Admin\AppData\Local\Temp\nwixhieg.exe
          command line: C:\Users\Admin\AppData\Local\Temp\nwixhieg.exe C:\Users\Admin\AppData\Local\Temp\idgcov
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
  (2) C:\Windows\SysWOW64\autochk.exe
      command line: "C:\Windows\SysWOW64\autochk.exe"
  (2) C:\Windows\SysWOW64\autochk.exe
      command line: "C:\Windows\SysWOW64\autochk.exe"
  (2) C:\Windows\SysWOW64\autochk.exe
      command line: "C:\Windows\SysWOW64\autochk.exe"
  (2) C:\Windows\SysWOW64\autochk.exe
      command line: "C:\Windows\SysWOW64\autochk.exe"
  (2) C:\Windows\SysWOW64\raserver.exe
      command line: "C:\Windows\SysWOW64\raserver.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    (3) C:\Windows\SysWOW64\cmd.exe
        command line: /c del "C:\Users\Admin\AppData\Local\Temp\nwixhieg.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\4mbuzq0rf0rv81
MD5: bec780ab3a86d3885c9872f4d75dbcd5
SHA1: a1122469144444e83c37fb27b69f32835a007379
SHA256: a8447660db41efb0fc4bc2948f31c3b6ef82adf83844ccbb21ec45a37bfafe0d
SHA512: ee210c5b7dac3494d7ed12793fcb292462f9dd190820c7099d233b223b5097b5541fc301cd32101947564a9e5934ff13753722f4d7fad83a503b27eadbe4fc29
-
C:\Users\Admin\AppData\Local\Temp\idgcov
MD5: ef56418270d58e8a8ad6bc84ed05928c
SHA1: d3210c0c1568cc6d67763c628654209cf0ee60be
SHA256: ebb25e646a42bc51c2f6c03f5715a07b0e672256e348b37893e9f6a5a558d06e
SHA512: a92d5b12b82241049cb588de455b214eca739efbb9ce06eed834b86e5ea512a8ddf751e3c1a81c1e1c6dd9ab5c4e9ca95586c475ccdbec0c64f5490e79eadbe7
-
C:\Users\Admin\AppData\Local\Temp\nwixhieg.exe
MD5: ac46facd334c7cd106cde9fdf38e965c
SHA1: daa001174d595132938cfc19c43579cbd4d082ca
SHA256: c1d018b4850721d1a602b7aa0273ef1e00d962199167f1b09465a47daff31b1b
SHA512: f546345984e3edb7651737306201e8b5a5d76c4b508170fb998ecb16245846cc3719052390aa47ca2b862bc0bbb5ae4174ec9605f5fb0c91758c4aef4092805e
-
memory/2436-140-0x0000000007900000-0x0000000007A96000-memory.dmp
Filesize: 1.6MB
-
memory/2436-145-0x0000000007AA0000-0x0000000007BB4000-memory.dmp
Filesize: 1.1MB
-
memory/3044-137-0x0000000000AC0000-0x0000000000E0A000-memory.dmp
Filesize: 3.3MB
-
memory/3044-138-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize: 164KB
-
memory/3044-139-0x00000000005D0000-0x00000000005E1000-memory.dmp
Filesize: 68KB
-
memory/3044-134-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize: 164KB
-
memory/3588-141-0x0000000000880000-0x000000000089F000-memory.dmp
Filesize: 124KB
-
memory/3588-142-0x00000000005B0000-0x00000000005D9000-memory.dmp
Filesize: 164KB
-
memory/3588-143-0x00000000047B0000-0x0000000004AFA000-memory.dmp
Filesize: 3.3MB
-
memory/3588-144-0x0000000004510000-0x00000000045A0000-memory.dmp
Filesize: 576KB