Analysis
max time kernel: 4294213s
max time network: 154s
platform: windows7_x64
resource: win7-20220310-en
submitted: 14-03-2022 10:22
Static task: static1
Behavioral task: behavioral1
Sample: QT190682062.js
Resource: win7-20220310-en
General
Target: QT190682062.js
Size: 866KB
MD5: 1a57814ee69545a677531e30491458f6
SHA1: 2e4339114802ceb6f34077dfe27a39b4dfe2e595
SHA256: d808f56ae1df3f713475eeffac403cec3bc405e90c5aac6bda3209b87d2a7345
SHA512: 6d96dbde544b60f44514f5f362a08fccd5469255fb9bc66c5b05dc0851987934d83482c2fbd6026193e49e93a6c76d48e004592bcd9fb9a28c889b706d408eb9
Malware Config
Extracted: xloader 2.5 qatv
Signatures
-
Xloader Payload 4 IoCs
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\bin.exe | xloader
behavioral1/memory/2024-58-0x0000000000E50000-0x0000000000E79000-memory.dmp | xloader
behavioral1/memory/1936-62-0x00000000000D0000-0x00000000000F9000-memory.dmp | xloader
C:\Users\Admin\AppData\Local\Temp\bin.exe | xloader
-
Blocklisted process makes network request 17 IoCs
flow | pid | process
5, 6, 9, 14, 18, 21, 26, 32, 35, 38, 42, 46, 51, 57, 60, 67, 73 | 996 | wscript.exe (one IoC per flow)
-
Executes dropped EXE 1 IoCs
pid | process
2024 | bin.exe
-
Drops startup file 2 IoCs
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AiaxYKzLrg.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AiaxYKzLrg.js | wscript.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\00FAYTSXGU = "\"C:\\Users\\Admin\\AppData\\Roaming\\AiaxYKzLrg.js\"" | wscript.exe
-
Suspicious use of SetThreadContext 2 IoCs
description | pid | process | target process
PID 2024 set thread context of 1192 | 2024 | bin.exe | Explorer.EXE
PID 1936 set thread context of 1192 | 1936 | chkdsk.exe | Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 1 IoCs
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | chkdsk.exe
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid | process
2024 | bin.exe (2 events)
1936 | chkdsk.exe (28 events)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | process
1192 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
pid | process
2024 | bin.exe (3 events)
1936 | chkdsk.exe (2 events)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | process
Token: SeDebugPrivilege | 2024 | bin.exe
Token: SeDebugPrivilege | 1936 | chkdsk.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid | process
1192 | Explorer.EXE (2 events)
-
Suspicious use of SendNotifyMessage 2 IoCs
pid | process
1192 | Explorer.EXE (2 events)
-
Suspicious use of WriteProcessMemory 15 IoCs
description | pid | process | target process
PID 1852 wrote to memory of 996 | 1852 | wscript.exe | wscript.exe (3 events)
PID 1852 wrote to memory of 2024 | 1852 | wscript.exe | bin.exe (4 events)
PID 1192 wrote to memory of 1936 | 1192 | Explorer.EXE | chkdsk.exe (4 events)
PID 1936 wrote to memory of 1072 | 1936 | chkdsk.exe | cmd.exe (4 events)
Processes
-
Process tree (the number before each image is its depth in the tree; indented entries are children of the entry above them):
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\wscript.exe
      Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\QT190682062.js
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\wscript.exe
         Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\AiaxYKzLrg.js"
         - Blocklisted process makes network request
         - Drops startup file
         - Adds Run key to start application
      3. C:\Users\Admin\AppData\Local\Temp\bin.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\bin.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\chkdsk.exe
      Command line: "C:\Windows\SysWOW64\chkdsk.exe"
      - Suspicious use of SetThreadContext
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /c del "C:\Users\Admin\AppData\Local\Temp\bin.exe"
Downloads
-
C:\Users\Admin\AppData\Local\Temp\bin.exe
MD5: d2bc603d4e0e7011f2b8ba93bcd75293
SHA1: 9fb2540d65441714cfcf7e4cc2432a96255f1f6d
SHA256: c70b39662e04b20fb68d78b0dc45694b6cc9c564c7c0535c286ee37fd1730d4b
SHA512: 49835fc13efa9406fb7d7b85247013f45eeaa3e3cd9d1ae2a5c867f9231afae08c1051799b3b137f79476065035bedf5953d999da12e43a761dc369dfe90956b
-
C:\Users\Admin\AppData\Roaming\AiaxYKzLrg.js
MD5: 6262e524b30c6a58c36ed159871a60c0
SHA1: 82e5b80c6c1092b6b7ec1360af65b6256666fb07
SHA256: 48a168f6a0f5ec1b8cabe07ca6a8e7d17e875c676d8eb9658c23b54dbed8f223
SHA512: f5d5ac85b0922822d30a8bf8d68d3f69866926a68a45bb2dc2b8ea189012554ce45fec183eafea6169913249f59bc39f4d40d6361d3da8e5a04420e08acfbf1d
-
Memory dumps (dump | Filesize):
memory/1192-60-0x00000000060F0000-0x0000000006245000-memory.dmp | 1.3MB
memory/1192-66-0x00000000049B0000-0x0000000004A80000-memory.dmp | 832KB
memory/1852-54-0x000007FEFC511000-0x000007FEFC513000-memory.dmp | 8KB
memory/1936-65-0x0000000001D60000-0x0000000001DF0000-memory.dmp | 576KB
memory/1936-67-0x0000000076AE1000-0x0000000076AE3000-memory.dmp | 8KB
memory/1936-61-0x0000000000200000-0x0000000000207000-memory.dmp | 28KB
memory/1936-62-0x00000000000D0000-0x00000000000F9000-memory.dmp | 164KB
memory/1936-64-0x0000000001E90000-0x0000000002193000-memory.dmp | 3.0MB
memory/2024-57-0x0000000000850000-0x0000000000B53000-memory.dmp | 3.0MB
memory/2024-59-0x0000000000130000-0x0000000000141000-memory.dmp | 68KB
memory/2024-58-0x0000000000E50000-0x0000000000E79000-memory.dmp | 164KB