Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 14-03-2022 10:22
Static task: static1
Behavioral task: behavioral1
Sample: QT190682062.js
Resource: win7-20220310-en
General
- Target: QT190682062.js
- Size: 866KB
- MD5: 1a57814ee69545a677531e30491458f6
- SHA1: 2e4339114802ceb6f34077dfe27a39b4dfe2e595
- SHA256: d808f56ae1df3f713475eeffac403cec3bc405e90c5aac6bda3209b87d2a7345
- SHA512: 6d96dbde544b60f44514f5f362a08fccd5469255fb9bc66c5b05dc0851987934d83482c2fbd6026193e49e93a6c76d48e004592bcd9fb9a28c889b706d408eb9
Malware Config
Extracted: xloader 2.5 qatv
Signatures

Xloader Payload (4 IoCs)
  C:\Users\Admin\AppData\Local\Temp\bin.exe (yara_rule: xloader)
  C:\Users\Admin\AppData\Local\Temp\bin.exe (yara_rule: xloader)
  behavioral2/memory/4412-134-0x00000000005F0000-0x0000000000619000-memory.dmp (yara_rule: xloader)
  behavioral2/memory/4852-138-0x0000000000850000-0x0000000000879000-memory.dmp (yara_rule: xloader)
Blocklisted process makes network request (16 IoCs)
  Network flows 6, 11, 18, 28, 35, 38, 43, 50, 52, 56, 63, 66, 70, 74, 80, 85, all from PID 3740 wscript.exe (one IoC per flow)
Executes dropped EXE (1 IoC)
  PID 4412 bin.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation (wscript.exe)
Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AiaxYKzLrg.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AiaxYKzLrg.js (wscript.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\00FAYTSXGU = "\"C:\\Users\\Admin\\AppData\\Roaming\\AiaxYKzLrg.js\"" (wscript.exe)
Suspicious use of SetThreadContext (2 IoCs)
  PID 4412 bin.exe set thread context of PID 3028 Explorer.EXE
  PID 4852 wlanext.exe set thread context of PID 3028 Explorer.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (62 IoCs)
  PID 4412 bin.exe (4 occurrences)
  PID 4852 wlanext.exe (58 occurrences)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3028 Explorer.EXE
Suspicious behavior: MapViewOfSection (5 IoCs)
  PID 4412 bin.exe (3 occurrences)
  PID 4852 wlanext.exe (2 occurrences)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege, PID 4412 bin.exe
  Token: SeDebugPrivilege, PID 4852 wlanext.exe
  Token: SeShutdownPrivilege, PID 3028 Explorer.EXE
  Token: SeCreatePagefilePrivilege, PID 3028 Explorer.EXE
  Token: SeShutdownPrivilege, PID 3028 Explorer.EXE
  Token: SeCreatePagefilePrivilege, PID 3028 Explorer.EXE
Suspicious use of WriteProcessMemory (11 IoCs)
  PID 2256 wscript.exe wrote to memory of PID 3740 wscript.exe (2 occurrences)
  PID 2256 wscript.exe wrote to memory of PID 4412 bin.exe (3 occurrences)
  PID 3028 Explorer.EXE wrote to memory of PID 4852 wlanext.exe (3 occurrences)
  PID 4852 wlanext.exe wrote to memory of PID 4340 cmd.exe (3 occurrences)
Processes

C:\Windows\Explorer.EXE (PID 3028)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\wscript.exe (PID 2256)
    command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\QT190682062.js
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wscript.exe (PID 3740)
      command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\AiaxYKzLrg.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
    C:\Users\Admin\AppData\Local\Temp\bin.exe (PID 4412)
      command line: "C:\Users\Admin\AppData\Local\Temp\bin.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\wlanext.exe (PID 4852)
    command line: "C:\Windows\SysWOW64\wlanext.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 4340)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\bin.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\bin.exe
  MD5: d2bc603d4e0e7011f2b8ba93bcd75293
  SHA1: 9fb2540d65441714cfcf7e4cc2432a96255f1f6d
  SHA256: c70b39662e04b20fb68d78b0dc45694b6cc9c564c7c0535c286ee37fd1730d4b
  SHA512: 49835fc13efa9406fb7d7b85247013f45eeaa3e3cd9d1ae2a5c867f9231afae08c1051799b3b137f79476065035bedf5953d999da12e43a761dc369dfe90956b

C:\Users\Admin\AppData\Roaming\AiaxYKzLrg.js
  MD5: 6262e524b30c6a58c36ed159871a60c0
  SHA1: 82e5b80c6c1092b6b7ec1360af65b6256666fb07
  SHA256: 48a168f6a0f5ec1b8cabe07ca6a8e7d17e875c676d8eb9658c23b54dbed8f223
  SHA512: f5d5ac85b0922822d30a8bf8d68d3f69866926a68a45bb2dc2b8ea189012554ce45fec183eafea6169913249f59bc39f4d40d6361d3da8e5a04420e08acfbf1d

memory/3028-136-0x0000000002C60000-0x0000000002D0F000-memory.dmp (filesize: 700KB)
memory/3028-141-0x00000000080B0000-0x0000000008170000-memory.dmp (filesize: 768KB)
memory/4412-133-0x0000000001740000-0x0000000001A8A000-memory.dmp (filesize: 3.3MB)
memory/4412-134-0x00000000005F0000-0x0000000000619000-memory.dmp (filesize: 164KB)
memory/4412-135-0x00000000016D0000-0x00000000016E1000-memory.dmp (filesize: 68KB)
memory/4852-137-0x0000000000180000-0x0000000000197000-memory.dmp (filesize: 92KB)
memory/4852-138-0x0000000000850000-0x0000000000879000-memory.dmp (filesize: 164KB)
memory/4852-139-0x0000000000FD0000-0x000000000131A000-memory.dmp (filesize: 3.3MB)
memory/4852-140-0x0000000000D60000-0x0000000000DF0000-memory.dmp (filesize: 576KB)