Analysis
max time kernel: 166s
max time network: 173s
platform: windows10_x64
resource: win10-20220223-en
submitted: 16-03-2022 09:22
Static task: static1
General
Target: c1bd0f2f3ac96d89502bb30e5397b77fd0801c400b6afe989d0b5d356b1926d0.exe
Size: 303KB
MD5: 56f2db36ab627f09c22008f06ce17974
SHA1: 72eea805c0d1f4eaa68de67b73e3479bfc54e4a1
SHA256: c1bd0f2f3ac96d89502bb30e5397b77fd0801c400b6afe989d0b5d356b1926d0
SHA512: 8a4dba7f5d5f9901e4dd1cd6cd2b23c985838d882e093611e8309176747b809cef364b18c82f260119d4c82e8c55accdf5293753cb43ed99fb238f9da0ad2e52
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign ID: ahc8
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload (2 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/2556-119-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
    behavioral1/memory/3884-127-0x0000000002600000-0x0000000002629000-memory.dmp  xloader
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    3572  drtvyqddpk.exe
    2556  drtvyqddpk.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
    description                          pid   process         target process
    PID 3572 set thread context of 2556  3572  drtvyqddpk.exe  drtvyqddpk.exe
    PID 2556 set thread context of 2268  2556  drtvyqddpk.exe  Explorer.EXE
    PID 3884 set thread context of 2268  3884  wlanext.exe     Explorer.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (56 IoCs)
  Processes:
    pid   process
    2556  drtvyqddpk.exe  (listed 4 times)
    3884  wlanext.exe     (listed 52 times)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid   process
    2268  Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes:
    pid   process
    2556  drtvyqddpk.exe  (listed 3 times)
    3884  wlanext.exe     (listed 2 times)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  2556  drtvyqddpk.exe
    Token: SeDebugPrivilege  3884  wlanext.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
    description                       pid   process                                                                  target process
    PID 3504 wrote to memory of 3572  3504  c1bd0f2f3ac96d89502bb30e5397b77fd0801c400b6afe989d0b5d356b1926d0.exe  drtvyqddpk.exe  (listed 3 times)
    PID 3572 wrote to memory of 2556  3572  drtvyqddpk.exe                                                           drtvyqddpk.exe  (listed 6 times)
    PID 2268 wrote to memory of 3884  2268  Explorer.EXE                                                             wlanext.exe     (listed 3 times)
    PID 3884 wrote to memory of 3792  3884  wlanext.exe                                                              cmd.exe         (listed 3 times)
Processes
C:\Windows\Explorer.EXE  (PID 2268)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\c1bd0f2f3ac96d89502bb30e5397b77fd0801c400b6afe989d0b5d356b1926d0.exe  (PID 3504)
    command line: "C:\Users\Admin\AppData\Local\Temp\c1bd0f2f3ac96d89502bb30e5397b77fd0801c400b6afe989d0b5d356b1926d0.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\drtvyqddpk.exe  (PID 3572)
      command line: C:\Users\Admin\AppData\Local\Temp\drtvyqddpk.exe C:\Users\Admin\AppData\Local\Temp\wmauhtegtt
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\drtvyqddpk.exe  (PID 2556)
        command line: C:\Users\Admin\AppData\Local\Temp\drtvyqddpk.exe C:\Users\Admin\AppData\Local\Temp\wmauhtegtt
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\wlanext.exe  (PID 3884)
    command line: "C:\Windows\SysWOW64\wlanext.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 3792)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\drtvyqddpk.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\30upuchg5wx5obyg
  MD5: c57e8fe07739ebfd60a7fcec649903ec
  SHA1: 4feba783d40137ab2b2056686375f98042645732
  SHA256: 540c159b3d9c786ba87065c17e8ea40110d0a51f52c7baf91362544870c4da02
  SHA512: 36e2c0ca67bebc088110bb00e6c503ef1298bf13b295b852646cba025664825b6de9ff19031d3c30bf77e4d4200b4fa852c8214321e5de1dc8a019908eaf9d66
- C:\Users\Admin\AppData\Local\Temp\drtvyqddpk.exe
  MD5: 97b092c543bcbe563128a44a60121886
  SHA1: 660ea604d228f97c0eaf4e8cb9236214a505e375
  SHA256: 37b9df890d11a2ca96b79a1747ddf0833226c4b37323310c42d1126abd1073dc
  SHA512: 3c0180d001ae7fb9d7ad9f850041ee47d2bb7fa9791fc68af913083748571543c24b9c5fb4e0af9e582b0590bba63606375e5f27c0657b142d8c99bd34a27ad3
- C:\Users\Admin\AppData\Local\Temp\wmauhtegtt
  MD5: bdd7e616eb49e4f3e6ea838b5464cd4c
  SHA1: 92d3d469bb31b3d190973eb6209267214f09fd24
  SHA256: b8a824fb0c24dfeccd74d759bd3b8e63a9987ad4f74ea68f8703bd5bc6bdefe8
  SHA512: 36d8e735b3cd339ac604d8ddb31721470625543549cf289e4e336345f5f245029fb723b22963041e1e8c01f070e67133d6b7e3ede6681badb4765f2883c6a7ad
- memory/2268-130-0x0000000006010000-0x00000000060E6000-memory.dmp  Filesize: 856KB
- memory/2268-125-0x0000000005E80000-0x0000000006009000-memory.dmp  Filesize: 1.5MB
- memory/2556-119-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize: 164KB
- memory/2556-121-0x0000000001690000-0x00000000019B0000-memory.dmp  Filesize: 3.1MB
- memory/2556-124-0x0000000001160000-0x00000000012AA000-memory.dmp  Filesize: 1.3MB
- memory/2556-123-0x000000000041D000-0x000000000041E000-memory.dmp  Filesize: 4KB
- memory/3572-118-0x0000000000810000-0x0000000000812000-memory.dmp  Filesize: 8KB
- memory/3884-127-0x0000000002600000-0x0000000002629000-memory.dmp  Filesize: 164KB
- memory/3884-128-0x0000000002C60000-0x0000000002F80000-memory.dmp  Filesize: 3.1MB
- memory/3884-129-0x0000000002930000-0x0000000002ABF000-memory.dmp  Filesize: 1.6MB
- memory/3884-126-0x0000000000180000-0x0000000000197000-memory.dmp  Filesize: 92KB