Analysis
- max time kernel: 155s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20220310-en
- submitted: 18-03-2022 16:41
- Static task: static1
- Behavioral task: behavioral1
- Sample: factura kts 770417.exe
- Resource: win7-20220310-en
General
- Target: factura kts 770417.exe
- Size: 304KB
- MD5: dcedadc9e7ab6c8b55aba9a69f0ad589
- SHA1: 50e3e95a0823484c7729fc42250e310342335551
- SHA256: a3722866259ff0b2d2578842e1b1667e17f597c274544bb6e02f24b91cb4dbd4
- SHA512: 5b7965c65482da6a20e9648b3994e7e4756d75655c5b49a3394277db023fc72cf4e92531cfb3a153c0ae1592b80b84640239e3723334014c24e2d0705df19f1c
Malware Config
- Extracted: xloader 2.5 cbgo, followed by the extracted list of 65 C2 domains
Signatures
- Xloader Payload (2 IoCs)
  Processes (resource, yara_rule):
  behavioral2/memory/1888-138-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
  behavioral2/memory/2208-146-0x0000000001130000-0x0000000001159000-memory.dmp  xloader
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  2324 ericguhfpj.exe
  1888 ericguhfpj.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description; pid process -> target process):
  PID 2324 set thread context of 1888; 2324 ericguhfpj.exe -> ericguhfpj.exe
  PID 1888 set thread context of 688; 1888 ericguhfpj.exe -> Explorer.EXE
  PID 2208 set thread context of 688; 2208 wscript.exe -> Explorer.EXE
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (56 IoCs)
  Processes (pid, process):
  1888 ericguhfpj.exe (4 entries)
  2208 wscript.exe (remaining 52 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid, process):
  688 Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes (pid, process):
  1888 ericguhfpj.exe (3 entries)
  2208 wscript.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description; pid process):
  Token: SeDebugPrivilege; 1888 ericguhfpj.exe
  Token: SeDebugPrivilege; 2208 wscript.exe
  Token: SeShutdownPrivilege; 688 Explorer.EXE
  Token: SeCreatePagefilePrivilege; 688 Explorer.EXE
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description; pid process -> target process):
  PID 5088 wrote to memory of 2324; 5088 factura kts 770417.exe -> ericguhfpj.exe (3 entries)
  PID 2324 wrote to memory of 1888; 2324 ericguhfpj.exe -> ericguhfpj.exe (6 entries)
  PID 688 wrote to memory of 2208; 688 Explorer.EXE -> wscript.exe (3 entries)
  PID 2208 wrote to memory of 3528; 2208 wscript.exe -> cmd.exe (3 entries)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\factura kts 770417.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\factura kts 770417.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\ericguhfpj.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\ericguhfpj.exe C:\Users\Admin\AppData\Local\Temp\eqsdwpl
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\ericguhfpj.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\ericguhfpj.exe C:\Users\Admin\AppData\Local\Temp\eqsdwpl
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\wscript.exe
    Command line: "C:\Windows\SysWOW64\wscript.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\ericguhfpj.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\dp5ruz5jjg2zl3aaxx
  MD5: 0cb58837f8940ea4573b23d4a1398a63
  SHA1: 2ca3429d60c566358f49ff930a4777b6decf18b1
  SHA256: a9e91b74e5ad16d878fd0ccf1dc6234f44b96f47d9cfcc8d7a4cc06c46575d63
  SHA512: 16ebfaf2c2079d361610400dc3bc2e62cf287323fe6760790abc70b4a29e988172349878659613c7ad94fa9ddf21d0a3bbe0ffacaad9ca5e1fb3d048ef554b1c
- C:\Users\Admin\AppData\Local\Temp\eqsdwpl
  MD5: 7517db1c67287f92e41d360adec941d4
  SHA1: 88018bc6214f91f4f2f48cdf5efa7ac0ba21f6c7
  SHA256: 96ba2fe6c460e6e8baf9c02350eddb662baaa6ce02d21769384ecd82ffd2cf0a
  SHA512: fbe49c8c750bbf86220f1746e8c79cef5fa814453f35f4faff081372939c64be4afa96deb0ce85cbdb41c47fecf67e2814adbc558ac2dfc3e6cf8f6dafa85f7f
- C:\Users\Admin\AppData\Local\Temp\ericguhfpj.exe
  MD5: 25a662263939ed5c436ebcabe7c01ece
  SHA1: b6bffae40f91249c2fa2668e6dc2bbe3ade65f20
  SHA256: ef83946c30ca5b78ae2a0748c2baf78b0e0cd589c4a688238f7f47251aff74f6
  SHA512: 35c17c76254f954bbde735b7bda08e11a923800e1036b079a7ed4b108931a0243c265ad8ebd34120f29fe0cb4f03f9f3a6a205dcbb0db0127be9116622aa2f79
- memory/688-144-0x00000000085E0000-0x00000000086C5000-memory.dmp  Filesize: 916KB
- memory/688-149-0x00000000086D0000-0x000000000883F000-memory.dmp  Filesize: 1.4MB
- memory/1888-140-0x00000000014D0000-0x000000000181A000-memory.dmp  Filesize: 3.3MB
- memory/1888-142-0x000000000041D000-0x000000000041E000-memory.dmp  Filesize: 4KB
- memory/1888-143-0x0000000001030000-0x0000000001041000-memory.dmp  Filesize: 68KB
- memory/1888-138-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize: 164KB
- memory/2208-145-0x0000000000BE0000-0x0000000000C07000-memory.dmp  Filesize: 156KB
- memory/2208-146-0x0000000001130000-0x0000000001159000-memory.dmp  Filesize: 164KB
- memory/2208-147-0x00000000031B0000-0x00000000034FA000-memory.dmp  Filesize: 3.3MB
- memory/2208-148-0x0000000002FE0000-0x0000000003070000-memory.dmp  Filesize: 576KB