Analysis
max time kernel: 150s
max time network: 151s
platform: windows10_x64
resource: win10-20220223-en
submitted: 30-03-2022 01:07
Static task: static1
General
Target: 6cdd6c36d145369a75d707b389376e1c4854c927c6ba2635c59600e92bb7d050.exe
Size: 339KB
MD5: 8ca9c51a9d1c5ffd366b8bdf620aa5e3
SHA1: 3ef8a19e0d2b81e82d5e8b492e687ef3baade09f
SHA256: 6cdd6c36d145369a75d707b389376e1c4854c927c6ba2635c59600e92bb7d050
SHA512: 2ac6376f38194d32fc181299b4f4ad70285ad4191ca0cfe377c30f71e964196827278ac1f3280d562b05d46378319570eea6d1c3e66c37c83c9128f348c91f9c
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: ahc8
Domains:
192451.com
wwwripostes.net
sirikhalsalaw.com
bitterbaybay.com
stella-scrubs.com
almanecermezcal.com
goodgood.online
translate-now.online
sincerefilm.com
quadrantforensics.com
johnfrenchart.com
plick-click.com
alnileen.com
tghi.xyz
172711.com
maymakita.com
punnyaseva.com
ukash-online.com
sho-yururi-blog.com
hebergement-solidaire.com
civicinfluencers.net
gzhf8888.com
kuleallstar.com
palisadeslodgecondos.com
holyhirschsprungs.com
azalearoseuk.com
jaggllc.com
italianrofrow.xyz
ioewur.xyz
3a5hlv.icu
kitcycle.com
estate.xyz
ankaraescortvip.xyz
richclubsite2001.xyz
kastore.website
515pleasantvalleyway.com
sittlermd.com
mytemple.group
tiny-wagen.com
sharaleesvintageflames.com
mentalesteem.com
sport-newss.online
fbve.space
lovingtruebloodindallas.com
eaglehospitality.biz
roofrepairnow.info
mcrosfts-updata.digital
cimpactinc.com
greatnotleyeast.com
lovely-tics.com
douglas-enterprise.com
dayannalima.online
ksodl.com
rainbowlampro.com
theinteriorsfurniture.com
eidmueller.email
cg020.online
gta6fuzhu.com
cinemaocity.com
hopeitivity.com
savageequipment.biz
groceriesbazaar.com
hempgotas.com
casino-pharaon-play.xyz
ralfrassendnk-login.com
Signatures
-
Xloader Payload (4 IoCs)
resource | yara_rule
behavioral1/memory/3820-119-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral1/memory/3820-120-0x000000000041D4F0-mapping.dmp | xloader
behavioral1/memory/3820-124-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral1/memory/3848-129-0x0000000002FD0000-0x0000000002FF9000-memory.dmp | xloader
-
Executes dropped EXE (2 IoCs)
pid | process
3508 | hmikwdpqfm.exe
3820 | hmikwdpqfm.exe
-
Suspicious use of SetThreadContext (3 IoCs)
description | pid | process | target process
PID 3508 set thread context of 3820 | 3508 | hmikwdpqfm.exe | hmikwdpqfm.exe
PID 3820 set thread context of 2312 | 3820 | hmikwdpqfm.exe | Explorer.EXE
PID 3848 set thread context of 2312 | 3848 | cmmon32.exe | Explorer.EXE
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (62 IoCs)
pid | process
3820 | hmikwdpqfm.exe (4 identical entries)
3848 | cmmon32.exe (58 identical entries)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | process
2312 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection (5 IoCs)
pid | process
3820 | hmikwdpqfm.exe (3 identical entries)
3848 | cmmon32.exe (2 identical entries)
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 3820 | hmikwdpqfm.exe
Token: SeDebugPrivilege | 3848 | cmmon32.exe
-
Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | process | target process
PID 2512 wrote to memory of 3508 | 2512 | 6cdd6c36d145369a75d707b389376e1c4854c927c6ba2635c59600e92bb7d050.exe | hmikwdpqfm.exe (3 identical entries)
PID 3508 wrote to memory of 3820 | 3508 | hmikwdpqfm.exe | hmikwdpqfm.exe (6 identical entries)
PID 2312 wrote to memory of 3848 | 2312 | Explorer.EXE | cmmon32.exe (3 identical entries)
PID 3848 wrote to memory of 3844 | 3848 | cmmon32.exe | cmd.exe (3 identical entries)
Processes
-
[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
-
    [2] C:\Users\Admin\AppData\Local\Temp\6cdd6c36d145369a75d707b389376e1c4854c927c6ba2635c59600e92bb7d050.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\6cdd6c36d145369a75d707b389376e1c4854c927c6ba2635c59600e92bb7d050.exe"
        - Suspicious use of WriteProcessMemory
-
        [3] C:\Users\Admin\AppData\Local\Temp\hmikwdpqfm.exe
            command line: C:\Users\Admin\AppData\Local\Temp\hmikwdpqfm.exe C:\Users\Admin\AppData\Local\Temp\wmzaavkvn
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
-
            [4] C:\Users\Admin\AppData\Local\Temp\hmikwdpqfm.exe
                command line: C:\Users\Admin\AppData\Local\Temp\hmikwdpqfm.exe C:\Users\Admin\AppData\Local\Temp\wmzaavkvn
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken
-
    [2] C:\Windows\SysWOW64\autochk.exe
        command line: "C:\Windows\SysWOW64\autochk.exe"
-
    [2] C:\Windows\SysWOW64\cmmon32.exe
        command line: "C:\Windows\SysWOW64\cmmon32.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
-
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: /c del "C:\Users\Admin\AppData\Local\Temp\hmikwdpqfm.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\hmikwdpqfm.exe
Filesize: 5KB
MD5: 82f727731cfd99adb7c7791024010ea6
SHA1: 9097fed498c15365c893de751dc09202d0ec7b19
SHA256: c8c57849d145e4a6fb3b3504714c4ca2ba34a9d0fe84f0b62e2cdc0b1274499a
SHA512: f21e330eb6d2cfb89fc1335c9f917edd545765d4105cfdb28bb30caf4fbccd86770645a8f84f6d3566ff8b421c68d9186d760162572a5ca049cc9100c5b019ab
-
C:\Users\Admin\AppData\Local\Temp\wmzaavkvn
Filesize: 5KB
MD5: 5e51dab26c8fed623ae87ddc2656dabb
SHA1: d7d5c786f063e4d133c88f745775a8b79a484bbe
SHA256: bbcd54d358af35a2e56ebf9957fc0ff26bdb58bc663156f4a338d074491dc8bd
SHA512: 14315102e4b16b15a1bc1a92ecf9787451d39c0edc25dff31ee6bf87f1eb52d007ebc37d717626299d39126acef1204a37f1706e71aa2a69ce23e2dd12eb64c9
-
C:\Users\Admin\AppData\Local\Temp\xzqne7xgv46yime5nwb2
Filesize: 213KB
MD5: ac55129efa2fd551e4eceeaa2ff57bd6
SHA1: 8736beea239a41de6c8d1358fad0f146819b711e
SHA256: 18f06bb5d726cc75bb9acd624f9a95253a9c1f3d131a40f21d05617d9b59e2fd
SHA512: a23a913271b4e5b3cdffe870cf2aed0b78422e8d806c051dd768bb0b6aa11afcc9e6aa85102ae5e1e39fedf43d0ba9f0ea6fb6b21522c3bd4aa7997fffa55552
-
memory/2312-133-0x0000000000F70000-0x000000000102C000-memory.dmp
Filesize: 752KB
-
memory/2312-126-0x0000000005590000-0x000000000572C000-memory.dmp
Filesize: 1.6MB
-
memory/3508-114-0x0000000000000000-mapping.dmp
-
memory/3820-123-0x0000000000E70000-0x0000000001190000-memory.dmp
Filesize: 3.1MB
-
memory/3820-124-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize: 164KB
-
memory/3820-125-0x0000000000CD0000-0x0000000000E6E000-memory.dmp
Filesize: 1.6MB
-
memory/3820-120-0x000000000041D4F0-mapping.dmp
-
memory/3820-119-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize: 164KB
-
memory/3844-130-0x0000000000000000-mapping.dmp
-
memory/3848-127-0x0000000000000000-mapping.dmp
-
memory/3848-129-0x0000000002FD0000-0x0000000002FF9000-memory.dmp
Filesize: 164KB
-
memory/3848-128-0x0000000000220000-0x000000000022C000-memory.dmp
Filesize: 48KB
-
memory/3848-131-0x0000000004700000-0x0000000004A20000-memory.dmp
Filesize: 3.1MB
-
memory/3848-132-0x0000000004AB0000-0x0000000004B40000-memory.dmp
Filesize: 576KB