Analysis
- max time kernel: 154s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-20220331-en
- submitted: 08-04-2022 08:28
Static task: static1
Behavioral task: behavioral1
Sample: fiyat talebi.exe
Resource: win7-20220311-en
General
- Target: fiyat talebi.exe
- Size: 242KB
- MD5: cd5a1f00e5069978e2265c76b1ddf25d
- SHA1: b995ba1b34b3debabad436b14ad5c94829e6e27b
- SHA256: f2b30831e93ef719ecc6b3d7fa88509a1b77d35068d4d6ab2728d9938c8a7859
- SHA512: 656bca68ff35b4f341f2347af02b0f68cf56b1e3a20629dd446e0abad18d229de2501879a002c7bf99b9b27890fc2e5c1171bb7d585312bf0eaf74827d30200c
Malware Config
Extracted
- family: xloader
- version: 2.5
- campaign: cbgo
- domains:
santesha.com
britneysbeautybar.com
sh-cy17.com
jeffcarveragency.com
3117111.com
sobrehosting.net
ddm123.xyz
toxcompliance.com
auditorydesigns.com
vliftfacial.com
ielhii.com
naameliss.com
ritualchariot.com
solchange.com
quatre-vingts.design
lawnmowermashine.com
braceletsstore.net
admappy.com
tollivercoltd.com
vaidix.com
rodrigomartinsadv.com
bouncingskull.com
hamiltonhellerrealestate.com
dream-kidz.com
growupnotgrowold.com
clanginandbangin.com
cornerstone-constructions.com
mcdonalds-delivery.xyz
omnikro.com
nca-group.com
hughers3.com
move-mobius.com
shrivs.com
hoshikuzu-hegemony.com
zpwx17.online
masoncable.com
butecreditunion.com
creativefolksnetwork.xyz
lejanet.com
tacticalslings.club
bestprodutos.com
quirkysoul39.com
sdettest.com
aomendc.xyz
lorticepttoyof6.xyz
nonvaxrnpositions.com
maintainaviation.com
kubanitka.com
fractalmerch.xyz
elbowguru.com
nikiyang.com
cialisactivesupers.com
bestofrochester.info
ynov-rennes.com
saiden8164.com
ffuster.com
papierle.com
dobsonfryedentist.com
rufisquoisedetransit.com
compassionatecuddling.com
kimlady.com
mashinchand.com
semicivilization.com
milamixecommerce.com
ambassadorandceoclub.com
Signatures
-
Xloader Payload 3 IoCs
Processes:
resource                                                                      yara_rule
behavioral2/memory/4292-130-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral2/memory/4292-134-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral2/memory/4904-139-0x0000000000F10000-0x0000000000F39000-memory.dmp  xloader
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
3348  qmzngjtx.exe
4292  qmzngjtx.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description                          pid   process       target process
PID 3348 set thread context of 4292  3348  qmzngjtx.exe  qmzngjtx.exe
PID 4292 set thread context of 932   4292  qmzngjtx.exe  Explorer.EXE
PID 4904 set thread context of 932   4904  svchost.exe   Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 2 IoCs
Processes:
description  ioc                                                                                                                   process
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\                              Explorer.EXE
Key created  \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\  Explorer.EXE
-
Suspicious behavior: EnumeratesProcesses 62 IoCs
Processes:
pid   process       count
4292  qmzngjtx.exe  4
4904  svchost.exe   58
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid  process
932  Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid   process       count
4292  qmzngjtx.exe  3
4904  svchost.exe   2
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
Processes:
description                        pid   process       count
Token: SeDebugPrivilege            4292  qmzngjtx.exe  1
Token: SeDebugPrivilege            4904  svchost.exe   1
Token: SeShutdownPrivilege         932   Explorer.EXE  8
Token: SeCreatePagefilePrivilege   932   Explorer.EXE  8
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description                        pid   process           target process  count
PID 4240 wrote to memory of 3348   4240  fiyat talebi.exe  qmzngjtx.exe    3
PID 3348 wrote to memory of 4292   3348  qmzngjtx.exe      qmzngjtx.exe    6
PID 932 wrote to memory of 4904    932   Explorer.EXE      svchost.exe     3
PID 4904 wrote to memory of 3924   4904  svchost.exe       cmd.exe         3
Processes
-
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\fiyat talebi.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\fiyat talebi.exe"
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\qmzngjtx.exe
      command line: C:\Users\Admin\AppData\Local\Temp\qmzngjtx.exe C:\Users\Admin\AppData\Local\Temp\qhidoqldbb
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\qmzngjtx.exe
        command line: C:\Users\Admin\AppData\Local\Temp\qmzngjtx.exe C:\Users\Admin\AppData\Local\Temp\qhidoqldbb
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\svchost.exe
    command line: "C:\Windows\SysWOW64\svchost.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\qmzngjtx.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\n4ctxmrbh0uoaq3yha
Filesize: 212KB
MD5: 0800086693d43f3e3f5248c8789ef97c
SHA1: 9779f40e0a93bd5825d7f715453924819b9a59e6
SHA256: 089179b2f01e25d4117e018c7ebe402d2e4c68b9774c15f29fde43fa57aa32df
SHA512: 8fa85746c74bd7b2361dab36e3228a1c8f27f2d6b9d6a01b10ab97f07212bdc1ba52724d4239cc76b649763be8c2d2f0f298430fbbb1af94d7d4e1f50d52e0f4
-
C:\Users\Admin\AppData\Local\Temp\qhidoqldbb
Filesize: 4KB
MD5: 4189ad2dedcab199ef7a58a4c490733e
SHA1: 023179460cc47e1ede06f9e4cc5b7ecfd87dadc2
SHA256: 513b1e9affe4c24ff16e2156cb1bf14c0e7c75d53b6886341a01474e5c784f3b
SHA512: f27292ea85b5f4cf47c982dce736afdc69f9f0893b0a521546803e524e195a72b5a0e5c132a4f7fdcbed96baecfcee22f7e53363c71a309022dd312dee2597dc
-
C:\Users\Admin\AppData\Local\Temp\qmzngjtx.exe
Filesize: 5KB
MD5: 120556bf1317f6395f13ff5377e308d9
SHA1: f36799d4885de8cc8f8c947e4fc28e1a3a39beab
SHA256: 63b0f72ed3dade8ad655daf220470057fce741dda011d4cfbdd7646460df3f46
SHA512: 75902aac1f4f6758ac53ab717b6f91eb326a8acf331c495b08cff27c571c31d244d8b30cd812a2ecfd9fbf70c230f673672bdbde0b57ededfd8b1c26200c98dd
-
memory/932-136-0x0000000002870000-0x0000000002956000-memory.dmp  Filesize: 920KB
-
memory/932-143-0x0000000004240000-0x000000000430D000-memory.dmp  Filesize: 820KB
-
memory/3348-124-0x0000000000000000-mapping.dmp
-
memory/3924-141-0x0000000000000000-mapping.dmp
-
memory/4292-133-0x0000000000A30000-0x0000000000D7A000-memory.dmp  Filesize: 3.3MB
-
memory/4292-135-0x00000000009D0000-0x00000000009E1000-memory.dmp  Filesize: 68KB
-
memory/4292-134-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize: 164KB
-
memory/4292-130-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize: 164KB
-
memory/4292-129-0x0000000000000000-mapping.dmp
-
memory/4904-137-0x0000000000000000-mapping.dmp
-
memory/4904-138-0x0000000000890000-0x000000000089E000-memory.dmp  Filesize: 56KB
-
memory/4904-139-0x0000000000F10000-0x0000000000F39000-memory.dmp  Filesize: 164KB
-
memory/4904-140-0x0000000001C00000-0x0000000001F4A000-memory.dmp  Filesize: 3.3MB
-
memory/4904-142-0x0000000001A90000-0x0000000001B20000-memory.dmp  Filesize: 576KB