Analysis
- max time kernel: 163s
- max time network: 173s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-04-2022 09:10

Static task: static1
Behavioral task: behavioral1
Sample: SKM_1504322RS.exe
Resource: win7-20220414-en
General
- Target: SKM_1504322RS.exe
- Size: 192KB
- MD5: d382db9d903f52d9f2f7eb2c1039b824
- SHA1: c2e97ed52203259715f51ee9844176e18ea2cbbe
- SHA256: 59552104d4bb2bcc6518dab735dac7dbb731a988dda8b82d39fa10911e7b8ee3
- SHA512: 93711c47076a3c90d63ecf79b5d17a4a0f188cc7fd790f9af0740ee0907876fdbbc33da4e84a0f1b85050e9a00b0f05a592a78c0822b8251d3011f50427e56b3
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: ahc8
Signatures
-
Xloader Payload (3 IoCs)
  resource                                                                    yara_rule
  behavioral2/memory/4496-137-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
  behavioral2/memory/4496-140-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
  behavioral2/memory/4368-146-0x0000000000120000-0x0000000000149000-memory.dmp  xloader
-
Executes dropped EXE (2 IoCs)
  pid   process
  4040  wiecpplnw.exe
  4496  wiecpplnw.exe
-
Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   process        target process
  PID 4040 set thread context of 4496  4040  wiecpplnw.exe  wiecpplnw.exe
  PID 4496 set thread context of 3292  4496  wiecpplnw.exe  Explorer.EXE
  PID 4368 set thread context of 3292  4368  cmmon32.exe    Explorer.EXE
-
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (60 IoCs)
  pid   process        occurrences
  4496  wiecpplnw.exe  4
  4368  cmmon32.exe    56
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   process
  3292  Explorer.EXE
-
Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   process        occurrences
  4496  wiecpplnw.exe  3
  4368  cmmon32.exe    2
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   process
  Token: SeDebugPrivilege   4496  wiecpplnw.exe
  Token: SeDebugPrivilege   4368  cmmon32.exe
-
Suspicious use of WriteProcessMemory (15 IoCs)
  description                       pid   process            target process  occurrences
  PID 1580 wrote to memory of 4040  1580  SKM_1504322RS.exe  wiecpplnw.exe   3
  PID 4040 wrote to memory of 4496  4040  wiecpplnw.exe      wiecpplnw.exe   6
  PID 3292 wrote to memory of 4368  3292  Explorer.EXE       cmmon32.exe     3
  PID 4368 wrote to memory of 1076  4368  cmmon32.exe        cmd.exe         3
Processes
-
C:\Windows\Explorer.EXE (PID 3292, depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\SKM_1504322RS.exe (PID 1580, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\SKM_1504322RS.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\wiecpplnw.exe (PID 4040, depth 3)
      command line: C:\Users\Admin\AppData\Local\Temp\wiecpplnw.exe C:\Users\Admin\AppData\Local\Temp\gnpqzaioa
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\wiecpplnw.exe (PID 4496, depth 4)
        command line: C:\Users\Admin\AppData\Local\Temp\wiecpplnw.exe C:\Users\Admin\AppData\Local\Temp\gnpqzaioa
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmmon32.exe (PID 4368, depth 2)
    command line: "C:\Windows\SysWOW64\cmmon32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 1076, depth 3)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\wiecpplnw.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\8cqj5cdlj81hkk3c7l9r
  Filesize: 163KB
  MD5: 61f525c1ae1801219dfcde26c37fdde5
  SHA1: a8e554afd2e639eb8aa593cf7ca8aea3d164a8c4
  SHA256: ae49d13b232b43d23d78fd63570e8de611408418e69058c4f9e02bb88ecd7dc3
  SHA512: 3f44fa452d6f70003952b7e7450407f539b5a6d1f4cbae97a16ae96a420906828d2b5f7aad287ff927f90dc9b1e7f175210b04b6a5b1b7ef1a7d3648bce8645c
-
C:\Users\Admin\AppData\Local\Temp\gnpqzaioa
  Filesize: 5KB
  MD5: 40e7f44b50a0bbbbeed2861f98742d91
  SHA1: 842279d94e7205fed6a4ebba1b1fadccfe9baa12
  SHA256: c512a420c4249e82ab53f60eafa5baff40e7bfde342bb8cad06233ce8bb58cb5
  SHA512: 04b701517dead6f6ebfe4a41f7482b84c05782cdde5623f9f31bffafad0e37cd309dde7c3603aeb361b0814a15f016ac2de1bbff02c548512b2d11f48f61eada
-
C:\Users\Admin\AppData\Local\Temp\wiecpplnw.exe
  Filesize: 4KB
  MD5: 73e2a848522ee8bef850a9f76b51732a
  SHA1: 7f2a15c92a16601334f18509a05f9147dddefad7
  SHA256: 852f7e6d06eee3f482c6b2e0ddc948c57f9b6970b4e19882e026f777a686d922
  SHA512: e7e3f4aa0281fa3dc6e9151f9b6ff0816dc9abb92a2594458abdf3af77b5d4688d7ce46b2bf7b48d8f4535ef9daff7d4b14c0b3fc2b49c0e9e977aae950a555d
-
Memory dumps
- memory/1076-148-0x0000000000000000-mapping.dmp
- memory/3292-143-0x00000000039B0000-0x0000000003A9C000-memory.dmp (944KB)
- memory/3292-150-0x0000000008D10000-0x0000000008E86000-memory.dmp (1.5MB)
- memory/4040-135-0x00000000009A0000-0x00000000009A2000-memory.dmp (8KB)
- memory/4040-130-0x0000000000000000-mapping.dmp
- memory/4368-149-0x00000000020B0000-0x0000000002140000-memory.dmp (576KB)
- memory/4368-145-0x0000000000A80000-0x0000000000A8C000-memory.dmp (48KB)
- memory/4368-147-0x0000000002380000-0x00000000026CA000-memory.dmp (3.3MB)
- memory/4368-144-0x0000000000000000-mapping.dmp
- memory/4368-146-0x0000000000120000-0x0000000000149000-memory.dmp (164KB)
- memory/4496-136-0x0000000000000000-mapping.dmp
- memory/4496-142-0x0000000000500000-0x0000000000511000-memory.dmp (68KB)
- memory/4496-141-0x0000000000AA0000-0x0000000000DEA000-memory.dmp (3.3MB)
- memory/4496-140-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
- memory/4496-137-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)