Analysis
max time kernel: 148s
max time network: 153s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-04-2022 10:37
Static task: static1
Behavioral task: behavioral1
Sample: virement file gfx256.exe
Resource: win7-20220414-en
General
Target: virement file gfx256.exe ("virement" is French for a bank transfer, so the filename is a payment-themed lure)
Size: 219KB
MD5: 4105db4e41a2c9399768201b068a2a8c
SHA1: d89976b120c88dc5cd57fc78a35d5474f53a34bb
SHA256: 41752d18a6da546687259e730e12313a804b313d041631262df801ef5d092569
SHA512: 9380a3dfa62d3baf8b41102a04104da523d3cd5e871ee955abd49230f4fa063fbc9205dad6202856a8b7edd063d44556b0ae282577590782c4a4d5dbd950a883
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: cbgo
Domains (65 entries; XLoader configs carry the live C2 among decoy domains, so treat each entry as a pivot to check rather than a confirmed C2):
santesha.com
britneysbeautybar.com
sh-cy17.com
jeffcarveragency.com
3117111.com
sobrehosting.net
ddm123.xyz
toxcompliance.com
auditorydesigns.com
vliftfacial.com
ielhii.com
naameliss.com
ritualchariot.com
solchange.com
quatre-vingts.design
lawnmowermashine.com
braceletsstore.net
admappy.com
tollivercoltd.com
vaidix.com
rodrigomartinsadv.com
bouncingskull.com
hamiltonhellerrealestate.com
dream-kidz.com
growupnotgrowold.com
clanginandbangin.com
cornerstone-constructions.com
mcdonalds-delivery.xyz
omnikro.com
nca-group.com
hughers3.com
move-mobius.com
shrivs.com
hoshikuzu-hegemony.com
zpwx17.online
masoncable.com
butecreditunion.com
creativefolksnetwork.xyz
lejanet.com
tacticalslings.club
bestprodutos.com
quirkysoul39.com
sdettest.com
aomendc.xyz
lorticepttoyof6.xyz
nonvaxrnpositions.com
maintainaviation.com
kubanitka.com
fractalmerch.xyz
elbowguru.com
nikiyang.com
cialisactivesupers.com
bestofrochester.info
ynov-rennes.com
saiden8164.com
ffuster.com
papierle.com
dobsonfryedentist.com
rufisquoisedetransit.com
compassionatecuddling.com
kimlady.com
mashinchand.com
semicivilization.com
milamixecommerce.com
ambassadorandceoclub.com
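The extracted config above is the part of this report that feeds detection. The Python below is an added example, not part of the Triage report: it loads the family/version/campaign fields and a subset of the 65 listed domains, normalises them into a watchlist, emits defanged IOC lines, and runs the watchlist over a few constructed DNS log lines (the log format is this example's own). The caveat to build in: XLoader, like Formbook before it, hides its real C2 in a list of decoy domains, so a hit on one entry is a lead to investigate, not proof that the host reached the live C2.

```python
import re
from typing import Dict, List, Optional, Set

# Taken from the "Malware Config" block above; the domain list is a SUBSET of the
# 65 entries there (feed the whole block in the same way for real use).
XLOADER_CONFIG: Dict[str, object] = {
    "family": "xloader",
    "version": "2.5",
    "campaign": "cbgo",
    "domains": [
        "santesha.com", "britneysbeautybar.com", "sh-cy17.com",
        "jeffcarveragency.com", "3117111.com", "sobrehosting.net",
        "mcdonalds-delivery.xyz", "zpwx17.online", "ambassadorandceoclub.com",
    ],
}


def normalize(domain: str) -> str:
    """Lower-case and drop a trailing dot so log names and config entries compare equal."""
    return domain.strip().lower().rstrip(".")


def build_watchlist(config: Dict[str, object]) -> Set[str]:
    """Normalised set of every domain in the config, blank entries skipped."""
    return {normalize(d) for d in config["domains"] if d.strip()}


def defang(domain: str) -> str:
    """Render a domain so it cannot be clicked or resolved when pasted into a ticket."""
    return normalize(domain).replace(".", "[.]")


def ioc_report(config: Dict[str, object]) -> List[str]:
    """One defanged line per domain, tagged with family/version/campaign."""
    tag = f'{config["family"]} {config["version"]} campaign {config["campaign"]}'
    return [f"{tag}: {defang(d)}" for d in sorted(build_watchlist(config))]


def matched_domain(query: str, watchlist: Set[str]) -> Optional[str]:
    """Return the watchlist entry that `query` equals or is a subdomain of, else None.

    Walks from the full name towards the root (www.a.example -> a.example) but never
    tests the bare TLD, so "com" on its own can never match.
    """
    labels = normalize(query).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


# Constructed log format for this example: "<timestamp> <client-ip> <qtype> <qname>".
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def scan_dns_log(lines: List[str], watchlist: Set[str]) -> List[Dict[str, str]]:
    """Return one hit per log line whose query name is on (or under) the watchlist."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # malformed lines are skipped, not allowed to abort the scan
        hit = matched_domain(m["qname"], watchlist)
        if hit:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "query": normalize(m["qname"]), "ioc": defang(hit)})
    return hits


SAMPLE_DNS_LOG = [  # constructed sample lines, not taken from the report
    "2022-04-21T10:40:01Z 10.0.0.5 A www.microsoft.com",
    "2022-04-21T10:40:07Z 10.0.0.5 A www.santesha.com.",
    "2022-04-21T10:40:09Z 10.0.0.5 A notsantesha.com",
    "2022-04-21T10:40:12Z 10.0.0.7 AAAA ZPWX17.online",
    "this line is not a DNS record",
]

if __name__ == "__main__":
    wl = build_watchlist(XLOADER_CONFIG)
    for h in scan_dns_log(SAMPLE_DNS_LOG, wl):
        print(f'{h["ts"]} {h["client"]} queried {h["query"]} -> watchlist {h["ioc"]}')
```

Suffix matching is deliberate: the config lists registrable domains, and the beacon may go to a host under one of them; the label walk stops short of the TLD so a lone "com" or "xyz" never fires, and "notsantesha.com" does not match "santesha.com" because only whole labels are compared.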
Signatures

Xloader Payload (4 IoCs)
yara rule "xloader" matched in:
behavioral1/memory/828-64-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral1/memory/828-65-0x000000000041D450-mapping.dmp
behavioral1/memory/828-68-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral1/memory/2032-75-0x0000000000080000-0x00000000000A9000-memory.dmp

Executes dropped EXE (2 IoCs)
pid 1704  wtuklosens.exe
pid 828   wtuklosens.exe

Loads dropped DLL (3 IoCs)
pid 1596  virement file gfx256.exe (2 hits)
pid 1704  wtuklosens.exe

Suspicious use of SetThreadContext (3 IoCs)
pid 1704 wtuklosens.exe  set thread context of  pid 828  wtuklosens.exe
pid 828  wtuklosens.exe  set thread context of  pid 1260 Explorer.EXE
pid 2032 NETSTAT.EXE     set thread context of  pid 1260 Explorer.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature adds "likely ransomware behaviour"; nothing else in this report points that way (the extracted config is XLoader, the behaviour is injection into Explorer.EXE and NETSTAT.EXE, and no file-encryption or ransom-note signature fires), so read it as drive enumeration by an infostealer, not as a ransomware indicator.

Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
pid 2032  NETSTAT.EXE
This signature keys on the image name. The same PID carries the xloader yara hit (memory/2032-75) and sets a thread context in Explorer.EXE, so NETSTAT.EXE here is a system binary hosting the injected payload, not netstat being run for its output.
Suspicious behavior: EnumeratesProcesses (27 IoCs)
pid 828   wtuklosens.exe (2 hits)
pid 2032  NETSTAT.EXE (25 hits)

Suspicious behavior: MapViewOfSection (5 IoCs)
pid 828   wtuklosens.exe (3 hits)
pid 2032  NETSTAT.EXE (2 hits)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege  pid 828   wtuklosens.exe
Token: SeDebugPrivilege  pid 2032  NETSTAT.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
pid 1260  Explorer.EXE (2 hits)

Suspicious use of SendNotifyMessage (2 IoCs)
pid 1260  Explorer.EXE (2 hits)

Suspicious use of WriteProcessMemory (19 IoCs)
pid 1596 virement file gfx256.exe  wrote to memory of  pid 1704 wtuklosens.exe  (4 hits)
pid 1704 wtuklosens.exe            wrote to memory of  pid 828  wtuklosens.exe  (7 hits)
pid 1260 Explorer.EXE              wrote to memory of  pid 2032 NETSTAT.EXE     (4 hits)
pid 2032 NETSTAT.EXE               wrote to memory of  pid 2000 cmd.exe         (4 hits)
Processes
(indentation is the report's nesting level; PIDs are taken from the Signatures section)

C:\Windows\Explorer.EXE (pid 1260)
Command line: C:\Windows\Explorer.EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\virement file gfx256.exe (pid 1596)
    Command line: "C:\Users\Admin\AppData\Local\Temp\virement file gfx256.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe (pid 1704)
        Command line: C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe C:\Users\Admin\AppData\Local\Temp\ixvcuspnim
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe (pid 828)
            Command line: C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe C:\Users\Admin\AppData\Local\Temp\ixvcuspnim
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\NETSTAT.EXE (pid 2032)
    Command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (pid 2000)
        Command line: /c del "C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe"

Reading the tree: the dropper (pid 1596) writes wtuklosens.exe and starts it with the 4KB dropped file ixvcuspnim as its only argument; that copy (pid 1704) starts a second copy of itself (pid 828) and sets its thread context, the hollowed copy injects into Explorer.EXE, Explorer then launches NETSTAT.EXE, which injects into Explorer as well and finally spawns cmd.exe to delete wtuklosens.exe from disk. The second dropped file, jt8wkn8859n3d (163KB, see Downloads), does not appear in the tree.
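The Signatures and Processes sections above describe one chain: dropper starts the dropped EXE, the dropped EXE hollows a copy of itself, the copy injects into Explorer.EXE, Explorer launches a system binary (NETSTAT.EXE) that also injects into Explorer, and that binary deletes the dropped EXE through cmd.exe. The Python below is an added example, not code from the report: it replays those events as a constructed list (same PIDs, images and command lines as on the page; the event field names are this example's own, not Triage's schema) and implements the four checks a responder would want from this kind of process telemetry.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed from the Signatures and Processes sections above: same PIDs, images
# and command lines as the report. Field names are this example's own, not Triage's
# schema; a real pipeline would map Sysmon/EDR events onto them.
EVENTS: List[dict] = [
    {"type": "create", "pid": 1260, "ppid": 0, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"type": "create", "pid": 1596, "ppid": 1260,
     "image": r"C:\Users\Admin\AppData\Local\Temp\virement file gfx256.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\virement file gfx256.exe"'},
    {"type": "create", "pid": 1704, "ppid": 1596,
     "image": r"C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe C:\Users\Admin\AppData\Local\Temp\ixvcuspnim"},
    {"type": "create", "pid": 828, "ppid": 1704,
     "image": r"C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe C:\Users\Admin\AppData\Local\Temp\ixvcuspnim"},
    {"type": "set_thread_context", "pid": 1704, "target": 828},
    {"type": "set_thread_context", "pid": 828, "target": 1260},
    {"type": "create", "pid": 2032, "ppid": 1260, "image": r"C:\Windows\SysWOW64\NETSTAT.EXE",
     "cmdline": r'"C:\Windows\SysWOW64\NETSTAT.EXE"'},
    {"type": "set_thread_context", "pid": 2032, "target": 1260},
    {"type": "create", "pid": 2000, "ppid": 2032, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe"'},
]


def index_processes(events: List[dict]) -> Dict[int, dict]:
    """pid -> create event, in arrival order."""
    return {e["pid"]: e for e in events if e["type"] == "create"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_hollowed_children(events: List[dict]) -> List[Tuple[int, int]]:
    """SetThreadContext on a direct child that runs the same image: the start-suspended,
    overwrite, resume step of process hollowing (1704 -> 828 in this report)."""
    procs = index_processes(events)
    hits = []
    for e in events:
        if e["type"] != "set_thread_context":
            continue
        src, dst = procs.get(e["pid"]), procs.get(e["target"])
        if src and dst and dst["ppid"] == e["pid"] and basename(src["image"]) == basename(dst["image"]):
            hits.append((e["pid"], e["target"]))
    return hits


def find_cross_image_injection(events: List[dict]) -> List[Tuple[int, int]]:
    """SetThreadContext into a process running a different binary (both hops into Explorer.EXE)."""
    procs = index_processes(events)
    return [(e["pid"], e["target"]) for e in events
            if e["type"] == "set_thread_context"
            and e["pid"] in procs and e["target"] in procs
            and basename(procs[e["pid"]]["image"]) != basename(procs[e["target"]]["image"])]


SYSTEM_DIR = re.compile(r"\\windows\\(system32|syswow64)\\", re.I)


def find_hijacked_system_binaries(events: List[dict]) -> List[int]:
    """A System32/SysWOW64 binary started by Explorer that goes on to set another
    process's thread context is hosting injected code, not doing its normal job."""
    procs = index_processes(events)
    injectors = {e["pid"] for e in events if e["type"] == "set_thread_context"}
    return [pid for pid, p in procs.items()
            if p["ppid"] in procs and basename(procs[p["ppid"]]["image"]) == "explorer.exe"
            and SYSTEM_DIR.search(p["image"]) and pid in injectors]


DEL_CMD = re.compile(r'/c\s+del\s+"?(?P<path>[^"]+?)"?\s*$', re.I)


def find_self_deletion(events: List[dict]) -> List[Tuple[int, int, str]]:
    """cmd.exe /c del aimed at a path that some process in the chain was executed from."""
    procs = index_processes(events)
    executed = {p["image"].lower() for p in procs.values()}
    hits = []
    for pid, p in procs.items():
        if basename(p["image"]) != "cmd.exe":
            continue
        m = DEL_CMD.search(p["cmdline"])
        if m and m["path"].lower() in executed:
            hits.append((pid, p["ppid"], m["path"]))
    return hits


def render_tree(events: List[dict]) -> List[str]:
    """Indented 'pid image' lines, roots first, mirroring the report's Processes view."""
    procs = index_processes(events)
    children = defaultdict(list)
    for pid, p in procs.items():
        children[p["ppid"]].append(pid)
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append("  " * depth + f"{pid} {basename(procs[pid]['image'])}")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in [pid for pid, p in procs.items() if p["ppid"] not in procs]:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
    print("hollowed children:", find_hollowed_children(EVENTS))
    print("cross-image injection:", find_cross_image_injection(EVENTS))
    print("hijacked system binaries:", find_hijacked_system_binaries(EVENTS))
    print("self-deletion:", find_self_deletion(EVENTS))
```

The self-deletion check only fires when the deleted path was actually executed earlier in the same event set, which keeps ordinary cleanup scripts out of the alert; the hijacked-binary check needs both the Explorer parent and a later SetThreadContext, so a user really running netstat from a shell never matches.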
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\ixvcuspnim
Filesize: 4KB
MD5: 336a7e42fb23d1284b1efbd661a930df
SHA1: 63340b3a24fb5577aa9d7391836786418691df0b
SHA256: a2c7b92b2e21cd1a90e14418cf3243c6ce98c81e4c5fa63220b3345dbb05485e
SHA512: b9690f304cf6d9b3634f0836e2a09d4b1b3c3ac54632c5cd39ae8c9006ff9d7d05eb78f200661162e64a05f004213faaf4e10b40627b2471d71bca61bf7738bb

C:\Users\Admin\AppData\Local\Temp\jt8wkn8859n3d
Filesize: 163KB
MD5: 503e7aa394cf6b9cb16cc44655ba8a09
SHA1: c6aa479c2786e1d132754bf562a1272a54d93ac7
SHA256: b01960d09ca92e47d47f3d913d12461d145dbf25514fb81283af44e32170f56d
SHA512: 9be01f3c7e9aef2e4d72d27f50cf55d41d828554012ac1e7928a276e923f789e63b176f23c703cee994254e044cc3268ba618e3492ccc518e9ef43c93ec95262

C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe
(the report lists this file three times under this path and three more times as \Users\Admin\AppData\Local\Temp\wtuklosens.exe, all with identical hashes; one entry is kept here)
Filesize: 65KB
MD5: 08fdf623546aa3d7c3b0354501e55bd0
SHA1: 857ba1a1d54067ac2588a00e4ef48615bc1b6d4c
SHA256: 6c4a8c2448b2a22a9872b88dd6e6fa0421c65c9129067f2339df76cf67be394c
SHA512: 7dbd6bb40884b3d4050b55a9952c6003a31fc5380739590de6720dbb0e062676b4f39ac7d337a7d51ccd2d36d25cb65e9cba1643c43ba8b5f90a0c90ab347d76
memory/828-65-0x000000000041D450-mapping.dmp
memory/828-69-0x00000000006E0000-0x00000000009E3000-memory.dmp  Filesize: 3.0MB
memory/828-64-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize: 164KB
memory/828-70-0x00000000002C0000-0x00000000002D1000-memory.dmp  Filesize: 68KB
memory/828-68-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize: 164KB
memory/1260-71-0x0000000004B50000-0x0000000004CA9000-memory.dmp  Filesize: 1.3MB
memory/1260-78-0x0000000006200000-0x000000000637C000-memory.dmp  Filesize: 1.5MB
memory/1596-54-0x0000000075781000-0x0000000075783000-memory.dmp  Filesize: 8KB
memory/1704-57-0x0000000000000000-mapping.dmp
memory/2000-73-0x0000000000000000-mapping.dmp
memory/2032-72-0x0000000000000000-mapping.dmp
memory/2032-74-0x0000000000410000-0x0000000000419000-memory.dmp  Filesize: 36KB
memory/2032-75-0x0000000000080000-0x00000000000A9000-memory.dmp  Filesize: 164KB
memory/2032-76-0x00000000021F0000-0x00000000024F3000-memory.dmp  Filesize: 3.0MB
memory/2032-77-0x0000000000750000-0x00000000007E0000-memory.dmp  Filesize: 576KB
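The memory-dump names above encode the PID, the dump sequence number and the address range. The Python below is an added example rather than anything from the report: it parses the names, checks each reported size against its address range, and groups region dumps by byte size across PIDs. That last step is the useful one: the 0x29000-byte region at 0x400000 in pid 828 (the two xloader yara hits in that process) reappears as 0x29000 bytes at 0x80000 in pid 2032 (the third yara hit), and the two 3.0MB regions pair up the same way, which is what one unpacked payload injected into two hosts looks like. The mapping.dmp entries carry a single address; the example only checks which dumped region of the same PID contains it (0x41D450 lies inside 828's 0x400000-0x429000 image) and assumes nothing about what Triage means by them.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)

# Dump names and reported sizes copied from the list above (None where the report
# gives no size). This table is the example's input, built from the page.
REPORTED: List[Tuple[str, Optional[str]]] = [
    ("memory/828-65-0x000000000041D450-mapping.dmp", None),
    ("memory/828-69-0x00000000006E0000-0x00000000009E3000-memory.dmp", "3.0MB"),
    ("memory/828-64-0x0000000000400000-0x0000000000429000-memory.dmp", "164KB"),
    ("memory/828-70-0x00000000002C0000-0x00000000002D1000-memory.dmp", "68KB"),
    ("memory/828-68-0x0000000000400000-0x0000000000429000-memory.dmp", "164KB"),
    ("memory/1260-71-0x0000000004B50000-0x0000000004CA9000-memory.dmp", "1.3MB"),
    ("memory/1260-78-0x0000000006200000-0x000000000637C000-memory.dmp", "1.5MB"),
    ("memory/1596-54-0x0000000075781000-0x0000000075783000-memory.dmp", "8KB"),
    ("memory/1704-57-0x0000000000000000-mapping.dmp", None),
    ("memory/2000-73-0x0000000000000000-mapping.dmp", None),
    ("memory/2032-72-0x0000000000000000-mapping.dmp", None),
    ("memory/2032-74-0x0000000000410000-0x0000000000419000-memory.dmp", "36KB"),
    ("memory/2032-75-0x0000000000080000-0x00000000000A9000-memory.dmp", "164KB"),
    ("memory/2032-76-0x00000000021F0000-0x00000000024F3000-memory.dmp", "3.0MB"),
    ("memory/2032-77-0x0000000000750000-0x00000000007E0000-memory.dmp", "576KB"),
]


def parse_dump(name: str) -> Dict[str, object]:
    """Split a dump name into pid, sequence number, kind, start/end and byte size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"],
            "start": start, "end": end, "size": end - start if end is not None else None}


def human(size: int) -> str:
    """Round the way the report does: one-decimal MB at or above 1 MiB, whole KB below."""
    if size >= 1 << 20:
        return f"{size / (1 << 20):.1f}MB"
    return f"{size >> 10}KB"


def check_reported_sizes(table: List[Tuple[str, Optional[str]]]) -> List[str]:
    """Names whose reported size disagrees with the parsed address range."""
    bad = []
    for name, reported in table:
        d = parse_dump(name)
        if d["size"] is not None and human(d["size"]) != reported:
            bad.append(name)
    return bad


def regions_by_size(table: List[Tuple[str, Optional[str]]]) -> Dict[int, List[Tuple[int, int]]]:
    """Region sizes seen in more than one PID, with (pid, base) for each occurrence.
    The same unpacked image injected into several processes shows up as one size
    at different bases in different PIDs."""
    groups = defaultdict(set)
    for name, _ in table:
        d = parse_dump(name)
        if d["size"] is not None:
            groups[d["size"]].add((d["pid"], d["start"]))
    return {size: sorted(v) for size, v in groups.items() if len({pid for pid, _ in v}) > 1}


def mapping_containers(table: List[Tuple[str, Optional[str]]]) -> Dict[Tuple[int, int], Tuple[int, int]]:
    """For each non-zero mapping address, the dumped region of the same PID that contains it."""
    regions = defaultdict(set)
    for name, _ in table:
        d = parse_dump(name)
        if d["kind"] == "memory":
            regions[d["pid"]].add((d["start"], d["end"]))
    out = {}
    for name, _ in table:
        d = parse_dump(name)
        if d["kind"] == "mapping" and d["start"]:
            for lo, hi in regions[d["pid"]]:
                if lo <= d["start"] < hi:
                    out[(d["pid"], d["start"])] = (lo, hi)
    return out


if __name__ == "__main__":
    print("size mismatches:", check_reported_sizes(REPORTED))
    for size, where in regions_by_size(REPORTED).items():
        print(f"{size:#x} bytes in", ", ".join(f"pid {p} @ {b:#x}" for p, b in where))
    for (pid, addr), (lo, hi) in mapping_containers(REPORTED).items():
        print(f"pid {pid} mapping {addr:#x} lies in region {lo:#x}-{hi:#x}")
```

Two practical follow-ups the grouping suggests: compare the 0x29000-byte dumps from pid 828 and pid 2032 byte for byte (after masking relocations) to confirm they are the same image, and carve the 0x400000-based dump from 828 as the unpacked XLoader for static work, since that address is the default image base of a 32-bit PE and the yara rule already fires on it.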