Analysis
max time kernel: 149s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-04-2022 10:37
Static task: static1
Behavioral task: behavioral1
Sample: virement file gfx256.exe
Resource: win7-20220414-en
General
Target: virement file gfx256.exe
Size: 219KB
MD5: 4105db4e41a2c9399768201b068a2a8c
SHA1: d89976b120c88dc5cd57fc78a35d5474f53a34bb
SHA256: 41752d18a6da546687259e730e12313a804b313d041631262df801ef5d092569
SHA512: 9380a3dfa62d3baf8b41102a04104da523d3cd5e871ee955abd49230f4fa063fbc9205dad6202856a8b7edd063d44556b0ae282577590782c4a4d5dbd950a883
Malware Config
Extracted
xloader
2.5
cbgo
Signatures
Xloader Payload 3 IoCs
  resource                                                                       yara_rule
  behavioral2/memory/2156-136-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
  behavioral2/memory/2156-140-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
  behavioral2/memory/3664-145-0x00000000006F0000-0x0000000000719000-memory.dmp   xloader

Executes dropped EXE 2 IoCs
  pid   process
  2356  wtuklosens.exe
  2156  wtuklosens.exe

Suspicious use of SetThreadContext 3 IoCs
  description                          pid   process         target process
  PID 2356 set thread context of 2156  2356  wtuklosens.exe  wtuklosens.exe
  PID 2156 set thread context of 3152  2156  wtuklosens.exe  Explorer.EXE
  PID 3664 set thread context of 3152  3664  msdt.exe        Explorer.EXE

Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses 62 IoCs
  pid   process         entries
  2156  wtuklosens.exe  4
  3664  msdt.exe        58

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid   process
  3152  Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs
  pid   process         entries
  2156  wtuklosens.exe  3
  3664  msdt.exe        2

Suspicious use of AdjustPrivilegeToken 2 IoCs
  description              pid   process
  Token: SeDebugPrivilege  2156  wtuklosens.exe
  Token: SeDebugPrivilege  3664  msdt.exe

Suspicious use of WriteProcessMemory 15 IoCs
  description                       pid   process                   target process  entries
  PID 2428 wrote to memory of 2356  2428  virement file gfx256.exe  wtuklosens.exe  3
  PID 2356 wrote to memory of 2156  2356  wtuklosens.exe            wtuklosens.exe  6
  PID 3152 wrote to memory of 3664  3152  Explorer.EXE              msdt.exe        3
  PID 3664 wrote to memory of 2472  3664  msdt.exe                  cmd.exe         3
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\virement file gfx256.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\virement file gfx256.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe
      command line: C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe C:\Users\Admin\AppData\Local\Temp\ixvcuspnim
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe
        command line: C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe C:\Users\Admin\AppData\Local\Temp\ixvcuspnim
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\msdt.exe
    command line: "C:\Windows\SysWOW64\msdt.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\ixvcuspnim
  Filesize: 4KB
  MD5: 336a7e42fb23d1284b1efbd661a930df
  SHA1: 63340b3a24fb5577aa9d7391836786418691df0b
  SHA256: a2c7b92b2e21cd1a90e14418cf3243c6ce98c81e4c5fa63220b3345dbb05485e
  SHA512: b9690f304cf6d9b3634f0836e2a09d4b1b3c3ac54632c5cd39ae8c9006ff9d7d05eb78f200661162e64a05f004213faaf4e10b40627b2471d71bca61bf7738bb

C:\Users\Admin\AppData\Local\Temp\jt8wkn8859n3d
  Filesize: 163KB
  MD5: 503e7aa394cf6b9cb16cc44655ba8a09
  SHA1: c6aa479c2786e1d132754bf562a1272a54d93ac7
  SHA256: b01960d09ca92e47d47f3d913d12461d145dbf25514fb81283af44e32170f56d
  SHA512: 9be01f3c7e9aef2e4d72d27f50cf55d41d828554012ac1e7928a276e923f789e63b176f23c703cee994254e044cc3268ba618e3492ccc518e9ef43c93ec95262

C:\Users\Admin\AppData\Local\Temp\wtuklosens.exe
  Filesize: 65KB
  MD5: 08fdf623546aa3d7c3b0354501e55bd0
  SHA1: 857ba1a1d54067ac2588a00e4ef48615bc1b6d4c
  SHA256: 6c4a8c2448b2a22a9872b88dd6e6fa0421c65c9129067f2339df76cf67be394c
  SHA512: 7dbd6bb40884b3d4050b55a9952c6003a31fc5380739590de6720dbb0e062676b4f39ac7d337a7d51ccd2d36d25cb65e9cba1643c43ba8b5f90a0c90ab347d76
memory/2156-140-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize: 164KB
memory/2156-136-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize: 164KB
memory/2156-135-0x0000000000000000-mapping.dmp
memory/2156-139-0x0000000000AC0000-0x0000000000E0A000-memory.dmp  Filesize: 3.3MB
memory/2156-141-0x00000000005D0000-0x00000000005E1000-memory.dmp  Filesize: 68KB
memory/2356-130-0x0000000000000000-mapping.dmp
memory/2472-146-0x0000000000000000-mapping.dmp
memory/3152-142-0x0000000002730000-0x0000000002893000-memory.dmp  Filesize: 1.4MB
memory/3152-149-0x0000000008130000-0x00000000082B2000-memory.dmp  Filesize: 1.5MB
memory/3664-143-0x0000000000000000-mapping.dmp
memory/3664-144-0x00000000008F0000-0x0000000000947000-memory.dmp  Filesize: 348KB
memory/3664-145-0x00000000006F0000-0x0000000000719000-memory.dmp  Filesize: 164KB
memory/3664-147-0x0000000002850000-0x0000000002B9A000-memory.dmp  Filesize: 3.3MB
memory/3664-148-0x0000000002550000-0x00000000025E0000-memory.dmp  Filesize: 576KB