Analysis
- max time kernel: 147s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 14-05-2022 14:49
Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20220414-en
General
- Target: tmp.exe
- Size: 257KB
- MD5: de76ef6a11a63efc00b0303888bc0b7f
- SHA1: 7ab24456a49f6b61bc54d20a4d9c0b84f3ae696b
- SHA256: fc6ebe8bc215a292bb3df340a84350ceb2be7187efc8e10381235cfa8d82f734
- SHA512: 51a5cf0f640d922ec0d8bf5ba3fcc06b6278e3ac45f07190710c5055a23102a614443641d8b6617775d5a786ccb1e9d10404dfa0e146e6c8ec3481c616214d99
Malware Config
Extracted
xloader
2.6
nc39
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 4 IoCs
Processes:
resource | yara_rule
behavioral1/memory/952-63-0x0000000000400000-0x000000000042B000-memory.dmp | xloader
behavioral1/memory/952-64-0x000000000041F260-mapping.dmp | xloader
behavioral1/memory/952-67-0x0000000000400000-0x000000000042B000-memory.dmp | xloader
behavioral1/memory/1324-73-0x0000000000070000-0x000000000009B000-memory.dmp | xloader
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
1964 | yldnat.exe
952 | yldnat.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
1992 | tmp.exe
1964 | yldnat.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 1964 set thread context of 952 | 1964 | yldnat.exe | yldnat.exe
PID 952 set thread context of 1268 | 952 | yldnat.exe | Explorer.EXE
PID 1324 set thread context of 1268 | 1324 | cscript.exe | Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
Processes:
pid | process
952 | yldnat.exe (2 entries)
1324 | cscript.exe (25 entries)
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid | process
952 | yldnat.exe (3 entries)
1324 | cscript.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 952 | yldnat.exe
Token: SeDebugPrivilege | 1324 | cscript.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
1268 | Explorer.EXE (2 entries)
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid | process
1268 | Explorer.EXE (2 entries)
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
description | pid | process | target process
PID 1992 wrote to memory of 1964 | 1992 | tmp.exe | yldnat.exe (4 entries)
PID 1964 wrote to memory of 952 | 1964 | yldnat.exe | yldnat.exe (7 entries)
PID 1268 wrote to memory of 1324 | 1268 | Explorer.EXE | cscript.exe (4 entries)
PID 1324 wrote to memory of 1220 | 1324 | cscript.exe | cmd.exe (4 entries)
Processes
-
C:\Windows\Explorer.EXE (level 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\tmp.exe (level 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\yldnat.exe (level 3)
    Command line: C:\Users\Admin\AppData\Local\Temp\yldnat.exe C:\Users\Admin\AppData\Local\Temp\boswagvgna
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\yldnat.exe (level 4)
      Command line: C:\Users\Admin\AppData\Local\Temp\yldnat.exe C:\Users\Admin\AppData\Local\Temp\boswagvgna
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cscript.exe (level 2)
  Command line: "C:\Windows\SysWOW64\cscript.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (level 3)
    Command line: /c del "C:\Users\Admin\AppData\Local\Temp\yldnat.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\boswagvgna
Filesize 5KB
MD5 d4aa661b180df0d15bb6d0dc8342b8ba
SHA1 07310f7d0c29cd6a18ae1174578f61b08e2ba844
SHA256 e12b146fd62913d6650fcaf490cf973008929e47fd247cb3bd75b6e854cfdd89
SHA512 b423c31088ce987d77ccb2ecfb055674868dd34a995cca1c5afff3ca6f2bfea0c64037d68132c43735140651cd550507773012c23f142f04b3de984fd4dab39a
-
C:\Users\Admin\AppData\Local\Temp\l4nnhna3wvu7agf
Filesize 170KB
MD5 0b70240f412d375469a67f4e364e6edd
SHA1 877d66cbfff0712d91ed65c7545577729b34cb1a
SHA256 daae8081effed8bb74d40479d2264d791a8539f1ed8565438640ee6681d5dc64
SHA512 c6980e41d2ea0d85d5a586a32ec6142b301b7e03ac1871587be5ac00fca6cea1680d62262a8656f1b1a4b428567b6baee0c05a35c07c8b9ea09594cb067b64c5
-
C:\Users\Admin\AppData\Local\Temp\yldnat.exe
Filesize 78KB
MD5 bc3c746db1d3f8a821bbdf17ca023450
SHA1 12459c0ef96bde1490b00fc9c6f09d69fbec046f
SHA256 c503a6fbe974e2c177fafffc2f2d9f7c26473909a2ab054e305b0e231c54b785
SHA512 92a0ebed569ede2306b15d12389110016fc45073beca5bd3ff813beda7988a042d1827ddf8b985112c3d606af378dea952962cb601a85e0eafa7d696eaccecf3
-
\Users\Admin\AppData\Local\Temp\yldnat.exe
Filesize 78KB
MD5 bc3c746db1d3f8a821bbdf17ca023450
SHA1 12459c0ef96bde1490b00fc9c6f09d69fbec046f
SHA256 c503a6fbe974e2c177fafffc2f2d9f7c26473909a2ab054e305b0e231c54b785
SHA512 92a0ebed569ede2306b15d12389110016fc45073beca5bd3ff813beda7988a042d1827ddf8b985112c3d606af378dea952962cb601a85e0eafa7d696eaccecf3
-
\Users\Admin\AppData\Local\Temp\yldnat.exe
Filesize 78KB
MD5 bc3c746db1d3f8a821bbdf17ca023450
SHA1 12459c0ef96bde1490b00fc9c6f09d69fbec046f
SHA256 c503a6fbe974e2c177fafffc2f2d9f7c26473909a2ab054e305b0e231c54b785
SHA512 92a0ebed569ede2306b15d12389110016fc45073beca5bd3ff813beda7988a042d1827ddf8b985112c3d606af378dea952962cb601a85e0eafa7d696eaccecf3
-
memory/952-64-0x000000000041F260-mapping.dmp
-
memory/952-69-0x0000000000220000-0x0000000000231000-memory.dmp, Filesize 68KB
-
memory/952-63-0x0000000000400000-0x000000000042B000-memory.dmp, Filesize 172KB
-
memory/952-67-0x0000000000400000-0x000000000042B000-memory.dmp, Filesize 172KB
-
memory/952-68-0x0000000000880000-0x0000000000B83000-memory.dmp, Filesize 3.0MB
-
memory/1220-74-0x0000000000000000-mapping.dmp
-
memory/1268-70-0x0000000006970000-0x0000000006AD2000-memory.dmp, Filesize 1.4MB
-
memory/1268-77-0x0000000004E40000-0x0000000004F28000-memory.dmp, Filesize 928KB
-
memory/1324-71-0x0000000000000000-mapping.dmp
-
memory/1324-72-0x00000000005A0000-0x00000000005C2000-memory.dmp, Filesize 136KB
-
memory/1324-73-0x0000000000070000-0x000000000009B000-memory.dmp, Filesize 172KB
-
memory/1324-75-0x00000000020C0000-0x00000000023C3000-memory.dmp, Filesize 3.0MB
-
memory/1324-76-0x0000000001DF0000-0x0000000001E80000-memory.dmp, Filesize 576KB
-
memory/1964-56-0x0000000000000000-mapping.dmp
-
memory/1992-54-0x0000000075DB1000-0x0000000075DB3000-memory.dmp, Filesize 8KB