Analysis
- Max time kernel: 147s
- Max time network: 151s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 14-05-2022 14:49
- Static task: static1
General
- Target: tmp.exe
- Size: 257KB
- MD5: de76ef6a11a63efc00b0303888bc0b7f
- SHA1: 7ab24456a49f6b61bc54d20a4d9c0b84f3ae696b
- SHA256: fc6ebe8bc215a292bb3df340a84350ceb2be7187efc8e10381235cfa8d82f734
- SHA512: 51a5cf0f640d922ec0d8bf5ba3fcc06b6278e3ac45f07190710c5055a23102a614443641d8b6617775d5a786ccb1e9d10404dfa0e146e6c8ec3481c616214d99
Malware Config
Extracted
- Family: xloader
- Version: 2.6
- Campaign: nc39
- Domains (one per line):
bohicaapparel.com
chilliesofwoodstock.com
szcipa.com
nirmalaswagruhafoods.com
orbitas.online
bjvxx.com
atomvpn.site
thecanvacoach.com
thewhitelounge.com
trwebz.xyz
yiwanggkm.com
maggiceden-io.com
kimyanindelisi.online
xn--e02b19uo0j.com
kaola74.top
klcsales.net
renacerdevteam.com
talkmoor.com
seobusinesslistings.com
contractornurd.com
wolksquit.com
hamiltonspringfield.com
skinclash.com
d-web.net
tige03.xyz
thereeldecoy.com
dutyapparel.com
vicentedotorarquitectos.com
bensdrywall.com
domainnetwoks.com
incorrectbenevolence.com
ramvadher.space
dbluvt.xyz
laps-clicks.com
thewattelectric.com
fogpromo.com
ibcfitting.com
get25000today.com
do-hobbies-indoors.com
marmagdistribuciones.com
newworldtongpaihotels.net
3astratford.com
tocarrythemessage.com
57shasha.club
117colgett.com
captainnoclue.com
rapejesus.site
grandas-svoboda.com
apartmentpermis.com
greatco.biz
joneswoodworks.com
lilatoons.com
banalto.com
caycilargida.online
gangez.com
tw-life.net
treasuresofjudaica.com
monin.one
earthdefense.global
troolygood.com
eafc.tech
southcarolinawire.xyz
designstatussupport.com
moorblaque.com
arjimni.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload (3 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/2588-136-0x0000000000400000-0x000000000042B000-memory.dmp   xloader
  behavioral2/memory/2588-139-0x0000000000400000-0x000000000042B000-memory.dmp   xloader
  behavioral2/memory/4552-145-0x00000000010D0000-0x00000000010FB000-memory.dmp   xloader

Executes dropped EXE (2 IoCs)
  pid    process
  4784   yldnat.exe
  2588   yldnat.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                            pid    process        target process
  PID 4784 set thread context of 2588    4784   yldnat.exe     yldnat.exe
  PID 2588 set thread context of 2560    2588   yldnat.exe     Explorer.EXE
  PID 4552 set thread context of 2560    4552   raserver.exe   Explorer.EXE

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (2 IoCs)
  description   ioc                                                                                                                  process
  Key created   \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\                            Explorer.EXE
  Key created   \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\   Explorer.EXE

Suspicious behavior: EnumeratesProcesses (60 IoCs)
  pid    process        occurrences
  2588   yldnat.exe     4
  4552   raserver.exe   56

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid    process
  2560   Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid    process        occurrences
  2588   yldnat.exe     3
  4552   raserver.exe   2

Suspicious use of AdjustPrivilegeToken (10 IoCs)
  description                          pid    process        occurrences
  Token: SeDebugPrivilege              2588   yldnat.exe     1
  Token: SeDebugPrivilege              4552   raserver.exe   1
  Token: SeShutdownPrivilege           2560   Explorer.EXE   4
  Token: SeCreatePagefilePrivilege     2560   Explorer.EXE   4

Suspicious use of WriteProcessMemory (15 IoCs)
  description                          pid    process        target process   occurrences
  PID 3212 wrote to memory of 4784     3212   tmp.exe        yldnat.exe       3
  PID 4784 wrote to memory of 2588     4784   yldnat.exe     yldnat.exe       6
  PID 2560 wrote to memory of 4552     2560   Explorer.EXE   raserver.exe     3
  PID 4552 wrote to memory of 1368     4552   raserver.exe   cmd.exe          3
Processes
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\tmp.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\yldnat.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\yldnat.exe C:\Users\Admin\AppData\Local\Temp\boswagvgna
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\yldnat.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\yldnat.exe C:\Users\Admin\AppData\Local\Temp\boswagvgna
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\raserver.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\raserver.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\yldnat.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\boswagvgna
  Filesize: 5KB
  MD5: d4aa661b180df0d15bb6d0dc8342b8ba
  SHA1: 07310f7d0c29cd6a18ae1174578f61b08e2ba844
  SHA256: e12b146fd62913d6650fcaf490cf973008929e47fd247cb3bd75b6e854cfdd89
  SHA512: b423c31088ce987d77ccb2ecfb055674868dd34a995cca1c5afff3ca6f2bfea0c64037d68132c43735140651cd550507773012c23f142f04b3de984fd4dab39a
- C:\Users\Admin\AppData\Local\Temp\l4nnhna3wvu7agf
  Filesize: 170KB
  MD5: 0b70240f412d375469a67f4e364e6edd
  SHA1: 877d66cbfff0712d91ed65c7545577729b34cb1a
  SHA256: daae8081effed8bb74d40479d2264d791a8539f1ed8565438640ee6681d5dc64
  SHA512: c6980e41d2ea0d85d5a586a32ec6142b301b7e03ac1871587be5ac00fca6cea1680d62262a8656f1b1a4b428567b6baee0c05a35c07c8b9ea09594cb067b64c5
- C:\Users\Admin\AppData\Local\Temp\yldnat.exe (listed three times in the report with identical hashes)
  Filesize: 78KB
  MD5: bc3c746db1d3f8a821bbdf17ca023450
  SHA1: 12459c0ef96bde1490b00fc9c6f09d69fbec046f
  SHA256: c503a6fbe974e2c177fafffc2f2d9f7c26473909a2ab054e305b0e231c54b785
  SHA512: 92a0ebed569ede2306b15d12389110016fc45073beca5bd3ff813beda7988a042d1827ddf8b985112c3d606af378dea952962cb601a85e0eafa7d696eaccecf3

Memory dumps
- memory/1368-147-0x0000000000000000-mapping.dmp
- memory/2560-142-0x0000000002990000-0x0000000002A4B000-memory.dmp (Filesize: 748KB)
- memory/2560-149-0x0000000002DA0000-0x0000000002E5D000-memory.dmp (Filesize: 756KB)
- memory/2588-139-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
- memory/2588-140-0x0000000001100000-0x000000000144A000-memory.dmp (Filesize: 3MB)
- memory/2588-141-0x0000000000D50000-0x0000000000D61000-memory.dmp (Filesize: 68KB)
- memory/2588-136-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
- memory/2588-135-0x0000000000000000-mapping.dmp
- memory/4552-143-0x0000000000000000-mapping.dmp
- memory/4552-144-0x0000000000130000-0x000000000014F000-memory.dmp (Filesize: 124KB)
- memory/4552-145-0x00000000010D0000-0x00000000010FB000-memory.dmp (Filesize: 172KB)
- memory/4552-146-0x0000000003000000-0x000000000334A000-memory.dmp (Filesize: 3MB)
- memory/4552-148-0x0000000002E30000-0x0000000002EC0000-memory.dmp (Filesize: 576KB)
- memory/4784-130-0x0000000000000000-mapping.dmp