Analysis
- Max time kernel: 127s
- Max time network: 130s
- Platform: windows10-2004_x64
- Resource: win10v2004-20221111-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 20-01-2023 18:15
- Static task: static1
- Behavioral task: behavioral1
- Sample: 7d53754fb2eb6479e9d71d07036133421f4d153ec252873c7beeb619f762a90f.exe
- Resource: win7-20221111-en
General
- Target: 7d53754fb2eb6479e9d71d07036133421f4d153ec252873c7beeb619f762a90f.exe
- Size: 226KB
- MD5: 403a0ec6b998f324dda677547ac8ec79
- SHA1: 2e9fcc41db347d053ec58de6881527a9f529edef
- SHA256: 7d53754fb2eb6479e9d71d07036133421f4d153ec252873c7beeb619f762a90f
- SHA512: 0608941d064e2e3121ee4a02dba4f486ba7c997b14405b2e6d63102566bb65fbc242bb25ef424b5f1ddf07e7bc7e8226b916a00e85fc6d8d2408e966cbeb891b
- SSDEEP: 3072:qyiLF8DnmJpNG/f90oL1yq8ogAQLxLmqjPXrxgUuUj14xy9WmfvuuWlAqXJeDg+P:qGV/l0oL1TToMqTVgfUs8efDJe81aL9f
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: dx3n
- Decoy domains:
  polebear.xyz
  luciamoca.com
  185451.com
  bookfriendspodcast.net
  reliancetechsolutions.com
  wuzuiso.com
  ig-representative.com
  ryotaohno.com
  wlnhcl.com
  oasispoolth.com
  fo71.com
  storyandidentity.com
  sayarpro.com
  arrow-electronics-corps.net
  brasbux.com
  nigeriaafricasummit.com
  choud.store
  medicareopenenrollment.info
  amlhcz.com
  fdklflkdioerklfdke.store
  andreanieblas.com
  whhsdzyl.com
  millionistabruja.com
  treeteescoop.com
  taob518.com
  wasjesusmarried.net
  travisleecontracting.com
  wearemarinemarine.com
  hallywoodfire.com
  girotonix.space
  dietnow3.info
  water07.com
  girlnextdoorlashes.com
  healthoffword.xyz
  picketfenceboutique.com
  coobons.com
  johnfrenchart.com
  xn--snabbtkrkortonline-j3b.com
  silkyskin.one
  mskstyle777.store
  themetamorfose.com
  psd2reality.com
  04htt.xyz
  report-help-session.com
  huaxiayinshua.com
  twinklylight.com
  wrightpurpose.com
  customsurfacescanada.com
  ed1tconsulting.com
  genesisfoundry.com
  xxsq.net
  hsncsoft.com
  rfreilly.com
  launchyourplffunnel.com
  minjunsa.com
  metaverseedtech.com
  lens-experts.com
  butikhira.xyz
  onlinedatingoftallahassee.com
  newarkroofingcontractor.com
  jo1ntodaya.info
  criticalequipmentservices.com
  defence.group
  appcast-60.com
  iexiufu.net
Signatures

Xloader payload (4 IoCs)
Memory regions matching the xloader YARA rule:
- behavioral2/memory/628-138-0x0000000000400000-0x0000000000429000-memory.dmp
- behavioral2/memory/628-141-0x0000000000400000-0x0000000000429000-memory.dmp
- behavioral2/memory/3152-148-0x0000000000CD0000-0x0000000000CF9000-memory.dmp
- behavioral2/memory/3152-151-0x0000000000CD0000-0x0000000000CF9000-memory.dmp

Executes dropped EXE (2 IoCs)
- PID 4792: rcviyqs.exe
- PID 628: rcviyqs.exe

Suspicious use of SetThreadContext (3 IoCs)
- PID 4792 (rcviyqs.exe) set thread context of PID 628 (rcviyqs.exe)
- PID 628 (rcviyqs.exe) set thread context of PID 2080 (Explorer.EXE)
- PID 3152 (chkdsk.exe) set thread context of PID 2080 (Explorer.EXE)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Enumerates system info in registry (2 TTPs, 1 IoC)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier by chkdsk.exe

Suspicious behavior: EnumeratesProcesses (52 IoCs)
- PID 628: rcviyqs.exe (4 entries)
- PID 3152: chkdsk.exe (48 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 2080: Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
- PID 628: rcviyqs.exe (3 entries)
- PID 3152: chkdsk.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 628 (rcviyqs.exe)
- Token: SeDebugPrivilege, PID 3152 (chkdsk.exe)

Suspicious use of WriteProcessMemory (15 IoCs)
- PID 2016 (7d53754fb2eb6479e9d71d07036133421f4d153ec252873c7beeb619f762a90f.exe) wrote to memory of PID 4792 (rcviyqs.exe), 3 entries
- PID 4792 (rcviyqs.exe) wrote to memory of PID 628 (rcviyqs.exe), 6 entries
- PID 2080 (Explorer.EXE) wrote to memory of PID 3152 (chkdsk.exe), 3 entries
- PID 3152 (chkdsk.exe) wrote to memory of PID 1704 (cmd.exe), 3 entries
Processes

- [1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  - [2] C:\Users\Admin\AppData\Local\Temp\7d53754fb2eb6479e9d71d07036133421f4d153ec252873c7beeb619f762a90f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7d53754fb2eb6479e9d71d07036133421f4d153ec252873c7beeb619f762a90f.exe"
    - Suspicious use of WriteProcessMemory

    - [3] C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe C:\Users\Admin\AppData\Local\Temp\zdjjwjv
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      - [4] C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe C:\Users\Admin\AppData\Local\Temp\zdjjwjv
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  - [2] C:\Windows\SysWOW64\chkdsk.exe
    Command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\1ywlrkxvvx812p0hw00x
  Filesize: 163KB
  MD5: 4ed69a3c1f8ab690c2a2dca2afc8dded
  SHA1: e39266fec1bb13a856a02f63a94ad0cbb5835379
  SHA256: 5ad0d54e33047f593130a63ba5b4d045b843de968c2ab09b3eab4b648b362901
  SHA512: 6d8a1f0b90e37f2bac77c07802c78524a26a9ac224f86ae6a06f6feef4b80752ae42eca728a8f0bdeb5a2b108c545f998f31d1ed0bd05176e6f94de88980cb34

- C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe
  Filesize: 56KB
  MD5: ca62620c3ef481629e95d16ed9ae0017
  SHA1: 4d2d3489edefc06534adcf79baba5b8444a12767
  SHA256: 071720955930988f96661616b256eff1bda2b181ca5b89638782134fc35c6de6
  SHA512: cfd026d7ff3c5f78232de23379158421005e9d24415baf808e11f14b283ebb46e34f12c11694db9f1f77ff7535043b7e9f373a08e1813ea400f5081d66bc2cc6

- C:\Users\Admin\AppData\Local\Temp\zdjjwjv
  Filesize: 5KB
  MD5: f6fed7693ed7d2d12d67639bcc14bc81
  SHA1: c102b969911458ab547ff88a2f6bed088306621b
  SHA256: 60471f688a14618266cc6e77046711aad55d1679fea88170fd9250e1c24b59fc
  SHA512: 911c596347be043945d2670d7b66bd3d5a3885fe068c8cd19c5f5ed110d942630d91d992147f5fc9482043ab913ffcee29b9a83573dde8330ddb702ef3e50294

- memory/628-143-0x00000000017E0000-0x00000000017F1000-memory.dmp
  Filesize: 68KB

- memory/628-137-0x0000000000000000-mapping.dmp

- memory/628-141-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB

- memory/628-142-0x0000000001800000-0x0000000001B4A000-memory.dmp
  Filesize: 3.3MB

- memory/628-138-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB

- memory/1704-146-0x0000000000000000-mapping.dmp

- memory/2080-152-0x0000000003310000-0x00000000033F1000-memory.dmp
  Filesize: 900KB

- memory/2080-153-0x0000000003310000-0x00000000033F1000-memory.dmp
  Filesize: 900KB

- memory/2080-144-0x0000000008AE0000-0x0000000008C25000-memory.dmp
  Filesize: 1.3MB

- memory/3152-145-0x0000000000000000-mapping.dmp

- memory/3152-148-0x0000000000CD0000-0x0000000000CF9000-memory.dmp
  Filesize: 164KB

- memory/3152-149-0x00000000014D0000-0x000000000181A000-memory.dmp
  Filesize: 3.3MB

- memory/3152-150-0x0000000001300000-0x0000000001390000-memory.dmp
  Filesize: 576KB

- memory/3152-151-0x0000000000CD0000-0x0000000000CF9000-memory.dmp
  Filesize: 164KB

- memory/3152-147-0x0000000000200000-0x000000000020A000-memory.dmp
  Filesize: 40KB

- memory/4792-132-0x0000000000000000-mapping.dmp