Analysis

max time kernel: 148s
max time network: 166s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 29-01-2023 19:10

Static task: static1
Behavioral task: behavioral1
Sample: e4c8d479759c6e189b3fa55159cb4399e47934d39cc3cbd28e2e75ba826ba86a.exe
Resource: win7-20221111-en
General

Target: e4c8d479759c6e189b3fa55159cb4399e47934d39cc3cbd28e2e75ba826ba86a.exe
Size: 206KB
MD5: 5617428ac63756a9a47d7c52603406d4
SHA1: 5bc937e71aa0aab508360370a557f683675dc832
SHA256: e4c8d479759c6e189b3fa55159cb4399e47934d39cc3cbd28e2e75ba826ba86a
SHA512: 25ef32b02505f1f334e4e86a6ef181ba531890219d6662152d71fbef7165e65bcfe84e347ff5f2d418c1c102781b2d6f38da7a84b7559be1a3180e14fbbd254d
SSDEEP: 6144:59X0GvV6IedPyUuHwdkOGlQm52B/qsAs1SZXKyL/Klm:/0SV/Ui4GlQm52NqsAs1SUK7
Malware Config

Extracted
Family: xloader
Version: 2.3
Campaign: siwq
Domains:
pestcontrolcleaning.com
openpandoras.com
timmsoski.com
viva-hair.com
icebergpeakgaming.com
pebblecreatives.com
marydilip.info
ashtonmaker.com
aclarandocafe.com
apibet365.com
maddykellyactor.com
sxtengchi.com
victoriamassage.net
html15.com
bamabailbonding.com
ltknudsen.com
haziee.com
knenglishkor.com
inpolychrome.com
inishcorp.com
maytinhdongbobmt.com
15jizhi.com
freeschoolbd.com
faberlicmaia.com
bostonm.info
ptale.com
cakesinchargecatering.com
shiliujiayi.com
repropservices.com
logics-company.com
joycasino-official-game2.win
xn--fiqp3jvzdn0t5iap16bo92a.com
brastanordic.com
fashionewz.com
shipu208.com
thenavigatorinn.com
blueglobe.productions
hysaty.club
trainwreckdiaries.com
hilltopsducks.com
3055014755.com
highonhomegrownpodcast.com
rockpaperinvest.com
xn--4oqs47atzkdrsc3b.com
unapfbu.icu
itdats.com
ratethisweek.com
chekeetel.com
alexnavarro.digital
qxmasmobi3dmall.com
fengxiongjiaonang.com
trustedbuildingadvisor.com
njmustangs.com
kankansia.com
buoybarriersolutions.com
azazui.com
leeeeskflerstore.store
rusticdesigngifts.com
mdjhh.com
metrocredito.info
bodytherapy.pro
vtnywvebi.club
bluestoneshome.com
sblzc.com
growmyrealty.com
Signatures

Xloader payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/556-67-0x0000000000400000-0x0000000000429000-memory.dmp    xloader
  behavioral1/memory/1920-73-0x0000000000080000-0x00000000000A9000-memory.dmp   xloader
  behavioral1/memory/1920-77-0x0000000000080000-0x00000000000A9000-memory.dmp   xloader

Executes dropped EXE (2 IoCs)
  pid   process
  280   tiv727shx.exe
  556   tiv727shx.exe

Loads dropped DLL (3 IoCs)
  pid   process
  564   e4c8d479759c6e189b3fa55159cb4399e47934d39cc3cbd28e2e75ba826ba86a.exe
  280   tiv727shx.exe
  280   tiv727shx.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                           pid    process         target process
  PID 280 set thread context of 556     280    tiv727shx.exe   tiv727shx.exe
  PID 556 set thread context of 1220    556    tiv727shx.exe   Explorer.EXE
  PID 1920 set thread context of 1220   1920   wlanext.exe     Explorer.EXE

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (32 IoCs)
  pid    process
  280    tiv727shx.exe   (4 entries)
  556    tiv727shx.exe   (2 entries)
  1920   wlanext.exe     (26 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid    process
  1220   Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
  pid    process
  280    tiv727shx.exe
  556    tiv727shx.exe   (3 entries)
  1920   wlanext.exe     (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                pid    process
  Token: SeDebugPrivilege    556    tiv727shx.exe
  Token: SeDebugPrivilege    1920   wlanext.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid    process
  1220   Explorer.EXE   (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
  pid    process
  1220   Explorer.EXE   (2 entries)

Suspicious use of WriteProcessMemory (17 IoCs)
  description                       pid    process                                                                   target process
  PID 564 wrote to memory of 280    564    e4c8d479759c6e189b3fa55159cb4399e47934d39cc3cbd28e2e75ba826ba86a.exe    tiv727shx.exe   (4 entries)
  PID 280 wrote to memory of 556    280    tiv727shx.exe                                                             tiv727shx.exe   (5 entries)
  PID 1220 wrote to memory of 1920  1220   Explorer.EXE                                                              wlanext.exe     (4 entries)
  PID 1920 wrote to memory of 1308  1920   wlanext.exe                                                               cmd.exe         (4 entries)
Processes

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\e4c8d479759c6e189b3fa55159cb4399e47934d39cc3cbd28e2e75ba826ba86a.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\e4c8d479759c6e189b3fa55159cb4399e47934d39cc3cbd28e2e75ba826ba86a.exe"
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\tiv727shx.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\tiv727shx.exe" "C:\Users\Admin\AppData\Local\Temp\olac3zs7jm3rr4i.dll" "C:\Users\Admin\AppData\Local\Temp\jjessap.d"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Local\Temp\tiv727shx.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\tiv727shx.exe" "C:\Users\Admin\AppData\Local\Temp\olac3zs7jm3rr4i.dll" "C:\Users\Admin\AppData\Local\Temp\jjessap.d"
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\autofmt.exe   (8 instances)
        Command line: "C:\Windows\SysWOW64\autofmt.exe"

    [2] C:\Windows\SysWOW64\wlanext.exe
        Command line: "C:\Windows\SysWOW64\wlanext.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: /c del "C:\Users\Admin\AppData\Local\Temp\tiv727shx.exe"
Downloads

C:\Users\Admin\AppData\Local\Temp\jjessap.d
  Filesize: 161KB
  MD5: f0321013d66a05ad984d95f978e4d7e4
  SHA1: 62233a1aad01dc0044c91fa54431ad0110cf9288
  SHA256: 835734f506366a4ee16f26febc1a8dece7df7692e4f1dbc4f1fb6f4a2fbc7027
  SHA512: 56b073d76fb1055547bdbcebe03e6cf287acda67ac05168d75de981fc6c12d8a305a513cc7cb31ed6764f0a02da8b3630a8f71b412f87c4d6947ebaf22a4dd25

C:\Users\Admin\AppData\Local\Temp\olac3zs7jm3rr4i.dll
  Filesize: 12KB
  MD5: 5d58523f0a1d1cf356ae4975bddf6877
  SHA1: 29f74dcdb22286f06d611ac9870729e98fbb3d4c
  SHA256: 88cdd8bb77b8f457d9b2b5a011392d82acdbd848e6440f0563ecf37058d7c554
  SHA512: afee0847e1627f7ccf76fd524867bd486e95c3acf0890e00ca117ef4dfebff71c890478dc20b9fec12b954449842593661e623edf9849b5bee613624cc0be498

C:\Users\Admin\AppData\Local\Temp\tiv727shx.exe
  Filesize: 3KB
  MD5: 2f1d8da9ad48cdefe35d05d56e02e453
  SHA1: 37fb5e77ebe2b30d021bc5a4021efd679de6dd49
  SHA256: 83e70a9a3067a8deb5ec5e472a80d3e5f6d82f90c0b5067c973c3077e43d2ca1
  SHA512: 55c1e8618dad28fa2e40666e9707374604a980ae6791b5b2253d137b77af57fa30a3410da836cdeabee0dd9b3356e7ba53dc113dc13e1016e1f4b74273f2921f

\Users\Admin\AppData\Local\Temp\olac3zs7jm3rr4i.dll
  Filesize: 12KB
  MD5: 5d58523f0a1d1cf356ae4975bddf6877
  SHA1: 29f74dcdb22286f06d611ac9870729e98fbb3d4c
  SHA256: 88cdd8bb77b8f457d9b2b5a011392d82acdbd848e6440f0563ecf37058d7c554
  SHA512: afee0847e1627f7ccf76fd524867bd486e95c3acf0890e00ca117ef4dfebff71c890478dc20b9fec12b954449842593661e623edf9849b5bee613624cc0be498

\Users\Admin\AppData\Local\Temp\tiv727shx.exe
  Filesize: 3KB
  MD5: 2f1d8da9ad48cdefe35d05d56e02e453
  SHA1: 37fb5e77ebe2b30d021bc5a4021efd679de6dd49
  SHA256: 83e70a9a3067a8deb5ec5e472a80d3e5f6d82f90c0b5067c973c3077e43d2ca1
  SHA512: 55c1e8618dad28fa2e40666e9707374604a980ae6791b5b2253d137b77af57fa30a3410da836cdeabee0dd9b3356e7ba53dc113dc13e1016e1f4b74273f2921f
-
Memory dumps

memory/280-56-0x0000000000000000-mapping.dmp
memory/280-65-0x00000000744A0000-0x00000000744A7000-memory.dmp   Filesize: 28KB
memory/556-66-0x0000000000700000-0x0000000000A03000-memory.dmp   Filesize: 3.0MB
memory/556-67-0x0000000000400000-0x0000000000429000-memory.dmp   Filesize: 164KB
memory/556-68-0x0000000000260000-0x0000000000271000-memory.dmp   Filesize: 68KB
memory/556-63-0x000000000041D090-mapping.dmp
memory/564-54-0x0000000075D01000-0x0000000075D03000-memory.dmp   Filesize: 8KB
memory/1220-76-0x0000000004E50000-0x0000000004EEE000-memory.dmp  Filesize: 632KB
memory/1220-69-0x0000000004B80000-0x0000000004C6A000-memory.dmp  Filesize: 936KB
memory/1220-78-0x0000000004E50000-0x0000000004EEE000-memory.dmp  Filesize: 632KB
memory/1308-71-0x0000000000000000-mapping.dmp
memory/1920-74-0x0000000002000000-0x0000000002303000-memory.dmp  Filesize: 3.0MB
memory/1920-73-0x0000000000080000-0x00000000000A9000-memory.dmp  Filesize: 164KB
memory/1920-75-0x0000000001D90000-0x0000000001E20000-memory.dmp  Filesize: 576KB
memory/1920-72-0x0000000000440000-0x0000000000456000-memory.dmp  Filesize: 88KB
memory/1920-77-0x0000000000080000-0x00000000000A9000-memory.dmp  Filesize: 164KB
memory/1920-70-0x0000000000000000-mapping.dmp