Analysis
- max time kernel: 147s
- max time network: 128s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 19-01-2021 07:28

Tasks
- Static task static1
- Behavioral task behavioral1: Sample xPkiX7vwNVqQf9I.exe, Resource win7v20201028
- Behavioral task behavioral2: Sample xPkiX7vwNVqQf9I.exe, Resource win10v20201028
General
- Target: xPkiX7vwNVqQf9I.exe
- Size: 1.1MB
- MD5: 7c551b6169afa66e8966ad53730679ca
- SHA1: d32cecce6d8f4dbe0556ad9fd0fc95f5eae93a56
- SHA256: d087c47135a5a1f2aff88262dab08a447beb3c9a97aa18ee6a60212d81ee21f7
- SHA512: f7652d9621b2d0acc049dfd0a712822b0f81cfc8072652256d9053d1a1193cecf6ad448157423d07bb8426b447eb99cb838f04642579800ea8116bee6711066d
Malware Config
- Extracted family: formbook
- URL: http://www.asicprominer.com/umSa/
Signatures

Xloader Payload (3 IoCs)
  resource                                                                     | yara_rule
  behavioral1/memory/268-6-0x000000000041D060-mapping.dmp                      | xloader
  behavioral1/memory/268-5-0x0000000000400000-0x0000000000429000-memory.dmp    | xloader
  behavioral1/memory/556-14-0x00000000000D0000-0x00000000000F9000-memory.dmp   | xloader

Deletes itself (1 IoC)
  pid | process
  952 | cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                          | pid  | process               | target process
  PID 1076 set thread context of 268   | 1076 | xPkiX7vwNVqQf9I.exe   | xPkiX7vwNVqQf9I.exe
  PID 268 set thread context of 1256   | 268  | xPkiX7vwNVqQf9I.exe   | Explorer.EXE
  PID 556 set thread context of 1256   | 556  | rundll32.exe          | Explorer.EXE

Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid  | process               | count
  1076 | xPkiX7vwNVqQf9I.exe   | 1
  268  | xPkiX7vwNVqQf9I.exe   | 2
  556  | rundll32.exe          | 4

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid  | process               | count
  268  | xPkiX7vwNVqQf9I.exe   | 3
  556  | rundll32.exe          | 2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description               | pid  | process
  Token: SeDebugPrivilege   | 1076 | xPkiX7vwNVqQf9I.exe
  Token: SeDebugPrivilege   | 268  | xPkiX7vwNVqQf9I.exe
  Token: SeDebugPrivilege   | 556  | rundll32.exe

Suspicious use of WriteProcessMemory (28 IoCs)
  description                          | pid  | process               | target process        | count
  PID 1076 wrote to memory of 396      | 1076 | xPkiX7vwNVqQf9I.exe   | xPkiX7vwNVqQf9I.exe   | 7
  PID 1076 wrote to memory of 268      | 1076 | xPkiX7vwNVqQf9I.exe   | xPkiX7vwNVqQf9I.exe   | 10
  PID 1256 wrote to memory of 556      | 1256 | Explorer.EXE          | rundll32.exe          | 7
  PID 556 wrote to memory of 952       | 556  | rundll32.exe          | cmd.exe               | 4
Processes (process tree; indentation shows parent/child depth)

1. C:\Windows\Explorer.EXE  (PID 1256)
   command line: C:\Windows\Explorer.EXE
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\xPkiX7vwNVqQf9I.exe  (PID 1076)
      command line: "C:\Users\Admin\AppData\Local\Temp\xPkiX7vwNVqQf9I.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\xPkiX7vwNVqQf9I.exe  (PID 396)
         command line: "C:\Users\Admin\AppData\Local\Temp\xPkiX7vwNVqQf9I.exe"

      3. C:\Users\Admin\AppData\Local\Temp\xPkiX7vwNVqQf9I.exe  (PID 268)
         command line: "C:\Users\Admin\AppData\Local\Temp\xPkiX7vwNVqQf9I.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\rundll32.exe  (PID 556)
      command line: "C:\Windows\SysWOW64\rundll32.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe  (PID 952)
         command line: /c del "C:\Users\Admin\AppData\Local\Temp\xPkiX7vwNVqQf9I.exe"
         - Deletes itself
Network
MITRE ATT&CK Matrix
Downloads
  file                                                            | Filesize
  memory/268-9-0x00000000001F0000-0x0000000000201000-memory.dmp   | 68KB
  memory/268-5-0x0000000000400000-0x0000000000429000-memory.dmp   | 164KB
  memory/268-8-0x0000000000A40000-0x0000000000D43000-memory.dmp   | 3.0MB
  memory/268-6-0x000000000041D060-mapping.dmp                     | -
  memory/556-11-0x0000000000000000-mapping.dmp                    | -
  memory/556-13-0x0000000000BF0000-0x0000000000BFE000-memory.dmp  | 56KB
  memory/556-14-0x00000000000D0000-0x00000000000F9000-memory.dmp  | 164KB
  memory/556-16-0x00000000021A0000-0x00000000024A3000-memory.dmp  | 3.0MB
  memory/556-17-0x0000000000B60000-0x0000000000BF0000-memory.dmp  | 576KB
  memory/952-15-0x0000000000000000-mapping.dmp                    | -
  memory/1076-4-0x0000000000411000-0x0000000000412000-memory.dmp  | 4KB
  memory/1076-3-0x0000000000410000-0x0000000000411000-memory.dmp  | 4KB
  memory/1076-2-0x0000000075711000-0x0000000075713000-memory.dmp  | 8KB
  memory/1256-10-0x0000000006B10000-0x0000000006C8B000-memory.dmp | 1.5MB