Analysis
max time kernel: 149s
max time network: 152s
platform: windows10_x64
resource: win10v20201028
submitted: 04-03-2021 18:19
Behavioral task: behavioral1
Sample: 48c9e4c8_extracted.exe
Resource: win7v20201028
General
Target: 48c9e4c8_extracted.exe
Size: 160KB
MD5: d1a9b9e29edfb6ddefa1fe00e9486f6e
SHA1: 4f8484df9b6ef4b54fbd7ebd882e10a155bc87f2
SHA256: bc68f1c3e90d38b089534333bded35a4c736b1d18bce2b2fe151a46a53ca390d
SHA512: 3e87c8b6cac73fc46387891bda1c58d5ba0d3bee26f8c66eecbe4af976c5b8bd9c6b5bc3898743ebd488bf930077d3f310ac606c6332e120914ebb454274c4a0
Malware Config
Extracted family: xloader
Signatures

Xloader Payload (1 IoC)
Processes (resource | yara_rule):
- behavioral2/memory/580-7-0x0000000000390000-0x00000000003B8000-memory.dmp | xloader

Suspicious use of SetThreadContext (2 IoCs)
Processes (description | pid | process | target process):
- PID 1140 set thread context of 3012 | 1140 | 48c9e4c8_extracted.exe | Explorer.EXE
- PID 580 set thread context of 3012 | 580 | cmmon32.exe | Explorer.EXE

Modifies registry class (2 IoCs)
Processes (description | ioc | process):
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | Explorer.EXE
- Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | Explorer.EXE

Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes (pid | process | entries):
- 1140 | 48c9e4c8_extracted.exe | 4
- 580 | cmmon32.exe | 56

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes (pid | process | entries):
- 1140 | 48c9e4c8_extracted.exe | 3
- 580 | cmmon32.exe | 2

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes (description | pid | process):
- Token: SeDebugPrivilege | 1140 | 48c9e4c8_extracted.exe
- Token: SeShutdownPrivilege | 3012 | Explorer.EXE
- Token: SeCreatePagefilePrivilege | 3012 | Explorer.EXE
- Token: SeShutdownPrivilege | 3012 | Explorer.EXE
- Token: SeCreatePagefilePrivilege | 3012 | Explorer.EXE
- Token: SeDebugPrivilege | 580 | cmmon32.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid | process | entries):
- 3012 | Explorer.EXE | 2

Suspicious use of SendNotifyMessage (2 IoCs)
Processes (pid | process | entries):
- 3012 | Explorer.EXE | 2

Suspicious use of UnmapMainImage (1 IoC)
Processes (pid | process | entries):
- 3012 | Explorer.EXE | 1

Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description | pid | process | target process | entries):
- PID 3012 wrote to memory of 580 | 3012 | Explorer.EXE | cmmon32.exe | 3
- PID 580 wrote to memory of 2900 | 580 | cmmon32.exe | cmd.exe | 3
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\48c9e4c8_extracted.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\48c9e4c8_extracted.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmmon32.exe
    Command line: "C:\Windows\SysWOW64\cmmon32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\48c9e4c8_extracted.exe"
Downloads
- memory/580-5-0x0000000000000000-mapping.dmp
- memory/580-6-0x0000000001020000-0x000000000102C000-memory.dmp (Filesize: 48KB)
- memory/580-7-0x0000000000390000-0x00000000003B8000-memory.dmp (Filesize: 160KB)
- memory/580-8-0x00000000045D0000-0x00000000048F0000-memory.dmp (Filesize: 3.1MB)
- memory/580-10-0x0000000000E90000-0x0000000000F1F000-memory.dmp (Filesize: 572KB)
- memory/1140-2-0x0000000001270000-0x0000000001590000-memory.dmp (Filesize: 3.1MB)
- memory/1140-3-0x00000000009D0000-0x00000000009E0000-memory.dmp (Filesize: 64KB)
- memory/2900-9-0x0000000000000000-mapping.dmp
- memory/3012-4-0x00000000052B0000-0x00000000053C6000-memory.dmp (Filesize: 1.1MB)
- memory/3012-11-0x0000000006180000-0x00000000062A3000-memory.dmp (Filesize: 1.1MB)