Analysis
Max time kernel: 108s
Max time network: 12s
Platform: windows7_x64
Resource: win7v20210408
Submitted: 20-04-2021 12:12
Static task: static1
Behavioral task: behavioral1
Sample: 6eef942a79d429f3b78cbc803ecb9ea9.exe
Resource: win7v20210408
General
Target: 6eef942a79d429f3b78cbc803ecb9ea9.exe
Size: 891KB
MD5: 6eef942a79d429f3b78cbc803ecb9ea9
SHA1: 550109e8e745944617412936482670bd7d093c85
SHA256: cdaacff5e2118313479b5e8975d191e71731c2bb1646a4ee5bbf0adf22d86450
SHA512: 34d924a1a54bc4b9cfacb4be3c1d4f00d346868b28e767c92ffa1c9a5b2558bf6d36803ce5c7e4fe8f01517f1c7b07637dee3e96df85e7fcee6958f9446bfb08
Malware Config
Extracted
Family: xloader
Version: 2.3
C2: http://www.autotrafficbot.com/evpn/
Decoy domains:
memoriesmade-l.com
babypowah.com
usinggroovefunnels.com
qapjv.com
kp031.com
kinfet.com
markmalls.com
keithforemandesigns.com
fydia.com
jesussaysalllivesmatter.com
sarachavesportela.com
standerup.com
monthlywifi.com
productsoffholland.com
newbieadvice.com
globalnetworkautomation.com
theholisticbirthco.com
physicalrobot.com
thesouthernhomesellers.com
teamcounteract.com
icomplementi.com
jsmsheetmetal.com
jcernadas.com
del-tekzen.com
alekseeva-center.info
arunkapur.com
gregismyrealestateagent.com
soalfintech.com
notrecondourbania.com
alum2alum.network
gototaku.com
moneymakeideas.com
dbdcontractlngllc.com
tor-one.com
walgreenlitigation.com
votestephaniezarb.com
washathome.club
zhuledao.com
sonyjewls.com
oncologyacademe.com
kuppers.info
cgpizza.net
glgshopbd.com
dodson4tulare.com
mishtifarmers.com
a1-2c.com
oligan-gs.com
countrysidehomeinvestors.com
bpro.swiss
fodiyo.com
playelementsgame.com
melhorquesantander.com
jamessicilia.com
abundancewithmelissaharvey.com
vatandoost.com
curiosityisthecurebook.com
o8y8.com
de-knutselkeet.com
advisorsonecall.com
homerangeopen.com
brusselsdesignproject.com
0449888.com
psychicsjaneholden.com
b-sphere.com
Signatures

Xloader Payload (2 IoCs)
Resource | YARA rule
behavioral1/memory/1188-67-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral1/memory/1188-68-0x000000000041D0C0-mapping.dmp | xloader

Suspicious use of SetThreadContext (1 IoC)
Description | PID | Process | Target process
PID 1632 set thread context of 1188 | 1632 | 6eef942a79d429f3b78cbc803ecb9ea9.exe | 6eef942a79d429f3b78cbc803ecb9ea9.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
PID | Process
1632 | 6eef942a79d429f3b78cbc803ecb9ea9.exe
1632 | 6eef942a79d429f3b78cbc803ecb9ea9.exe
1188 | 6eef942a79d429f3b78cbc803ecb9ea9.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Description | PID | Process
Token: SeDebugPrivilege | 1632 | 6eef942a79d429f3b78cbc803ecb9ea9.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Description | PID | Process | Target process
PID 1632 wrote to memory of 1188 | 1632 | 6eef942a79d429f3b78cbc803ecb9ea9.exe | 6eef942a79d429f3b78cbc803ecb9ea9.exe
PID 1632 wrote to memory of 1188 | 1632 | 6eef942a79d429f3b78cbc803ecb9ea9.exe | 6eef942a79d429f3b78cbc803ecb9ea9.exe
PID 1632 wrote to memory of 1188 | 1632 | 6eef942a79d429f3b78cbc803ecb9ea9.exe | 6eef942a79d429f3b78cbc803ecb9ea9.exe
PID 1632 wrote to memory of 1188 | 1632 | 6eef942a79d429f3b78cbc803ecb9ea9.exe | 6eef942a79d429f3b78cbc803ecb9ea9.exe
PID 1632 wrote to memory of 1188 | 1632 | 6eef942a79d429f3b78cbc803ecb9ea9.exe | 6eef942a79d429f3b78cbc803ecb9ea9.exe
PID 1632 wrote to memory of 1188 | 1632 | 6eef942a79d429f3b78cbc803ecb9ea9.exe | 6eef942a79d429f3b78cbc803ecb9ea9.exe
PID 1632 wrote to memory of 1188 | 1632 | 6eef942a79d429f3b78cbc803ecb9ea9.exe | 6eef942a79d429f3b78cbc803ecb9ea9.exe
Processes

1. Path: C:\Users\Admin\AppData\Local\Temp\6eef942a79d429f3b78cbc803ecb9ea9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6eef942a79d429f3b78cbc803ecb9ea9.exe"
   PID: 1632
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. (child of PID 1632) Path: C:\Users\Admin\AppData\Local\Temp\6eef942a79d429f3b78cbc803ecb9ea9.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\6eef942a79d429f3b78cbc803ecb9ea9.exe"
      PID: 1188
      - Suspicious behavior: EnumeratesProcesses