Analysis
-
max time kernel
152s -
max time network
150s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
06-05-2021 14:04
Static task
static1
Behavioral task
behavioral1
Sample
tgix.exe
Resource
win7v20210408
General
-
Target
tgix.exe
-
Size
1.1MB
-
MD5
2e3f9f38f7cb188b1f25028061c75724
-
SHA1
6fcc9441c9738e854d38e21a92a2a211049dc612
-
SHA256
b356ada562e3300d6a94806979b8920abbae8b40ff9ce89b5f5c2a10e0f970b0
-
SHA512
046ccf12497f5a63a1033b83ecd0a390e1eb088d9bcb5636163b1bb4b5d4a1b04532c7497a27a18b01a6a70739bb72b211376e99bb3b5572a7ba83766ab75550
Malware Config
Extracted
xloader
2.3
http://www.liancaiwangv5.com/oerg/
brightly-common.com
petwellness.pet
oldhamluxury.com
cmpembroidery.com
physicalrobot.com
irynazumba.com
testyourself11.com
theblacksportswoman.com
mottestertraining.agency
confrontinghate.info
tamiigun.com
pod14.club
implementnowsolutions.net
letsdance.website
cashforkeysdz.net
grupoprotecsasac.com
kol-lek-tiv.net
funeralhomesmaroail.com
lwfunding.com
junkglobal.com
planbeee.com
cloudfoodz.com
jalilvandconsulting.com
dsheatpumps.com
loisirdefense.com
kitchensavershop.com
smarthealthubclub.com
happyupa.com
hellonetworker.com
sparkyspizzaor.com
avenew.pro
onlineregular.com
lateliersensible.com
nhietluyen.com
magicclass.ltd
cactusrootspalmsprings.com
bodascivileshouston.com
manicolada.com
tabernacleenterprise.com
pbpurchase.com
senmec23.com
assetnj.com
eveningtaxservice.com
gufobardo.com
ertcfdg.xyz
sky-odhner.com
ventures-sellers.com
anquanbx.com
proteccare.com
imprussts.com
solentplanning.com
eskisla.com
sparktheblogbycirque.com
retailala.com
freeglobe.life
business247.space
rentwithdex.com
clipsq.com
taratakeson.com
mkdepannage.run
kjfdjdjkfkjejfdre.com
fayd000.icu
freejobsalertpk.com
innovision3d.com
Signatures
-
Xloader Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1504-63-0x0000000000400000-0x0000000000428000-memory.dmp xloader behavioral1/memory/1504-64-0x000000000041D050-mapping.dmp xloader behavioral1/memory/372-72-0x0000000000080000-0x00000000000A8000-memory.dmp xloader -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1468 cmd.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
tgix.exetgix.execmmon32.exedescription pid process target process PID 1840 set thread context of 1504 1840 tgix.exe tgix.exe PID 1504 set thread context of 1200 1504 tgix.exe Explorer.EXE PID 372 set thread context of 1200 372 cmmon32.exe Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
tgix.execmmon32.exepid process 1504 tgix.exe 1504 tgix.exe 372 cmmon32.exe 372 cmmon32.exe 372 cmmon32.exe 372 cmmon32.exe 372 cmmon32.exe 372 cmmon32.exe 372 cmmon32.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
tgix.execmmon32.exepid process 1504 tgix.exe 1504 tgix.exe 1504 tgix.exe 372 cmmon32.exe 372 cmmon32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
tgix.execmmon32.exedescription pid process Token: SeDebugPrivilege 1504 tgix.exe Token: SeDebugPrivilege 372 cmmon32.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
tgix.exeExplorer.EXEcmmon32.exedescription pid process target process PID 1840 wrote to memory of 1504 1840 tgix.exe tgix.exe PID 1840 wrote to memory of 1504 1840 tgix.exe tgix.exe PID 1840 wrote to memory of 1504 1840 tgix.exe tgix.exe PID 1840 wrote to memory of 1504 1840 tgix.exe tgix.exe PID 1840 wrote to memory of 1504 1840 tgix.exe tgix.exe PID 1840 wrote to memory of 1504 1840 tgix.exe tgix.exe PID 1840 wrote to memory of 1504 1840 tgix.exe tgix.exe PID 1200 wrote to memory of 372 1200 Explorer.EXE cmmon32.exe PID 1200 wrote to memory of 372 1200 Explorer.EXE cmmon32.exe PID 1200 wrote to memory of 372 1200 Explorer.EXE cmmon32.exe PID 1200 wrote to memory of 372 1200 Explorer.EXE cmmon32.exe PID 372 wrote to memory of 1468 372 cmmon32.exe cmd.exe PID 372 wrote to memory of 1468 372 cmmon32.exe cmd.exe PID 372 wrote to memory of 1468 372 cmmon32.exe cmd.exe PID 372 wrote to memory of 1468 372 cmmon32.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tgix.exe"C:\Users\Admin\AppData\Local\Temp\tgix.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tgix.exe"C:\Users\Admin\AppData\Local\Temp\tgix.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmmon32.exe"C:\Windows\SysWOW64\cmmon32.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\tgix.exe"3⤵
- Deletes itself
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/372-69-0x0000000000000000-mapping.dmp
-
memory/372-75-0x0000000000A60000-0x0000000000AEF000-memory.dmpFilesize
572KB
-
memory/372-73-0x0000000002300000-0x0000000002603000-memory.dmpFilesize
3.0MB
-
memory/372-72-0x0000000000080000-0x00000000000A8000-memory.dmpFilesize
160KB
-
memory/372-71-0x0000000000EF0000-0x0000000000EFD000-memory.dmpFilesize
52KB
-
memory/1200-76-0x0000000006130000-0x00000000061F5000-memory.dmpFilesize
788KB
-
memory/1200-68-0x0000000004A30000-0x0000000004B6D000-memory.dmpFilesize
1.2MB
-
memory/1468-70-0x0000000000000000-mapping.dmp
-
memory/1504-63-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/1504-67-0x0000000000080000-0x0000000000090000-memory.dmpFilesize
64KB
-
memory/1504-66-0x0000000000850000-0x0000000000B53000-memory.dmpFilesize
3.0MB
-
memory/1504-64-0x000000000041D050-mapping.dmp
-
memory/1840-60-0x00000000757C1000-0x00000000757C3000-memory.dmpFilesize
8KB
-
memory/1840-62-0x0000000000C51000-0x0000000000C52000-memory.dmpFilesize
4KB
-
memory/1840-61-0x0000000000C50000-0x0000000000C51000-memory.dmpFilesize
4KB