Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
06-05-2021 14:04
Static task
static1
Behavioral task
behavioral1
Sample
tgix.exe
Resource
win7v20210408
General
-
Target
tgix.exe
-
Size
1.1MB
-
MD5
2e3f9f38f7cb188b1f25028061c75724
-
SHA1
6fcc9441c9738e854d38e21a92a2a211049dc612
-
SHA256
b356ada562e3300d6a94806979b8920abbae8b40ff9ce89b5f5c2a10e0f970b0
-
SHA512
046ccf12497f5a63a1033b83ecd0a390e1eb088d9bcb5636163b1bb4b5d4a1b04532c7497a27a18b01a6a70739bb72b211376e99bb3b5572a7ba83766ab75550
Malware Config
Extracted
xloader
2.3
http://www.liancaiwangv5.com/oerg/
brightly-common.com
petwellness.pet
oldhamluxury.com
cmpembroidery.com
physicalrobot.com
irynazumba.com
testyourself11.com
theblacksportswoman.com
mottestertraining.agency
confrontinghate.info
tamiigun.com
pod14.club
implementnowsolutions.net
letsdance.website
cashforkeysdz.net
grupoprotecsasac.com
kol-lek-tiv.net
funeralhomesmaroail.com
lwfunding.com
junkglobal.com
planbeee.com
cloudfoodz.com
jalilvandconsulting.com
dsheatpumps.com
loisirdefense.com
kitchensavershop.com
smarthealthubclub.com
happyupa.com
hellonetworker.com
sparkyspizzaor.com
avenew.pro
onlineregular.com
lateliersensible.com
nhietluyen.com
magicclass.ltd
cactusrootspalmsprings.com
bodascivileshouston.com
manicolada.com
tabernacleenterprise.com
pbpurchase.com
senmec23.com
assetnj.com
eveningtaxservice.com
gufobardo.com
ertcfdg.xyz
sky-odhner.com
ventures-sellers.com
anquanbx.com
proteccare.com
imprussts.com
solentplanning.com
eskisla.com
sparktheblogbycirque.com
retailala.com
freeglobe.life
business247.space
rentwithdex.com
clipsq.com
taratakeson.com
mkdepannage.run
kjfdjdjkfkjejfdre.com
fayd000.icu
freejobsalertpk.com
innovision3d.com
Signatures
-
Xloader Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/3600-116-0x000000000041D050-mapping.dmp xloader behavioral2/memory/3600-115-0x0000000000400000-0x0000000000428000-memory.dmp xloader behavioral2/memory/1020-124-0x0000000003370000-0x0000000003398000-memory.dmp xloader -
Suspicious use of SetThreadContext 3 IoCs
Processes:
tgix.exetgix.exewscript.exedescription pid process target process PID 4432 set thread context of 3600 4432 tgix.exe tgix.exe PID 3600 set thread context of 2416 3600 tgix.exe Explorer.EXE PID 1020 set thread context of 2416 1020 wscript.exe Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
tgix.exewscript.exepid process 3600 tgix.exe 3600 tgix.exe 3600 tgix.exe 3600 tgix.exe 1020 wscript.exe 1020 wscript.exe 1020 wscript.exe 1020 wscript.exe 1020 wscript.exe 1020 wscript.exe 1020 wscript.exe 1020 wscript.exe 1020 wscript.exe 1020 wscript.exe 1020 wscript.exe 1020 wscript.exe 1020 wscript.exe 1020 wscript.exe 1020 wscript.exe 1020 wscript.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
tgix.exewscript.exepid process 3600 tgix.exe 3600 tgix.exe 3600 tgix.exe 1020 wscript.exe 1020 wscript.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
tgix.exewscript.exedescription pid process Token: SeDebugPrivilege 3600 tgix.exe Token: SeDebugPrivilege 1020 wscript.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
tgix.exeExplorer.EXEwscript.exedescription pid process target process PID 4432 wrote to memory of 3600 4432 tgix.exe tgix.exe PID 4432 wrote to memory of 3600 4432 tgix.exe tgix.exe PID 4432 wrote to memory of 3600 4432 tgix.exe tgix.exe PID 4432 wrote to memory of 3600 4432 tgix.exe tgix.exe PID 4432 wrote to memory of 3600 4432 tgix.exe tgix.exe PID 4432 wrote to memory of 3600 4432 tgix.exe tgix.exe PID 2416 wrote to memory of 1020 2416 Explorer.EXE wscript.exe PID 2416 wrote to memory of 1020 2416 Explorer.EXE wscript.exe PID 2416 wrote to memory of 1020 2416 Explorer.EXE wscript.exe PID 1020 wrote to memory of 4000 1020 wscript.exe cmd.exe PID 1020 wrote to memory of 4000 1020 wscript.exe cmd.exe PID 1020 wrote to memory of 4000 1020 wscript.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tgix.exe"C:\Users\Admin\AppData\Local\Temp\tgix.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tgix.exe"C:\Users\Admin\AppData\Local\Temp\tgix.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\SysWOW64\wscript.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\tgix.exe"3⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1020-124-0x0000000003370000-0x0000000003398000-memory.dmpFilesize
160KB
-
memory/1020-121-0x0000000000000000-mapping.dmp
-
memory/1020-123-0x0000000000DB0000-0x0000000000DD7000-memory.dmpFilesize
156KB
-
memory/1020-125-0x0000000005380000-0x00000000056A0000-memory.dmpFilesize
3.1MB
-
memory/1020-126-0x0000000005200000-0x000000000528F000-memory.dmpFilesize
572KB
-
memory/2416-120-0x00000000069B0000-0x0000000006ACB000-memory.dmpFilesize
1.1MB
-
memory/2416-127-0x0000000005860000-0x00000000059A9000-memory.dmpFilesize
1.3MB
-
memory/3600-116-0x000000000041D050-mapping.dmp
-
memory/3600-115-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/3600-118-0x00000000010A0000-0x00000000013C0000-memory.dmpFilesize
3.1MB
-
memory/3600-119-0x0000000000C80000-0x0000000000C90000-memory.dmpFilesize
64KB
-
memory/4000-122-0x0000000000000000-mapping.dmp
-
memory/4432-114-0x0000000003140000-0x0000000003141000-memory.dmpFilesize
4KB