Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
06-05-2021 13:03
Static task
static1
Behavioral task
behavioral1
Sample
tgix.exe
Resource
win7v20210408
General
-
Target
tgix.exe
-
Size
1.1MB
-
MD5
2e3f9f38f7cb188b1f25028061c75724
-
SHA1
6fcc9441c9738e854d38e21a92a2a211049dc612
-
SHA256
b356ada562e3300d6a94806979b8920abbae8b40ff9ce89b5f5c2a10e0f970b0
-
SHA512
046ccf12497f5a63a1033b83ecd0a390e1eb088d9bcb5636163b1bb4b5d4a1b04532c7497a27a18b01a6a70739bb72b211376e99bb3b5572a7ba83766ab75550
Malware Config
Extracted
xloader
2.3
http://www.liancaiwangv5.com/oerg/
brightly-common.com
petwellness.pet
oldhamluxury.com
cmpembroidery.com
physicalrobot.com
irynazumba.com
testyourself11.com
theblacksportswoman.com
mottestertraining.agency
confrontinghate.info
tamiigun.com
pod14.club
implementnowsolutions.net
letsdance.website
cashforkeysdz.net
grupoprotecsasac.com
kol-lek-tiv.net
funeralhomesmaroail.com
lwfunding.com
junkglobal.com
planbeee.com
cloudfoodz.com
jalilvandconsulting.com
dsheatpumps.com
loisirdefense.com
kitchensavershop.com
smarthealthubclub.com
happyupa.com
hellonetworker.com
sparkyspizzaor.com
avenew.pro
onlineregular.com
lateliersensible.com
nhietluyen.com
magicclass.ltd
cactusrootspalmsprings.com
bodascivileshouston.com
manicolada.com
tabernacleenterprise.com
pbpurchase.com
senmec23.com
assetnj.com
eveningtaxservice.com
gufobardo.com
ertcfdg.xyz
sky-odhner.com
ventures-sellers.com
anquanbx.com
proteccare.com
imprussts.com
solentplanning.com
eskisla.com
sparktheblogbycirque.com
retailala.com
freeglobe.life
business247.space
rentwithdex.com
clipsq.com
taratakeson.com
mkdepannage.run
kjfdjdjkfkjejfdre.com
fayd000.icu
freejobsalertpk.com
innovision3d.com
Signatures
-
Xloader Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/2808-116-0x000000000041D050-mapping.dmp xloader behavioral2/memory/2808-115-0x0000000000400000-0x0000000000428000-memory.dmp xloader behavioral2/memory/2240-124-0x0000000000A60000-0x0000000000A88000-memory.dmp xloader -
Suspicious use of SetThreadContext 3 IoCs
Processes:
tgix.exetgix.exechkdsk.exedescription pid process target process PID 1736 set thread context of 2808 1736 tgix.exe tgix.exe PID 2808 set thread context of 3052 2808 tgix.exe Explorer.EXE PID 2240 set thread context of 3052 2240 chkdsk.exe Explorer.EXE -
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
chkdsk.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe -
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
tgix.exechkdsk.exepid process 2808 tgix.exe 2808 tgix.exe 2808 tgix.exe 2808 tgix.exe 2240 chkdsk.exe 2240 chkdsk.exe 2240 chkdsk.exe 2240 chkdsk.exe 2240 chkdsk.exe 2240 chkdsk.exe 2240 chkdsk.exe 2240 chkdsk.exe 2240 chkdsk.exe 2240 chkdsk.exe 2240 chkdsk.exe 2240 chkdsk.exe 2240 chkdsk.exe 2240 chkdsk.exe 2240 chkdsk.exe 2240 chkdsk.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
tgix.exechkdsk.exepid process 2808 tgix.exe 2808 tgix.exe 2808 tgix.exe 2240 chkdsk.exe 2240 chkdsk.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
tgix.exechkdsk.exedescription pid process Token: SeDebugPrivilege 2808 tgix.exe Token: SeDebugPrivilege 2240 chkdsk.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
tgix.exeExplorer.EXEchkdsk.exedescription pid process target process PID 1736 wrote to memory of 2808 1736 tgix.exe tgix.exe PID 1736 wrote to memory of 2808 1736 tgix.exe tgix.exe PID 1736 wrote to memory of 2808 1736 tgix.exe tgix.exe PID 1736 wrote to memory of 2808 1736 tgix.exe tgix.exe PID 1736 wrote to memory of 2808 1736 tgix.exe tgix.exe PID 1736 wrote to memory of 2808 1736 tgix.exe tgix.exe PID 3052 wrote to memory of 2240 3052 Explorer.EXE chkdsk.exe PID 3052 wrote to memory of 2240 3052 Explorer.EXE chkdsk.exe PID 3052 wrote to memory of 2240 3052 Explorer.EXE chkdsk.exe PID 2240 wrote to memory of 3976 2240 chkdsk.exe cmd.exe PID 2240 wrote to memory of 3976 2240 chkdsk.exe cmd.exe PID 2240 wrote to memory of 3976 2240 chkdsk.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tgix.exe"C:\Users\Admin\AppData\Local\Temp\tgix.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tgix.exe"C:\Users\Admin\AppData\Local\Temp\tgix.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\chkdsk.exe"C:\Windows\SysWOW64\chkdsk.exe"2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\tgix.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1736-114-0x00000000018C0000-0x00000000018C1000-memory.dmpFilesize
4KB
-
memory/2240-123-0x0000000000D00000-0x0000000000D0A000-memory.dmpFilesize
40KB
-
memory/2240-121-0x0000000000000000-mapping.dmp
-
memory/2240-124-0x0000000000A60000-0x0000000000A88000-memory.dmpFilesize
160KB
-
memory/2240-125-0x00000000051E0000-0x0000000005500000-memory.dmpFilesize
3.1MB
-
memory/2240-126-0x0000000005150000-0x00000000051DF000-memory.dmpFilesize
572KB
-
memory/2808-115-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/2808-118-0x0000000001A40000-0x0000000001D60000-memory.dmpFilesize
3.1MB
-
memory/2808-119-0x0000000001580000-0x0000000001590000-memory.dmpFilesize
64KB
-
memory/2808-116-0x000000000041D050-mapping.dmp
-
memory/3052-120-0x0000000005F50000-0x00000000060BA000-memory.dmpFilesize
1.4MB
-
memory/3052-127-0x0000000004FD0000-0x0000000005158000-memory.dmpFilesize
1.5MB
-
memory/3976-122-0x0000000000000000-mapping.dmp