Analysis
- Max time kernel: 102s
- Max time network: 112s
- Platform: windows10_x64
- Resource: win10v20210408
- Submitted: 06-05-2021 15:34

Static task: static1
Behavioral task: behavioral1
- Sample: 0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083.bin.exe
- Resource: win7v20210410
General
- Target: 0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083.bin.exe
- Size: 76KB
- MD5: 1670bb70c724ff6142617ac83676b3a0
- SHA1: 7bfd700d81d79b06d82c83d5f78a41990c6c391e
- SHA256: 0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083
- SHA512: 052a570f26c74a0982010b1f2b7caca42bb706a8ade59b5cdde4020fb1aa65bea3001b5b8ff23e95cd7f79a37ee0f908e05800f5f06eccf3e24a27c679bb29ae
Malware Config
Extracted
- Family: xloader
- Version: 2.3
- URL: http://www.innovativevan.com/i8be/
Domains:
cdymjim.icu
globalmilitaryaircraft.com
slusheestore.com
freepdfconvert.net
itadsweden.com
legenddocs.com
metholyptus.com
966cm.com
mobilitygloves-protect.com
travaze.net
go-kalisa.com
believehavefaith.com
nywebhost.com
semitsol.com
wowyuu.net
cochesb2b.com
gobesttobuy.com
senmec23.com
bmsgw.com
newazenterprise.com
onlinefitnessmechanic.com
makeournationsafeagain.com
climat2020.com
hamsikoysutlaci.net
networkslice.com
wanganwanderer1.com
nationwidesignage.com
lucianmediazone.com
geekyweel.com
hzky888.com
mcfarlaneweb.com
c-w3.com
covidstracking.com
flowingwealth.com
sprinklesglobal.com
secret-mall.com
extraclasss.com
stasiapl.com
1905vintage.com
8649gb.com
brisketbeard.com
optionsafecode.com
foms4om.com
differentquartz.info
freshly.pizza
levettfyneralhome.com
leteeshirtboutique.com
creativesdanfe.com
t-oils.com
seoforamz.com
carbon2algae.com
kronospros.com
storepisode.com
viautong30.com
weipr.net
mjspizzaandwinghouse.com
e-yzr.com
webcamthing.com
wb917.com
sedentariocero.com
salon-solution.com
solgeneration.com
viviennevaile.com
weightlossbiloxi.com
Signatures
- Xloader Payload (2 IoCs)
  Processes (resource / yara_rule):
  - behavioral2/memory/2272-121-0x0000000000401000-0x0000000000541000-memory.dmp / xloader
  - behavioral2/memory/2272-122-0x0000000000400000-0x0000000000428000-memory.dmp / xloader
- Checks QEMU agent file (2 TTPs, 2 IoCs)
  Checks presence of QEMU agent, possibly to detect virtualization.
  Processes (description / ioc / process):
  - File opened (read-only) / C:\Program Files\Qemu-ga\qemu-ga.exe / 0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083.bin.exe
  - File opened (read-only) / C:\Program Files\Qemu-ga\qemu-ga.exe / 0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083.bin.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  Processes (pid / process):
  - 804 / 0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083.bin.exe
  - 2272 / 0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083.bin.exe
  - 2272 / 0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083.bin.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
  - PID 804 set thread context of 2272 / 804 / 0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083.bin.exe / 0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083.bin.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  - 2272 / 0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083.bin.exe
  - 2272 / 0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083.bin.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes (pid / process):
  - 804 / 0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083.bin.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid / process):
  - 804 / 0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083.bin.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process):
  - PID 804 wrote to memory of 2272 / 804 / 0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083.bin.exe / 0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083.bin.exe
  - PID 804 wrote to memory of 2272 / 804 / 0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083.bin.exe / 0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083.bin.exe
  - PID 804 wrote to memory of 2272 / 804 / 0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083.bin.exe / 0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083.bin.exe
  - PID 804 wrote to memory of 2272 / 804 / 0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083.bin.exe / 0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083.bin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083.bin.exe"
  - Checks QEMU agent file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083.bin.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083.bin.exe"
    - Checks QEMU agent file
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/804-116-0x0000000002120000-0x000000000212D000-memory.dmp (Filesize: 52KB)
- memory/2272-117-0x0000000000401480-mapping.dmp
- memory/2272-118-0x0000000000400000-0x0000000000553000-memory.dmp (Filesize: 1.3MB)
- memory/2272-119-0x0000000000401000-0x00000000004FD000-memory.dmp (Filesize: 1008KB)
- memory/2272-120-0x0000000000560000-0x0000000000660000-memory.dmp (Filesize: 1024KB)
- memory/2272-121-0x0000000000401000-0x0000000000541000-memory.dmp (Filesize: 1.2MB)
- memory/2272-122-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize: 160KB)
- memory/2272-123-0x000000001E710000-0x000000001EA30000-memory.dmp (Filesize: 3.1MB)