Analysis
- max time kernel: 12s
- max time network: 126s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 27-07-2021 16:07
Static task: static1
Behavioral task: behavioral1
Sample: 346c1f083ba87535c999f17587d0d8b9.exe
Resource: win7v20210408
General
- Target: 346c1f083ba87535c999f17587d0d8b9.exe
- Size: 252KB
- MD5: 346c1f083ba87535c999f17587d0d8b9
- SHA1: 82a6caee2df88f4944f0f144e70f8d70675ec45e
- SHA256: 537a1b1e9a633875a74664967b2e62803f01b619fb26df9b4762b6795ee1b0ec
- SHA512: 086617b903ad3ae3c4145a9b3f122e560c64f4f0ef7a153b980f35213fa58ff5d9d480956502183ba1f310dbe0337efb81997d0f2b16a1bf751ad78935a8577b
Malware Config
Extracted
- family: xloader
- version: 2.3
Signatures
- Xloader Payload (1 IoC)
  resource: behavioral2/memory/3684-116-0x0000000000400000-0x0000000000429000-memory.dmp
  yara_rule: xloader
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 3540 set thread context of 3684
  pid: 3540, process: 346c1f083ba87535c999f17587d0d8b9.exe
  target process: 346c1f083ba87535c999f17587d0d8b9.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 3684, process: 346c1f083ba87535c999f17587d0d8b9.exe
  pid: 3684, process: 346c1f083ba87535c999f17587d0d8b9.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid: 3540, process: 346c1f083ba87535c999f17587d0d8b9.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 3540 wrote to memory of 3684; pid: 3540, process: 346c1f083ba87535c999f17587d0d8b9.exe, target process: 346c1f083ba87535c999f17587d0d8b9.exe
  description: PID 3540 wrote to memory of 3684; pid: 3540, process: 346c1f083ba87535c999f17587d0d8b9.exe, target process: 346c1f083ba87535c999f17587d0d8b9.exe
  description: PID 3540 wrote to memory of 3684; pid: 3540, process: 346c1f083ba87535c999f17587d0d8b9.exe, target process: 346c1f083ba87535c999f17587d0d8b9.exe
  description: PID 3540 wrote to memory of 3684; pid: 3540, process: 346c1f083ba87535c999f17587d0d8b9.exe, target process: 346c1f083ba87535c999f17587d0d8b9.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\346c1f083ba87535c999f17587d0d8b9.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\346c1f083ba87535c999f17587d0d8b9.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\346c1f083ba87535c999f17587d0d8b9.exe (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\346c1f083ba87535c999f17587d0d8b9.exe"
    - Suspicious behavior: EnumeratesProcesses
Downloads
- memory/3540-115-0x0000000000460000-0x000000000050E000-memory.dmp (filesize: 696KB)
- memory/3684-114-0x000000000041D090-mapping.dmp
- memory/3684-116-0x0000000000400000-0x0000000000429000-memory.dmp (filesize: 164KB)
- memory/3684-117-0x0000000000C00000-0x0000000000F20000-memory.dmp (filesize: 3.1MB)