Analysis
- Max time kernel: 150s
- Max time network: 155s
- Platform: windows10_x64
- Resource: win10v20210408
- Submitted: 15-09-2021 06:35
- Static task: static1
- Behavioral task: behavioral1
- Sample: PO 56720012359.exe
- Resource: win7-en
General
- Target: PO 56720012359.exe
- Size: 297KB
- MD5: 839c75a88734aaf014ef0c3d77ce9109
- SHA1: 10d79cb8e51fd30bfff63b2465ba0e111f6dd500
- SHA256: 1829af596150521350d812c07f81226755d397e4755f649e083cc06de7d6f402
- SHA512: e6feddaf0616f781a8d9de9fd68e78654c2be2c1e5bff676fc4d78de7ca6f8f6cace5245117d7554c4f50452c6d7d60ab5a62d1f66580ed8707ec835d91cc551
Malware Config
Extracted
- Family: xloader
- Version: 2.3
- Campaign ID: b6cu
- C2: http://www.allfyllofficial.com/b6cu/
Signatures
- Xloader Payload (2 IoCs)
  Processes (resource, yara_rule):
    behavioral2/memory/3160-116-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
    behavioral2/memory/3272-122-0x00000000030E0000-0x0000000003109000-memory.dmp: xloader
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description, pid, process, target process):
    PID 3128 set thread context of 3160: PO 56720012359.exe -> PO 56720012359.exe
    PID 3160 set thread context of 3016: PO 56720012359.exe -> Explorer.EXE
    PID 3272 set thread context of 3016: msdt.exe -> Explorer.EXE
- Modifies registry class (2 IoCs)
  Processes (description, ioc, process):
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance (Explorer.EXE)
    Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance (Explorer.EXE)
- Suspicious behavior: EnumeratesProcesses (62 IoCs)
  Processes (pid, process):
    3160 PO 56720012359.exe (4 entries)
    3272 msdt.exe (58 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid, process):
    3016 Explorer.EXE
- Suspicious behavior: MapViewOfSection (6 IoCs)
  Processes (pid, process):
    3128 PO 56720012359.exe (1 entry)
    3160 PO 56720012359.exe (3 entries)
    3272 msdt.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (12 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege 3160 PO 56720012359.exe
    Token: SeDebugPrivilege 3272 msdt.exe
    Token: SeShutdownPrivilege 3016 Explorer.EXE (5 entries)
    Token: SeCreatePagefilePrivilege 3016 Explorer.EXE (5 entries)
- Suspicious use of FindShellTrayWindow (10 IoCs)
  Processes (pid, process):
    3016 Explorer.EXE (10 entries)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes (pid, process):
    3016 Explorer.EXE (2 entries)
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description, pid, process, target process):
    PID 3128 wrote to memory of 3160: PO 56720012359.exe -> PO 56720012359.exe (4 entries)
    PID 3016 wrote to memory of 3272: Explorer.EXE -> msdt.exe (3 entries)
    PID 3272 wrote to memory of 4012: msdt.exe -> cmd.exe (3 entries)
Processes (indentation shows the parent/child tree; the number is the depth in the tree)
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Modifies registry class
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\PO 56720012359.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\PO 56720012359.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\PO 56720012359.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\PO 56720012359.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\msdt.exe
      Command line: "C:\Windows\SysWOW64\msdt.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /c del "C:\Users\Admin\AppData\Local\Temp\PO 56720012359.exe"
Downloads
- memory/3016-126-0x00000000032D0000-0x000000000338F000-memory.dmp (764KB)
- memory/3016-119-0x0000000005840000-0x00000000059DD000-memory.dmp (1.6MB)
- memory/3128-115-0x0000000000D50000-0x0000000000DFE000-memory.dmp (696KB)
- memory/3160-116-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
- memory/3160-117-0x0000000001770000-0x0000000001A90000-memory.dmp (3.1MB)
- memory/3160-118-0x00000000011F0000-0x0000000001200000-memory.dmp (64KB)
- memory/3160-114-0x000000000041D0B0-mapping.dmp
- memory/3272-120-0x0000000000000000-mapping.dmp
- memory/3272-121-0x0000000000380000-0x00000000004F3000-memory.dmp (1.4MB)
- memory/3272-123-0x0000000004B70000-0x0000000004E90000-memory.dmp (3.1MB)
- memory/3272-125-0x0000000004750000-0x00000000047DF000-memory.dmp (572KB)
- memory/3272-122-0x00000000030E0000-0x0000000003109000-memory.dmp (164KB)
- memory/4012-124-0x0000000000000000-mapping.dmp