Analysis
  max time kernel:  149s
  max time network: 147s
  platform:         windows7_x64
  resource:         win7-en-20211104
  submitted:        12-11-2021 13:13

Static task:     static1
Behavioral task: behavioral1
  Sample:   1fc555b7fcb6c2587e8a51c215f10dfe.exe
  Resource: win7-en-20211104
General
  Target: 1fc555b7fcb6c2587e8a51c215f10dfe.exe
  Size:   437KB
  MD5:    1fc555b7fcb6c2587e8a51c215f10dfe
  SHA1:   7d8fecccd2bef2ff373f231032b6d3dcdbb04938
  SHA256: 4fa90d4fa0908b71eab4b5639465fc8e8c8933ede1e56941b5f65175e62bd09b
  SHA512: a61ea67571838a8894cf76c7b069061debb78dbe5a58d6cdd2e837f6839306233481133ac0a8ef86fb9105232c9ff5ec992e2bb0bb4d036b1ae4e8690eef68de
Malware Config
  Extracted
    Family:   xloader
    Version:  2.5
    Campaign: noha
    C2:       http://www.mglracing.com/noha/
Signatures

Xloader Payload (3 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/1852-63-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
  behavioral1/memory/1852-64-0x000000000041D490-mapping.dmp                    xloader
  behavioral1/memory/876-73-0x0000000000080000-0x00000000000A9000-memory.dmp   xloader

Suspicious use of SetThreadContext (3 IoCs)
  description                            pid   process                               target process
  PID 1408 set thread context of 1852    1408  1fc555b7fcb6c2587e8a51c215f10dfe.exe  RegSvcs.exe
  PID 1852 set thread context of 1208    1852  RegSvcs.exe                           Explorer.EXE
  PID 876 set thread context of 1208     876   raserver.exe                          Explorer.EXE

Suspicious behavior: EnumeratesProcesses (25 IoCs)
  pid   process
  1408  1fc555b7fcb6c2587e8a51c215f10dfe.exe  (2 hits)
  1852  RegSvcs.exe                           (2 hits)
  876   raserver.exe                          (21 hits)

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   process
  1852  RegSvcs.exe   (3 hits)
  876   raserver.exe  (2 hits)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  1408  1fc555b7fcb6c2587e8a51c215f10dfe.exe
  Token: SeDebugPrivilege  1852  RegSvcs.exe
  Token: SeDebugPrivilege  876   raserver.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   process
  1208  Explorer.EXE  (2 hits)

Suspicious use of SendNotifyMessage (2 IoCs)
  pid   process
  1208  Explorer.EXE  (2 hits)

Suspicious use of WriteProcessMemory (18 IoCs)
  description                      pid   process                               target process
  PID 1408 wrote to memory of 1852 1408  1fc555b7fcb6c2587e8a51c215f10dfe.exe  RegSvcs.exe   (10 hits)
  PID 1208 wrote to memory of 876  1208  Explorer.EXE                          raserver.exe  (4 hits)
  PID 876 wrote to memory of 752   876   raserver.exe                          cmd.exe       (4 hits)
Processes

1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\1fc555b7fcb6c2587e8a51c215f10dfe.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1fc555b7fcb6c2587e8a51c215f10dfe.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
         command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\raserver.exe
      command line: "C:\Windows\SysWOW64\raserver.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Downloads
  file                                                              size
  memory/752-71-0x0000000000000000-mapping.dmp                      -
  memory/876-75-0x0000000000350000-0x00000000003E0000-memory.dmp    576KB
  memory/876-73-0x0000000000080000-0x00000000000A9000-memory.dmp    164KB
  memory/876-74-0x0000000000AA0000-0x0000000000DA3000-memory.dmp    3.0MB
  memory/876-72-0x0000000000DD0000-0x0000000000DEC000-memory.dmp    112KB
  memory/876-69-0x0000000000000000-mapping.dmp                      -
  memory/1208-68-0x0000000006030000-0x000000000616C000-memory.dmp   1.2MB
  memory/1208-76-0x0000000006170000-0x00000000062A8000-memory.dmp   1.2MB
  memory/1408-60-0x0000000005B00000-0x0000000005B46000-memory.dmp   280KB
  memory/1408-55-0x0000000001360000-0x0000000001361000-memory.dmp   4KB
  memory/1408-59-0x00000000003D0000-0x00000000003D7000-memory.dmp   28KB
  memory/1408-58-0x0000000004BA0000-0x0000000004BA1000-memory.dmp   4KB
  memory/1408-57-0x0000000075C51000-0x0000000075C53000-memory.dmp   8KB
  memory/1852-67-0x0000000000190000-0x00000000001A1000-memory.dmp   68KB
  memory/1852-66-0x0000000000AB0000-0x0000000000DB3000-memory.dmp   3.0MB
  memory/1852-64-0x000000000041D490-mapping.dmp                     -
  memory/1852-63-0x0000000000400000-0x0000000000429000-memory.dmp   164KB
  memory/1852-62-0x0000000000400000-0x0000000000429000-memory.dmp   164KB
  memory/1852-61-0x0000000000400000-0x0000000000429000-memory.dmp   164KB