Analysis

max time kernel:   118s
max time network:  121s
platform:          windows7_x64
resource:          win7-en-20211104
submitted:         13-11-2021 22:06

Static task:       static1
Behavioral task:   behavioral1
Sample:            abbd913fabcce80fe6c14f8103800378.exe
Resource:          win7-en-20211104

General

Target:  abbd913fabcce80fe6c14f8103800378.exe
Size:    700KB
MD5:     abbd913fabcce80fe6c14f8103800378
SHA1:    bbfd5bd99597e246fe61dc8fa4cbaa99c1808b1b
SHA256:  e7cabf681ce8989913c4c78c8f539a791c852e0e637f359d2a399b91dc676506
SHA512:  7eb56ebeac274545ccbf91ed01e1290ccd168b5b506a027993745ad6d8255ed652d32c1570218aca10434c40c7218f5e088e8d2021b30f8eef674d22dcc64655
Malware Config

Extracted
Family:    xloader
Version:   2.5
Campaign:  n58i
C2:        http://www.makingitreignz.com/n58i/
Signatures

Xloader Payload (2 IoCs)
  resource                                                                       yara_rule
  behavioral1/memory/1480-61-0x000000000041D470-mapping.dmp                      xloader
  behavioral1/memory/1480-62-0x0000000000080000-0x00000000000A9000-memory.dmp    xloader

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process                               target process
  PID 1540 set thread context of 1480  1540  abbd913fabcce80fe6c14f8103800378.exe  abbd913fabcce80fe6c14f8103800378.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   process
  1480  abbd913fabcce80fe6c14f8103800378.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   process
  Token: SeDebugPrivilege  1540  abbd913fabcce80fe6c14f8103800378.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                       pid   process                               target process
  PID 1540 wrote to memory of 1480  1540  abbd913fabcce80fe6c14f8103800378.exe  abbd913fabcce80fe6c14f8103800378.exe
  (the same entry is recorded 7 times)
Processes

C:\Users\Admin\AppData\Local\Temp\abbd913fabcce80fe6c14f8103800378.exe (PID 1540)
  command line: "C:\Users\Admin\AppData\Local\Temp\abbd913fabcce80fe6c14f8103800378.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\abbd913fabcce80fe6c14f8103800378.exe (PID 1480, child of 1540)
    command line: "C:\Users\Admin\AppData\Local\Temp\abbd913fabcce80fe6c14f8103800378.exe"
    - Suspicious behavior: EnumeratesProcesses
Downloads

file                                                             filesize
memory/1480-58-0x0000000000080000-0x00000000000A9000-memory.dmp  164KB
memory/1480-59-0x0000000000080000-0x00000000000A9000-memory.dmp  164KB
memory/1480-61-0x000000000041D470-mapping.dmp                    -
memory/1480-62-0x0000000000080000-0x00000000000A9000-memory.dmp  164KB
memory/1480-64-0x00000000007F0000-0x0000000000AF3000-memory.dmp  3.0MB
memory/1540-55-0x0000000000230000-0x0000000000231000-memory.dmp  4KB
memory/1540-57-0x0000000001FA0000-0x0000000001FA1000-memory.dmp  4KB