Analysis
Max time kernel: 110s
Max time network: 124s
Platform: windows10_x64
Resource: win10-en-20211014
Submitted: 15-11-2021 09:33
Static task: static1
General
Target: 29cec08e007fcd2217b0bd25adf7e58e019d4d4c32de795aae95390e4f530c4f.exe
Size: 461KB
MD5: 8cec5b455b359860f5a7aa647331783f
SHA1: 6a84b356819c29b95ebf305671298879f6c784f1
SHA256: 29cec08e007fcd2217b0bd25adf7e58e019d4d4c32de795aae95390e4f530c4f
SHA512: 06607c55fdb311450e64d6ab892b5d673dfd0cbc629dae68f4fe7094de69558e12f6b22977c5be885ecf63de2a3fdce3f608a953493f0fe244a75645114087f2
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: n58i
C2: http://www.makingitreignz.com/n58i/
Decoy domains (an Xloader config carries a list of unrelated domains alongside the real C2 so that the live panel is harder to pick out of network telemetry; only the URL above is the C2):
charlottebishop.com
afafshawwabibi.com
salomesac.com
albaelectric.info
ashcm.com
cxlgroups.com
kbittesting.com
stogelair.com
dgredg.com
smokersoutletinc.com
gdmo112.com
innovationmotive.xyz
outbarter.info
abevegege.online
peterjhill.com
fubosportsbetting.com
probristow.com
despirad.com
halloweengeneral.com
milesofsmileskinder.com
luly-boo.com
noordinaryinsurance.com
buildertest342.com
drivelingo.com
idaivos.com
ebonycamsworld.com
mooknationmedia.com
brenthagenbuch.net
rwatyz40s.xyz
ceramicfinishing.com
maliya-interiors.com
ghlmadesimple.com
4546768.rest
povxxxvideos.com
szqkjy.com
1rmg.tech
miskarangsimpang.xyz
jgjec.com
preventpor.xyz
mcdonnellanalytics.store
dsknit.com
high-clicks2.com
niceauto.mobi
kadenselection.com
firuzekahve.com
emiliaclarkedaily.net
trianglepost.press
wellorise.store
bolder.equipment
metropolitanprolifestyle.com
berthagiles.top
tanba-dekanshofarm.net
publicitysocial.com
kosener.com
atelierdesignstudio.com
solosix.club
triimio.com
sukoteishu.com
industrialsblockxchange.com
jsyonghui.com
aspenceramica.com
daikondefense.com
estudioamlegal.com
abetttermountbethel.com
Signatures

Xloader Payload (3 IoCs)
resource | yara_rule
behavioral1/memory/3788-122-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral1/memory/3788-123-0x000000000041D470-mapping.dmp | xloader
behavioral1/memory/3788-124-0x0000000000E00000-0x0000000000F4A000-memory.dmp | xloader

Suspicious use of SetThreadContext (1 IoC)
description | pid | process | target process
PID 4064 set thread context of 3788 | 4064 | 29cec08e007fcd2217b0bd25adf7e58e019d4d4c32de795aae95390e4f530c4f.exe | 29cec08e007fcd2217b0bd25adf7e58e019d4d4c32de795aae95390e4f530c4f.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | process
3788 | 29cec08e007fcd2217b0bd25adf7e58e019d4d4c32de795aae95390e4f530c4f.exe
3788 | 29cec08e007fcd2217b0bd25adf7e58e019d4d4c32de795aae95390e4f530c4f.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeDebugPrivilege | 4064 | 29cec08e007fcd2217b0bd25adf7e58e019d4d4c32de795aae95390e4f530c4f.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | process | target process
PID 4064 wrote to memory of 3788 | 4064 | 29cec08e007fcd2217b0bd25adf7e58e019d4d4c32de795aae95390e4f530c4f.exe | 29cec08e007fcd2217b0bd25adf7e58e019d4d4c32de795aae95390e4f530c4f.exe (this row is recorded six times, one per write)
Processes

1. C:\Users\Admin\AppData\Local\Temp\29cec08e007fcd2217b0bd25adf7e58e019d4d4c32de795aae95390e4f530c4f.exe (PID 4064)
   Command line: "C:\Users\Admin\AppData\Local\Temp\29cec08e007fcd2217b0bd25adf7e58e019d4d4c32de795aae95390e4f530c4f.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\29cec08e007fcd2217b0bd25adf7e58e019d4d4c32de795aae95390e4f530c4f.exe (PID 3788, child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\29cec08e007fcd2217b0bd25adf7e58e019d4d4c32de795aae95390e4f530c4f.exe"
      - Suspicious behavior: EnumeratesProcesses

Read together with the signatures above, the tree is a self-injection: the first instance (PID 4064) enables SeDebugPrivilege, launches a second copy of the same binary (PID 3788), writes into it six times and then replaces its thread context, and every Xloader YARA match is on memory of the child, not the parent. The child's 0x0000000000400000-0x0000000000429000 region is therefore the unpacked payload to pull for further analysis.
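The hollowing pattern above can be checked mechanically from the report's own signature rows. The script below is an added example, not part of this sandbox report or of the sandbox's code: it parses the "PID <src> wrote to memory of <dst>" and "set thread context of" rows (the row layout and the detection rule are assumptions) and flags any source/target pair that shows both primitives, noting whether the target runs the same image as the source and whether the source held SeDebugPrivilege. The rows fed to it are copied from this report.

```python
import re
from collections import defaultdict

IMAGE = "29cec08e007fcd2217b0bd25adf7e58e019d4d4c32de795aae95390e4f530c4f.exe"

# Event rows copied from this report's signature tables. The report lists the
# WriteProcessMemory row six times, so it is repeated six times here.
REPORT_ROWS = (
    [f"PID 4064 set thread context of 3788 4064 {IMAGE} {IMAGE}"]
    + [f"PID 4064 wrote to memory of 3788 4064 {IMAGE} {IMAGE}"] * 6
    + [f"Token: SeDebugPrivilege 4064 {IMAGE}"]
)

# Row shapes are assumptions read off the report layout:
#   "PID <src> <action> <dst> <src> <source image> <target image>"
#   "Token: <privilege> <pid> <image>"
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_image>\S+) (?P<dst_image>\S+)"
)
TOKEN_RE = re.compile(r"Token: (?P<priv>\w+) (?P<pid>\d+) (?P<image>\S+)")


def parse_rows(rows):
    """Split rows into cross-process events and a pid -> privileges map."""
    events, privs = [], defaultdict(set)
    for row in rows:
        m = ROW_RE.search(row)
        if m:
            events.append({
                "src": int(m["src"]), "dst": int(m["dst"]),
                "action": m["action"],
                "src_image": m["src_image"], "dst_image": m["dst_image"],
            })
            continue
        m = TOKEN_RE.search(row)
        if m:
            privs[int(m["pid"])].add(m["priv"])
    return events, privs


def detect_hollowing(rows):
    """Flag (source, target) pid pairs where one process both writes into
    another and replaces that process's thread context. WriteProcessMemory
    on its own is common (debuggers, installers); the two primitives against
    the same target are the hollowing signal."""
    events, privs = parse_rows(rows)
    per_pair = defaultdict(lambda: {"writes": 0, "ctx": 0, "images": set()})
    for e in events:
        rec = per_pair[(e["src"], e["dst"])]
        rec["images"].update([e["src_image"], e["dst_image"]])
        if e["action"].startswith("wrote"):
            rec["writes"] += 1
        else:
            rec["ctx"] += 1
    findings = []
    for (src, dst), rec in per_pair.items():
        if rec["writes"] and rec["ctx"]:
            findings.append({
                "source_pid": src,
                "target_pid": dst,
                "writes": rec["writes"],
                # one image name on both sides: the sample hollowed a copy of itself
                "self_injection": len(rec["images"]) == 1,
                # SeDebugPrivilege on the injector is a supporting indicator only
                "se_debug": "SeDebugPrivilege" in privs.get(src, set()),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_hollowing(REPORT_ROWS):
        print(finding)
```

On this report it yields a single finding, 4064 -> 3788 with six writes, self-injection and SeDebugPrivilege both true. A target image different from the source would be the classic variant where a decoy system binary is hollowed; the rule treats both the same and only annotates which one it saw.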
Network
MITRE ATT&CK Matrix
Downloads

Memory dump | Filesize
memory/3788-122-0x0000000000400000-0x0000000000429000-memory.dmp | 164KB
memory/3788-123-0x000000000041D470-mapping.dmp |
memory/3788-124-0x0000000000E00000-0x0000000000F4A000-memory.dmp | 1.3MB
memory/4064-115-0x0000000001250000-0x0000000001251000-memory.dmp | 4KB
memory/4064-117-0x00000000051E0000-0x00000000051E1000-memory.dmp | 4KB
memory/4064-118-0x0000000004BB0000-0x0000000004BB1000-memory.dmp | 4KB
memory/4064-119-0x0000000004D50000-0x0000000004D51000-memory.dmp | 4KB
memory/4064-120-0x0000000004B10000-0x0000000004BA2000-memory.dmp | 584KB
memory/4064-121-0x00000000050A0000-0x00000000050A1000-memory.dmp | 4KB
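The dump names encode the process, the region bounds and the dump type, which is enough to triage them without opening the files. The script below is an added example, not part of this report or of the sandbox's code: it parses the names above (the name layout is an assumption read off the list), recomputes each region's size from its bounds, checks that against the listed Filesize, and marks which regions in the injected process sit at the 32-bit default image base 0x400000 and contain the address of the mapping dump. The entries fed to it are copied from this report.

```python
import re

# Dump names and listed sizes copied from this report's Downloads list
# (None where the report lists no size).
REPORT_DUMPS = [
    ("memory/3788-122-0x0000000000400000-0x0000000000429000-memory.dmp", "164KB"),
    ("memory/3788-123-0x000000000041D470-mapping.dmp", None),
    ("memory/3788-124-0x0000000000E00000-0x0000000000F4A000-memory.dmp", "1.3MB"),
    ("memory/4064-115-0x0000000001250000-0x0000000001251000-memory.dmp", "4KB"),
    ("memory/4064-117-0x00000000051E0000-0x00000000051E1000-memory.dmp", "4KB"),
    ("memory/4064-118-0x0000000004BB0000-0x0000000004BB1000-memory.dmp", "4KB"),
    ("memory/4064-119-0x0000000004D50000-0x0000000004D51000-memory.dmp", "4KB"),
    ("memory/4064-120-0x0000000004B10000-0x0000000004BA2000-memory.dmp", "584KB"),
    ("memory/4064-121-0x00000000050A0000-0x00000000050A1000-memory.dmp", "4KB"),
]

# Name layouts are assumptions read off the list above:
#   memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp   (a region dump)
#   memory/<pid>-<seq>-0x<addr>-mapping.dmp           (a single address)
REGION_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
MAPPING_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<addr>[0-9A-Fa-f]+)-mapping\.dmp$"
)

DEFAULT_IMAGE_BASE_32 = 0x400000  # default ImageBase the MSVC linker gives 32-bit EXEs


def human_size(n):
    """Round the way the report's Filesize column does (whole KB, MB to one decimal)."""
    if n >= 1024 * 1024:
        return f"{n / (1024 * 1024):.1f}MB"
    return f"{n // 1024}KB"


def parse_dumps(entries):
    """Return (region dumps, mapping dumps) with addresses parsed to ints."""
    regions, mappings = [], []
    for name, listed in entries:
        m = REGION_RE.match(name)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            regions.append({
                "pid": int(m["pid"]), "seq": int(m["seq"]),
                "start": start, "end": end, "bytes": end - start, "listed": listed,
            })
            continue
        m = MAPPING_RE.match(name)
        if m:
            mappings.append({"pid": int(m["pid"]), "addr": int(m["addr"], 16)})
    return regions, mappings


def payload_candidates(entries, injected_pid):
    """Region dumps of the injected process, annotated with the cues used to
    pick the unpacked payload: the region starts at the 32-bit default image
    base, and it contains the address of the process's mapping dump."""
    regions, mappings = parse_dumps(entries)
    addrs = [m["addr"] for m in mappings if m["pid"] == injected_pid]
    out = []
    for r in regions:
        if r["pid"] != injected_pid:
            continue
        r["at_default_image_base"] = r["start"] == DEFAULT_IMAGE_BASE_32
        r["contains_mapping"] = any(r["start"] <= a < r["end"] for a in addrs)
        r["size_matches_listing"] = (
            r["listed"] is None or human_size(r["bytes"]) == r["listed"]
        )
        out.append(r)
    return out


if __name__ == "__main__":
    for r in payload_candidates(REPORT_DUMPS, 3788):
        print(hex(r["start"]), hex(r["end"]), human_size(r["bytes"]),
              "image-base" if r["at_default_image_base"] else "",
              "contains-mapping" if r["contains_mapping"] else "")
```

For PID 3788 the 0x400000-0x429000 region (0x29000 bytes, 164KB, matching the listing) is the only one that both sits at the default image base and contains 0x41D470, which lies 0x1D470 into it; the 1.3MB region at 0xE00000 matches neither cue. Every recomputed size agrees with the listed Filesize, so the names alone are a reliable index into the dumps.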