Analysis
- max time kernel: 123s
- max time network: 123s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 30-11-2021 20:10

Static task: static1
Behavioral task: behavioral1
Sample: f4eb13ef6fef846933c731aecae8f978.exe
Resource: win7-en-20211104
General
- Target: f4eb13ef6fef846933c731aecae8f978.exe
- Size: 371KB
- MD5: f4eb13ef6fef846933c731aecae8f978
- SHA1: f27a8de41120825fc9a59b05e79bb92ccc766b2d
- SHA256: cd53040ec21c86fa58a23ef8a844b96b05454800c6aabe0e9d5772e3ab07bce6
- SHA512: b5bd82041cd093a42aca06b7628dd1d3c93948c4919bab0a3e88bca828e87240a9e755f5759a9c092d9b67351952c589cecb251ff97f52ccff5c8d60c68f02c0
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: mwev
- C2: http://www.scion-go-getter.com/mwev/
- Decoy domains:
9linefarms.com
meadow-spring.com
texascountrycharts.com
chinatowndeliver.com
grindsword.com
thegurusigavebirthto.com
rip-online.com
lm-safe-keepingtoyof6.xyz
plumbtechconsulting.com
jgoerlach.com
inbloomsolutions.com
foxandmew.com
tikomobile.store
waybunch.com
thepatriottutor.com
qask.top
pharmacylinked.com
ishii-miona.com
sugarandrocks.com
anabolenpower.net
my9m.com
ywboxiong.xyz
primetire.net
yshxdys.com
royallecleaning.com
xtrategit.com
almashrabia.net
bundlezandco.com
sandman.network
vinhomes-grand-park.com
jbarecipes.com
squareleatherbox.net
breathechurch.digital
wodemcil.com
carthy.foundation
galimfish.com
reflectbag.com
lheteclase.quest
yourvirtualevent.services
custercountycritique.com
liyahgadgets.com
sweetascaramelllc.com
lzgirlz.com
flydubaime.com
aanhanger-verhuur.com
schooldiry.com
theroadtorodriguez.com
mrteez.club
gxystgs.com
runz.online
kometbux.com
mintyhelper.com
bestinvest-4u.com
bjxxc.com
e-readertnpasumo5.xyz
experimentwithoutlimits.com
21yingyang.com
recbi56ni.com
tabulose-milfs-live.com
uglyatoz.com
websitessample.com
gogopficg.xyz
fourthandwhiteoak.com
fulvousemollientplanet.com
Signatures

- Xloader Payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/2188-127-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral2/memory/2188-128-0x000000000041D480-mapping.dmp | xloader

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 3508 set thread context of 2188 | 3508 | f4eb13ef6fef846933c731aecae8f978.exe | f4eb13ef6fef846933c731aecae8f978.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  2188 | f4eb13ef6fef846933c731aecae8f978.exe
  2188 | f4eb13ef6fef846933c731aecae8f978.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description | pid | process | target process
  PID 3508 wrote to memory of 2188 | 3508 | f4eb13ef6fef846933c731aecae8f978.exe | f4eb13ef6fef846933c731aecae8f978.exe
  PID 3508 wrote to memory of 2188 | 3508 | f4eb13ef6fef846933c731aecae8f978.exe | f4eb13ef6fef846933c731aecae8f978.exe
  PID 3508 wrote to memory of 2188 | 3508 | f4eb13ef6fef846933c731aecae8f978.exe | f4eb13ef6fef846933c731aecae8f978.exe
  PID 3508 wrote to memory of 2188 | 3508 | f4eb13ef6fef846933c731aecae8f978.exe | f4eb13ef6fef846933c731aecae8f978.exe
  PID 3508 wrote to memory of 2188 | 3508 | f4eb13ef6fef846933c731aecae8f978.exe | f4eb13ef6fef846933c731aecae8f978.exe
  PID 3508 wrote to memory of 2188 | 3508 | f4eb13ef6fef846933c731aecae8f978.exe | f4eb13ef6fef846933c731aecae8f978.exe
Processes

- (1) C:\Users\Admin\AppData\Local\Temp\f4eb13ef6fef846933c731aecae8f978.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f4eb13ef6fef846933c731aecae8f978.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  - (2) C:\Users\Admin\AppData\Local\Temp\f4eb13ef6fef846933c731aecae8f978.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\f4eb13ef6fef846933c731aecae8f978.exe"
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
file | size
memory/2188-127-0x0000000000400000-0x0000000000429000-memory.dmp | 164KB
memory/2188-128-0x000000000041D480-mapping.dmp | -
memory/2188-129-0x0000000001040000-0x0000000001360000-memory.dmp | 3.1MB
memory/3508-118-0x0000000000120000-0x0000000000121000-memory.dmp | 4KB
memory/3508-120-0x0000000004F50000-0x0000000004F51000-memory.dmp | 4KB
memory/3508-121-0x0000000004A50000-0x0000000004A51000-memory.dmp | 4KB
memory/3508-122-0x00000000049C0000-0x00000000049C1000-memory.dmp | 4KB
memory/3508-123-0x00000000049E0000-0x00000000049E1000-memory.dmp | 4KB
memory/3508-124-0x0000000004C30000-0x0000000004C36000-memory.dmp | 24KB
memory/3508-125-0x0000000006E00000-0x0000000006E01000-memory.dmp | 4KB
memory/3508-126-0x0000000006F00000-0x0000000006F59000-memory.dmp | 356KB