Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-en-20211208
submitted: 10-01-2022 23:39

Static task: static1
Behavioral task: behavioral1
  Sample: IMG-022013758.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: IMG-022013758.exe
  Resource: win10-en-20211208

General
Target: IMG-022013758.exe
Size: 1.2MB
MD5: 911dd6e4e76bd413bd62a3de696f6982
SHA1: ad9ad231d5a86565f5ab719dd4a0e3eab42cfc5d
SHA256: 4724b55ca938b0bbdc393ddfecec9ccad30b911490e9fc1922546596526cdb04
SHA512: b37bbf84af87cc3d17cafecbc351104344d665c39ffd8efc0801819c0f15a5f4d032ae8d6e0b46357f75a63aabcac3d6f9a2b68c4c2883c3168e6d0e39e97317
Malware Config
Extracted
xloader
2.5
p8ce
Signatures

Xloader Payload (3 IoCs)
resource / yara_rule:
- behavioral1/memory/1388-60-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
- behavioral1/memory/1388-61-0x000000000041D490-mapping.dmp: xloader
- behavioral1/memory/1380-69-0x00000000000C0000-0x00000000000E9000-memory.dmp: xloader
Suspicious use of SetThreadContext (3 IoCs)
Processes: IMG-022013758.exe, aspnet_regbrowsers.exe, chkdsk.exe
- PID 612 (IMG-022013758.exe) set thread context of 1388 (aspnet_regbrowsers.exe)
- PID 1388 (aspnet_regbrowsers.exe) set thread context of 1416 (Explorer.EXE)
- PID 1380 (chkdsk.exe) set thread context of 1416 (Explorer.EXE)
Enumerates system info in registry (2 TTPs, 1 IoC)
Processes: chkdsk.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (chkdsk.exe)
Suspicious behavior: EnumeratesProcesses (21 IoCs)
Processes: aspnet_regbrowsers.exe, chkdsk.exe
- PID 1388 aspnet_regbrowsers.exe (2 events)
- PID 1380 chkdsk.exe (19 events)
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes: aspnet_regbrowsers.exe, chkdsk.exe
- PID 1388 aspnet_regbrowsers.exe (3 events)
- PID 1380 chkdsk.exe (2 events)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: IMG-022013758.exe, aspnet_regbrowsers.exe, chkdsk.exe
- Token: SeDebugPrivilege, PID 612 IMG-022013758.exe
- Token: SeDebugPrivilege, PID 1388 aspnet_regbrowsers.exe
- Token: SeDebugPrivilege, PID 1380 chkdsk.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: Explorer.EXE
- PID 1416 Explorer.EXE (2 events)
Suspicious use of SendNotifyMessage (2 IoCs)
Processes: Explorer.EXE
- PID 1416 Explorer.EXE (2 events)
Suspicious use of WriteProcessMemory (15 IoCs)
Processes: IMG-022013758.exe, Explorer.EXE, chkdsk.exe
- PID 612 (IMG-022013758.exe) wrote to memory of 1388 (aspnet_regbrowsers.exe), 7 events
- PID 1416 (Explorer.EXE) wrote to memory of 1380 (chkdsk.exe), 4 events
- PID 1380 (chkdsk.exe) wrote to memory of 1708 (cmd.exe), 4 events
Processes

C:\Windows\Explorer.EXE (PID 1416, depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IMG-022013758.exe (PID 612, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\IMG-022013758.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe (PID 1388, depth 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\chkdsk.exe (PID 1380, depth 2)
    Command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 1708, depth 3)
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/612-55-0x00000000011D0000-0x00000000012FE000-memory.dmp (Filesize 1.2MB)
- memory/612-56-0x0000000000F00000-0x0000000000F01000-memory.dmp (Filesize 4KB)
- memory/612-57-0x0000000000250000-0x0000000000264000-memory.dmp (Filesize 80KB)
- memory/612-54-0x00000000011D0000-0x00000000012FE000-memory.dmp (Filesize 1.2MB)
- memory/1380-66-0x0000000000000000-mapping.dmp
- memory/1380-71-0x00000000009A0000-0x0000000000A30000-memory.dmp (Filesize 576KB)
- memory/1380-68-0x0000000000FB0000-0x0000000000FB7000-memory.dmp (Filesize 28KB)
- memory/1380-70-0x0000000000C20000-0x0000000000F23000-memory.dmp (Filesize 3.0MB)
- memory/1380-69-0x00000000000C0000-0x00000000000E9000-memory.dmp (Filesize 164KB)
- memory/1388-64-0x0000000000290000-0x00000000002A1000-memory.dmp (Filesize 68KB)
- memory/1388-63-0x00000000008E0000-0x0000000000BE3000-memory.dmp (Filesize 3.0MB)
- memory/1388-61-0x000000000041D490-mapping.dmp
- memory/1388-60-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize 164KB)
- memory/1388-58-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize 164KB)
- memory/1388-59-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize 164KB)
- memory/1416-65-0x0000000004D20000-0x0000000004DFE000-memory.dmp (Filesize 888KB)
- memory/1416-72-0x0000000006990000-0x0000000006A74000-memory.dmp (Filesize 912KB)
- memory/1708-67-0x0000000000000000-mapping.dmp