Resubmissions
17-01-2022 09:47
220117-lsbfvahch4 1017-01-2022 09:46
220117-lrzr2shehk 117-01-2022 09:40
220117-lnkhyshcf3 10Analysis
-
max time kernel
4265058s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
17-01-2022 09:40
Static task
static1
General
-
Target
10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe
-
Size
592KB
-
MD5
f8e05f051c4151136ab7da1002e4c915
-
SHA1
23bd18eee8c7cdc3fe21ecb778af9a89e855b71e
-
SHA256
10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74
-
SHA512
427a04103a5fbede6f2ebe2e5e82a5fc4790b5108ac9bb165f96cc04871d655ca12a92d2bbaea13491a56e76122aa0412595613560e392fa1a7365c81e829463
Malware Config
Extracted
xloader
2.5
pnug
natureate.com
ita-pots.website
sucohansmushroom.com
produrielrosen.com
gosystemupdatenow.online
jiskra.art
janwiench.com
norfolkfoodhall.com
iloveaddictss.com
pogozip.com
buyinstapva.com
teardirectionfreedom.xyz
0205168.com
apaixonadosporpugs.online
jawscoinc.com
crafter.quest
wikipedianow.com
radiopuls.net
kendama-co.com
goodstudycanada.com
huzhoucs.com
asinment.com
fuchsundrudolph.com
arthurenathalia.com
globalcosmeticsstudios.com
brandrackley.com
freemanhub.one
utserver.online
fullspecter.com
wshowcase.com
airjordanshoes-retro.com
linguimatics.com
app-verlengen.icu
singpost.red
j4.claims
inoteapp.net
jrdautomotivellc.com
xn--beaupre-6xa.com
mypolicyportal.net
wdgjdhpg.com
anshulindla.com
m981070.com
vertentebike.com
claim-available.com
buyfudgybombs.com
adfnapoli.com
blackfuid.com
clambakedelivered.info
marketingworksonhold.com
xvyj.top
richardsonsfinest.com
gurimix.com
dorhop.com
mauigrowngreencoffee.net
juzytuu.xyz
pokorny.industries
floridapermitsolutions.com
right-on-target-store.com
ynaire.com
nextpar.com
disdrone.com
fruitfulvinebirth.com
africanfairytale.com
leisuresabah.com
safetyeats.asia
Signatures
-
Xloader Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/4056-138-0x0000000000400000-0x0000000000429000-memory.dmp xloader -
Suspicious use of SetThreadContext 1 IoCs
Processes:
10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exedescription pid process target process PID 3528 set thread context of 4056 3528 10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe 10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
MusNotification.exedescription ioc process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotification.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotification.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exepid process 4056 10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe 4056 10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
MusNotification.exedescription pid process Token: SeShutdownPrivilege 3748 MusNotification.exe Token: SeCreatePagefilePrivilege 3748 MusNotification.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exedescription pid process target process PID 3528 wrote to memory of 4056 3528 10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe 10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe PID 3528 wrote to memory of 4056 3528 10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe 10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe PID 3528 wrote to memory of 4056 3528 10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe 10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe PID 3528 wrote to memory of 4056 3528 10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe 10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe PID 3528 wrote to memory of 4056 3528 10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe 10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe PID 3528 wrote to memory of 4056 3528 10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe 10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe"C:\Users\Admin\AppData\Local\Temp\10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe"C:\Users\Admin\AppData\Local\Temp\10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\MusNotification.exeC:\Windows\system32\MusNotification.exe1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3528-130-0x0000000000930000-0x00000000009CA000-memory.dmpFilesize
616KB
-
memory/3528-131-0x0000000000930000-0x00000000009CA000-memory.dmpFilesize
616KB
-
memory/3528-132-0x00000000058E0000-0x0000000005E84000-memory.dmpFilesize
5.6MB
-
memory/3528-133-0x00000000053D0000-0x0000000005462000-memory.dmpFilesize
584KB
-
memory/3528-134-0x0000000005330000-0x00000000058D4000-memory.dmpFilesize
5.6MB
-
memory/3528-135-0x0000000005380000-0x000000000538A000-memory.dmpFilesize
40KB
-
memory/3528-136-0x0000000008CB0000-0x0000000008D4C000-memory.dmpFilesize
624KB
-
memory/4056-137-0x0000000000000000-mapping.dmp
-
memory/4056-138-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/4056-139-0x0000000000F00000-0x000000000124A000-memory.dmpFilesize
3.3MB