Analysis

max time kernel: 148s
max time network: 146s
platform: windows7_x64
resource: win7-en-20211208
submitted: 28-01-2022 12:43

Static task: static1
Behavioral task: behavioral1
Sample: tlBHrCrteFXy8Jz.exe
Resource: win7-en-20211208
General

Target: tlBHrCrteFXy8Jz.exe
Size: 775KB
MD5: 0e9943c0e2afaf5e9acec16ce184b444
SHA1: dc1c5f809a3e6e9a3358878d455cb235d2245460
SHA256: dc368951f1df68a92c51f9afe6ad73c717b040fb9af6a278e9201b176362ed70
SHA512: a7a7e54dc8a144266447b8c500a02adb2dcd855224f8780c6fbfe573ca3eedd1e78ab998aaa4adcfb1f717d670159b93d13cb340e2601fc936d0cc417b78eb50
Malware Config

Extracted
Family: xloader
Version: 2.5
Campaign: b3xd
Signatures

Xloader Payload (2 IoCs)
Processes (resource / yara_rule):
- behavioral1/memory/1412-61-0x0000000000400000-0x0000000000429000-memory.dmp / xloader
- behavioral1/memory/1208-68-0x0000000000090000-0x00000000000B9000-memory.dmp / xloader

Deletes itself (1 IoCs)
Processes (pid / process):
- 1068 cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes (description / pid / process / target process):
- PID 740 set thread context of 1412 / 740 / tlBHrCrteFXy8Jz.exe / tlBHrCrteFXy8Jz.exe
- PID 1412 set thread context of 1380 / 1412 / tlBHrCrteFXy8Jz.exe / Explorer.EXE
- PID 1208 set thread context of 1380 / 1208 / rundll32.exe / Explorer.EXE

Suspicious behavior: EnumeratesProcesses (19 IoCs)
Processes (pid / process):
- 1412 tlBHrCrteFXy8Jz.exe (2 entries)
- 1208 rundll32.exe (17 entries)

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes (pid / process):
- 1412 tlBHrCrteFXy8Jz.exe (3 entries)
- 1208 rundll32.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege / 1412 / tlBHrCrteFXy8Jz.exe
- Token: SeDebugPrivilege / 1208 / rundll32.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid / process):
- 1380 Explorer.EXE (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
Processes (pid / process):
- 1380 Explorer.EXE (2 entries)

Suspicious use of WriteProcessMemory (18 IoCs)
Processes (description / pid / process / target process):
- PID 740 wrote to memory of 1412 / 740 / tlBHrCrteFXy8Jz.exe / tlBHrCrteFXy8Jz.exe (7 entries)
- PID 1380 wrote to memory of 1208 / 1380 / Explorer.EXE / rundll32.exe (7 entries)
- PID 1208 wrote to memory of 1068 / 1208 / rundll32.exe / cmd.exe (4 entries)
Processes

C:\Windows\Explorer.EXE (depth 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\tlBHrCrteFXy8Jz.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tlBHrCrteFXy8Jz.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\tlBHrCrteFXy8Jz.exe (depth 3)
        Command line: "C:\Users\Admin\AppData\Local\Temp\tlBHrCrteFXy8Jz.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\rundll32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (depth 3)
        Command line: /c del "C:\Users\Admin\AppData\Local\Temp\tlBHrCrteFXy8Jz.exe"
        - Deletes itself
Downloads (memory dump / filesize)

- memory/740-54-0x0000000000210000-0x00000000002DA000-memory.dmp / 808KB
- memory/740-55-0x0000000076141000-0x0000000076143000-memory.dmp / 8KB
- memory/740-56-0x0000000004EF0000-0x0000000004EF1000-memory.dmp / 4KB
- memory/740-57-0x0000000000300000-0x000000000030C000-memory.dmp / 48KB
- memory/740-58-0x00000000022C0000-0x000000000231E000-memory.dmp / 376KB
- memory/1208-68-0x0000000000090000-0x00000000000B9000-memory.dmp / 164KB
- memory/1208-67-0x0000000000C40000-0x0000000000C4E000-memory.dmp / 56KB
- memory/1208-69-0x0000000002050000-0x0000000002353000-memory.dmp / 3.0MB
- memory/1208-70-0x0000000000530000-0x0000000000C11000-memory.dmp / 6.9MB
- memory/1380-65-0x0000000005000000-0x000000000515E000-memory.dmp / 1.4MB
- memory/1380-71-0x0000000006BD0000-0x0000000006D04000-memory.dmp / 1.2MB
- memory/1412-60-0x0000000000400000-0x0000000000429000-memory.dmp / 164KB
- memory/1412-61-0x0000000000400000-0x0000000000429000-memory.dmp / 164KB
- memory/1412-63-0x0000000000B50000-0x0000000000E53000-memory.dmp / 3.0MB
- memory/1412-64-0x00000000001D0000-0x00000000001E1000-memory.dmp / 68KB
- memory/1412-59-0x0000000000400000-0x0000000000429000-memory.dmp / 164KB