Analysis
- max time kernel: 53s
- max time network: 143s
- platform: windows10_x64
- resource: win10-20220223-en
- submitted: 03-03-2022 23:38
- Static task: static1

General
- Target: c7ceb2adec0ec0d5d01cbbc2753f0c2ddfc149c2e4daa47a519f44604ea5e557.exe
- Size: 15KB
- MD5: 40674110ecc6a402569f906e115d3d8b
- SHA1: 6771637dd6d3d89a9fd630f7b179d379b558bf77
- SHA256: c7ceb2adec0ec0d5d01cbbc2753f0c2ddfc149c2e4daa47a519f44604ea5e557
- SHA512: 809c144a8418c0cd06ff365f51602000b2cc836d9cf49e8c9b2c394e1de9a61941cf461beec169d6837a2b29ad7aa70a936ddc59b9c1ea99e24efeae76bab018
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: ahc8
Signatures
- Xloader Payload 1 IoCs
  Processes:
  resource: behavioral1/memory/3280-123-0x0000000000500000-0x0000000000529000-memory.dmp; yara_rule: xloader
- Downloads MZ/PE file
- Suspicious use of SetThreadContext 1 IoCs
  Processes:
  description: PID 2024 set thread context of 3280; pid: 2024; process: c7ceb2adec0ec0d5d01cbbc2753f0c2ddfc149c2e4daa47a519f44604ea5e557.exe; target process: c7ceb2adec0ec0d5d01cbbc2753f0c2ddfc149c2e4daa47a519f44604ea5e557.exe
- Program crash 1 IoCs
  Processes:
  pid: 2440; pid_target: 3280; process: WerFault.exe; target process: c7ceb2adec0ec0d5d01cbbc2753f0c2ddfc149c2e4daa47a519f44604ea5e557.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes:
  description: Token: SeDebugPrivilege; pid: 2024; process: c7ceb2adec0ec0d5d01cbbc2753f0c2ddfc149c2e4daa47a519f44604ea5e557.exe
- Suspicious use of WriteProcessMemory 6 IoCs
  Processes:
  description: PID 2024 wrote to memory of 3280; pid: 2024; process: c7ceb2adec0ec0d5d01cbbc2753f0c2ddfc149c2e4daa47a519f44604ea5e557.exe; target process: c7ceb2adec0ec0d5d01cbbc2753f0c2ddfc149c2e4daa47a519f44604ea5e557.exe (this identical entry is recorded six times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\c7ceb2adec0ec0d5d01cbbc2753f0c2ddfc149c2e4daa47a519f44604ea5e557.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c7ceb2adec0ec0d5d01cbbc2753f0c2ddfc149c2e4daa47a519f44604ea5e557.exe"
   PID: 2024
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\c7ceb2adec0ec0d5d01cbbc2753f0c2ddfc149c2e4daa47a519f44604ea5e557.exe (child of PID 2024)
      Command line: "C:\Users\Admin\AppData\Local\Temp\c7ceb2adec0ec0d5d01cbbc2753f0c2ddfc149c2e4daa47a519f44604ea5e557.exe"
      PID: 3280
      3. C:\Windows\SysWOW64\WerFault.exe (child of PID 3280)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 188
         - Program crash
         PID: 2440
Network
MITRE ATT&CK Matrix
Downloads
- memory/2024-114-0x0000000000700000-0x000000000070A000-memory.dmp (Filesize: 40KB)
- memory/2024-115-0x00000000055F0000-0x0000000005AEE000-memory.dmp (Filesize: 5.0MB)
- memory/2024-116-0x0000000004F90000-0x0000000005022000-memory.dmp (Filesize: 584KB)
- memory/2024-117-0x0000000073700000-0x0000000073DEE000-memory.dmp (Filesize: 6.9MB)
- memory/2024-118-0x0000000004F30000-0x0000000004F3A000-memory.dmp (Filesize: 40KB)
- memory/2024-119-0x0000000004EF0000-0x0000000004F82000-memory.dmp (Filesize: 584KB)
- memory/2024-120-0x0000000004F70000-0x0000000004F8E000-memory.dmp (Filesize: 120KB)
- memory/2024-121-0x00000000060F0000-0x000000000618C000-memory.dmp (Filesize: 624KB)
- memory/3280-123-0x0000000000500000-0x0000000000529000-memory.dmp (Filesize: 164KB)