Analysis
- max time kernel: 4294182s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20220311-en
- submitted: 11-03-2022 23:29

Static task: static1
Behavioral task: behavioral1
- Sample: Cslmw.exe
- Resource: win7-20220311-en
General
- Target: Cslmw.exe
- Size: 23KB
- MD5: f252b7a35b4b4af6a7dee8840b1e7132
- SHA1: e9fa1a744adc80c91203aaf06e4edbcd25cac199
- SHA256: 4a5a4b370430e4f8fed7a3e8e7deb08321740497e0e693482352d2db973dbabd
- SHA512: 389e94b834f64609e8b2a861f5697a3b5b7eee4e2f71b76ae19a616560bd1f8d1d3396cf13e657c41792e43caedd61fe6641983819bbf83f8625fbd693c65af5
Malware Config
- Extracted: xloader 2.5 ssac
Signatures
- Xloader Payload (1 IoC)
  resource: behavioral1/memory/292-64-0x0000000000400000-0x0000000000429000-memory.dmp, yara_rule: xloader
- Adds Run key to start application (2 TTPs, 1 IoC)
  process: Cslmw.exe, description: Set value (str), ioc: \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\Knolmy = "\"C:\\Users\\Admin\\AppData\\Roaming\\Onqsw\\Knolmy.exe\""
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 1996 set thread context of 292, pid: 1996, process: Cslmw.exe, target process: Cslmw.exe
- Program crash (1 IoC)
  pid: 1224, pid_target: 292, process: WerFault.exe, target process: Cslmw.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 1996, process: Cslmw.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege, pid: 1996, process: Cslmw.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description: PID 1996 wrote to memory of 292, pid: 1996, process: Cslmw.exe, target process: Cslmw.exe (7 entries)
  description: PID 292 wrote to memory of 1224, pid: 292, process: Cslmw.exe, target process: WerFault.exe (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Cslmw.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Cslmw.exe"
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Cslmw.exe
      command line: C:\Users\Admin\AppData\Local\Temp\Cslmw.exe
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WerFault.exe
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 292 -s 36
         - Program crash
Downloads
- memory/292-60-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/292-62-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/292-64-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/1996-54-0x0000000000980000-0x000000000098C000-memory.dmp (Filesize: 48KB)
- memory/1996-55-0x00000000740C0000-0x00000000747AE000-memory.dmp (Filesize: 6.9MB)
- memory/1996-56-0x00000000049D0000-0x00000000049D1000-memory.dmp (Filesize: 4KB)
- memory/1996-57-0x00000000051F0000-0x000000000526E000-memory.dmp (Filesize: 504KB)
- memory/1996-58-0x00000000005A0000-0x00000000005E8000-memory.dmp (Filesize: 288KB)
- memory/1996-59-0x0000000005330000-0x000000000537C000-memory.dmp (Filesize: 304KB)