Analysis
- max time kernel: 4294180s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20220311-en
- submitted: 14-03-2022 19:07
Static task: static1
Behavioral task: behavioral1
Sample: 4f623f7aab4fc4b985783241478917d0.exe
Resource: win7-20220311-en
General
- Target: 4f623f7aab4fc4b985783241478917d0.exe
- Size: 930KB
- MD5: 4f623f7aab4fc4b985783241478917d0
- SHA1: e6d98b26140257c7214e113f2c2143de4f22a453
- SHA256: c8781b8dca56fa093b3df95c16360b2dc381eadb10b4f9055e11b39f34284749
- SHA512: d6487c4395521cd8a1590c7c4a9bb8ab28c69b39a6fd2dfba90e4f13e5b471ca3c0621ee6f1c14c7f6d718b2d6228dbb0142bcdb12ca3b32f097670b8f65ee61
Malware Config
Extracted
xloader
2.5
ahc8
Signatures
- Xloader Payload 1 IoCs
  Processes:
  resource | yara_rule
  behavioral1/memory/1072-64-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
- Suspicious use of SetThreadContext 1 IoCs
  Processes:
  description | pid | process | target process
  PID 1392 set thread context of 1072 | 1392 | 4f623f7aab4fc4b985783241478917d0.exe | 4f623f7aab4fc4b985783241478917d0.exe
- Program crash 1 IoCs
  Processes:
  pid | pid_target | process | target process
  1108 | 1072 | WerFault.exe | 4f623f7aab4fc4b985783241478917d0.exe
- Suspicious use of WriteProcessMemory 11 IoCs
  Processes:
  description | pid | process | target process
  PID 1392 wrote to memory of 1072 | 1392 | 4f623f7aab4fc4b985783241478917d0.exe | 4f623f7aab4fc4b985783241478917d0.exe
  PID 1392 wrote to memory of 1072 | 1392 | 4f623f7aab4fc4b985783241478917d0.exe | 4f623f7aab4fc4b985783241478917d0.exe
  PID 1392 wrote to memory of 1072 | 1392 | 4f623f7aab4fc4b985783241478917d0.exe | 4f623f7aab4fc4b985783241478917d0.exe
  PID 1392 wrote to memory of 1072 | 1392 | 4f623f7aab4fc4b985783241478917d0.exe | 4f623f7aab4fc4b985783241478917d0.exe
  PID 1392 wrote to memory of 1072 | 1392 | 4f623f7aab4fc4b985783241478917d0.exe | 4f623f7aab4fc4b985783241478917d0.exe
  PID 1392 wrote to memory of 1072 | 1392 | 4f623f7aab4fc4b985783241478917d0.exe | 4f623f7aab4fc4b985783241478917d0.exe
  PID 1392 wrote to memory of 1072 | 1392 | 4f623f7aab4fc4b985783241478917d0.exe | 4f623f7aab4fc4b985783241478917d0.exe
  PID 1072 wrote to memory of 1108 | 1072 | 4f623f7aab4fc4b985783241478917d0.exe | WerFault.exe
  PID 1072 wrote to memory of 1108 | 1072 | 4f623f7aab4fc4b985783241478917d0.exe | WerFault.exe
  PID 1072 wrote to memory of 1108 | 1072 | 4f623f7aab4fc4b985783241478917d0.exe | WerFault.exe
  PID 1072 wrote to memory of 1108 | 1072 | 4f623f7aab4fc4b985783241478917d0.exe | WerFault.exe
Processes
- (1) C:\Users\Admin\AppData\Local\Temp\4f623f7aab4fc4b985783241478917d0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4f623f7aab4fc4b985783241478917d0.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - (2) C:\Users\Admin\AppData\Local\Temp\4f623f7aab4fc4b985783241478917d0.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4f623f7aab4fc4b985783241478917d0.exe"
    - Suspicious use of WriteProcessMemory
    - (3) C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 36
      - Program crash
Network
MITRE ATT&CK Matrix
Downloads
- memory/1072-60-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/1072-62-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/1072-64-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/1392-54-0x0000000000FB0000-0x000000000109E000-memory.dmp (Filesize: 952KB)
- memory/1392-55-0x00000000747F0000-0x0000000074EDE000-memory.dmp (Filesize: 6.9MB)
- memory/1392-56-0x0000000004DB0000-0x0000000004DB1000-memory.dmp (Filesize: 4KB)
- memory/1392-57-0x0000000000460000-0x000000000047A000-memory.dmp (Filesize: 104KB)
- memory/1392-58-0x0000000007D50000-0x0000000007E04000-memory.dmp (Filesize: 720KB)
- memory/1392-59-0x0000000000A10000-0x0000000000A46000-memory.dmp (Filesize: 216KB)