Analysis
Max time kernel: 147s
Max time network: 148s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 21/06/2022, 11:07

Static task: static1
Behavioral task: behavioral1
Sample: AWB_811470484778.exe
Resource: win7-20220414-en

General
Target: AWB_811470484778.exe
Size: 450KB
MD5: 2dce5b90b3f523aff613693f6d93769c
SHA1: d9947b0881ac67b10687b48ed44a49c6198df310
SHA256: 7e05b0a9ffe1cfbc4cb926477d044ad7b6046352f8734b95037e4f5ef21bca99
SHA512: 260b2415fe8afcc389d39df5fb50dd73969ac1c45ce3ffd38aefb8260bc36c31c0105275c69806a3fa58239b2aeaf193efd5c9e25ed092593ec6ab8d2a1eda28
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: h4st
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET) (2 alerts)

Xloader Payload (4 IoCs)
resource | yara_rule
behavioral2/memory/3944-136-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/3944-142-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/4600-145-0x0000000000AC0000-0x0000000000AE9000-memory.dmp | xloader
behavioral2/memory/4600-149-0x0000000000AC0000-0x0000000000AE9000-memory.dmp | xloader

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 536 set thread context of 3944 | 536 | AWB_811470484778.exe | 89
PID 3944 set thread context of 672 | 3944 | AWB_811470484778.exe | 39
PID 4600 set thread context of 672 | 4600 | explorer.exe | 39

Suspicious behavior: EnumeratesProcesses (44 IoCs)
pid | Process | occurrences
3944 | AWB_811470484778.exe | 4
4600 | explorer.exe | 40

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
672 | Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
pid | Process | occurrences
3944 | AWB_811470484778.exe | 3
4600 | explorer.exe | 2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3944 | AWB_811470484778.exe
Token: SeDebugPrivilege | 4600 | explorer.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target | occurrences
PID 536 wrote to memory of 3944 | 536 | AWB_811470484778.exe | 89 | 6
PID 672 wrote to memory of 4600 | 672 | Explorer.EXE | 90 | 3
PID 4600 wrote to memory of 4836 | 4600 | explorer.exe | 91 | 3
Processes
C:\Windows\Explorer.EXE (PID 672, depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe (PID 536, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe (PID 3944, depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\explorer.exe (PID 4600, depth 2)
    command line: "C:\Windows\SysWOW64\explorer.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 4836, depth 3)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\AWB_811470484778.exe"