Analysis
max time kernel: 146s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21/06/2022, 10:21
Static task: static1
General
Target: ccc5f7c2dcf83d72150071b31ff3036834f0d26544e2c2c274bce95d234b14ea.exe
Size: 963KB
MD5: 83dd3acd8f3e455bfd2c4711453399c3
SHA1: 8895c917c9a3157939036647ba402f02d98f29e4
SHA256: ccc5f7c2dcf83d72150071b31ff3036834f0d26544e2c2c274bce95d234b14ea
SHA512: 72fee0861dad6d8f44f450e00950bb1c486961b7f114d822f1e5e0335c7214800b1c8242a35f409220eac72f8b2dfd56a238c5e10be13d52507e521daa5cb2d2
Malware Config
Extracted
xloader
2.6
gd9m
Signatures
Xloader Payload (1 IoC)
  resource: behavioral1/memory/1976-137-0x0000000000400000-0x000000000042B000-memory.dmp, yara_rule: xloader
Suspicious use of SetThreadContext (1 IoC)
  PID 1108 set thread context of 1976 (pid 1108, process ccc5f7c2dcf83d72150071b31ff3036834f0d26544e2c2c274bce95d234b14ea.exe, procid_target 91)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 1108, process ccc5f7c2dcf83d72150071b31ff3036834f0d26544e2c2c274bce95d234b14ea.exe (2 hits)
  pid 1976, process ccc5f7c2dcf83d72150071b31ff3036834f0d26544e2c2c274bce95d234b14ea.exe (2 hits)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege (pid 1108, process ccc5f7c2dcf83d72150071b31ff3036834f0d26544e2c2c274bce95d234b14ea.exe)
Suspicious use of WriteProcessMemory (6 IoCs, all identical)
  PID 1108 wrote to memory of 1976 (pid 1108, process ccc5f7c2dcf83d72150071b31ff3036834f0d26544e2c2c274bce95d234b14ea.exe, procid_target 91)
Processes
C:\Users\Admin\AppData\Local\Temp\ccc5f7c2dcf83d72150071b31ff3036834f0d26544e2c2c274bce95d234b14ea.exe "C:\Users\Admin\AppData\Local\Temp\ccc5f7c2dcf83d72150071b31ff3036834f0d26544e2c2c274bce95d234b14ea.exe" (PID 1108)
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\ccc5f7c2dcf83d72150071b31ff3036834f0d26544e2c2c274bce95d234b14ea.exe "C:\Users\Admin\AppData\Local\Temp\ccc5f7c2dcf83d72150071b31ff3036834f0d26544e2c2c274bce95d234b14ea.exe" (PID 1976)
  - Suspicious behavior: EnumeratesProcesses