Analysis

max time kernel: 57s
max time network: 78s
platform: windows10_x64
resource: win10-20220414-en
submitted: 21/06/2022, 10:21
Static task: static1
General

Target: 25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21.exe
Size: 467KB
MD5: 0a7ee72e2b57214272b36a91835ece31
SHA1: 4f8ba6b8eee9c2f612cd046b34905cd110ec1b12
SHA256: 25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21
SHA512: 22d253e97694d8c62bd188c3ce9008445b3e41389672049ff8d768746fff3fba20a5025ca535b804a9bf976435cb7836e8d728009327c55ada359d2ee35c9f5b
Malware Config

Extracted
Family: xloader
Version: 2.6
Campaign: a2es
Signatures

Xloader Payload (2 IoCs)
resource | yara_rule
behavioral1/memory/4200-190-0x000000000041F2B0-mapping.dmp | xloader
behavioral1/memory/4200-197-0x0000000000400000-0x000000000042B000-memory.dmp | xloader

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 4692 set thread context of 4200 | 4692 | 25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21.exe | 69

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4200 | 25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21.exe
4200 | 25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4692 wrote to memory of 4200 | 4692 | 25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21.exe | 69
PID 4692 wrote to memory of 4200 | 4692 | 25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21.exe | 69
PID 4692 wrote to memory of 4200 | 4692 | 25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21.exe | 69
PID 4692 wrote to memory of 4200 | 4692 | 25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21.exe | 69
PID 4692 wrote to memory of 4200 | 4692 | 25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21.exe | 69
PID 4692 wrote to memory of 4200 | 4692 | 25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21.exe | 69
Processes

1. C:\Users\Admin\AppData\Local\Temp\25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21.exe"
   PID: 4692
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21.exe"
      PID: 4200
      - Suspicious behavior: EnumeratesProcesses