Analysis
- max time kernel: 43s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 23-06-2022 19:49

Static task: static1
Behavioral task: behavioral1
Sample: 0fa72e0e60187e79ab720cf120edab4f.exe
Resource: win7-20220414-en
General
- Target: 0fa72e0e60187e79ab720cf120edab4f.exe
- Size: 571KB
- MD5: 0fa72e0e60187e79ab720cf120edab4f
- SHA1: 0bc9f1238c5560286a7a0273497bee2e19b73d81
- SHA256: 400cf8fe4f1f1d748f7e6696227fe25164aa51e2c731e5cc621d708d0015065b
- SHA512: 93e9424a6d2f1c62c19397b835ddb69d48fe448e549222ba49d631467053f92625ddcb2a51c85b3bf202077c8c80e933e38b7a7fcc839c79775180ba10d73f9d
Malware Config
Extracted
- Family: xloader
- Version: 2.8
- Campaign: nekq
- Domain: pakujwalize.xyz
Signatures
- Xloader Payload (2 IoCs)
  Resource | YARA rule
  behavioral1/memory/1644-62-0x000000000041F670-mapping.dmp | xloader
  behavioral1/memory/1644-61-0x0000000000400000-0x000000000042C000-memory.dmp | xloader
- Suspicious use of SetThreadContext (1 IoC)
  Description | PID | Process | Target process
  PID 1612 set thread context of 1644 | 1612 | 0fa72e0e60187e79ab720cf120edab4f.exe | 0fa72e0e60187e79ab720cf120edab4f.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID | Process
  1612 | 0fa72e0e60187e79ab720cf120edab4f.exe
  1612 | 0fa72e0e60187e79ab720cf120edab4f.exe
  1644 | 0fa72e0e60187e79ab720cf120edab4f.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description | PID | Process
  Token: SeDebugPrivilege | 1612 | 0fa72e0e60187e79ab720cf120edab4f.exe
- Suspicious use of WriteProcessMemory (7 IoCs, all seven entries identical)
  Description | PID | Process | Target process
  PID 1612 wrote to memory of 1644 | 1612 | 0fa72e0e60187e79ab720cf120edab4f.exe | 0fa72e0e60187e79ab720cf120edab4f.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\0fa72e0e60187e79ab720cf120edab4f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0fa72e0e60187e79ab720cf120edab4f.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] (child of [1]) C:\Users\Admin\AppData\Local\Temp\0fa72e0e60187e79ab720cf120edab4f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0fa72e0e60187e79ab720cf120edab4f.exe"
    - Suspicious behavior: EnumeratesProcesses
Downloads
File | Filesize
- memory/1612-54-0x0000000001340000-0x00000000013D6000-memory.dmp | 600KB
- memory/1612-55-0x00000000002F0000-0x000000000030E000-memory.dmp | 120KB
- memory/1612-56-0x00000000052A0000-0x000000000530A000-memory.dmp | 424KB
- memory/1612-57-0x0000000000B90000-0x0000000000BC2000-memory.dmp | 200KB
- memory/1644-58-0x0000000000400000-0x000000000042C000-memory.dmp | 176KB
- memory/1644-59-0x0000000000400000-0x000000000042C000-memory.dmp | 176KB
- memory/1644-62-0x000000000041F670-mapping.dmp | (no size listed)
- memory/1644-61-0x0000000000400000-0x000000000042C000-memory.dmp | 176KB
- memory/1644-63-0x0000000000A60000-0x0000000000D63000-memory.dmp | 3.0MB