Overview

Static
- 1033.exe (windows10-2004-x64)
- 1034.exe (windows10-2004-x64)
- 1035.exe (windows10-2004-x64)
- 1036.exe (windows10-2004-x64)
- 1037.exe (windows10-2004-x64)
- 1038.exe (windows10-2004-x64)
- 1039.exe (windows10-2004-x64)
- 1040.exe (windows10-2004-x64)
- 1041.exe (windows10-2004-x64)
- 1042.exe (windows10-2004-x64)
- 1043.exe (windows10-2004-x64)
- 1044.exe (windows10-2004-x64)
- 1045.exe (windows10-2004-x64)
- 1046.exe (windows10-2004-x64)
Analysis
- max time kernel: 152s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-09-2022 03:27
Behavioral tasks (task: sample, resource)
- behavioral1: 33.exe, win10v2004-20220812-en
- behavioral2: 34.exe, win10v2004-20220901-en
- behavioral3: 35.exe, win10v2004-20220812-en
- behavioral4: 36.exe, win10v2004-20220812-en
- behavioral5: 37.exe, win10v2004-20220901-en
- behavioral6: 38.exe, win10v2004-20220812-en
- behavioral7: 39.exe, win10v2004-20220812-en
- behavioral8: 40.exe, win10v2004-20220901-en
- behavioral9: 41.exe, win10v2004-20220812-en
- behavioral10: 42.exe, win10v2004-20220812-en
- behavioral11: 43.exe, win10v2004-20220901-en
- behavioral12: 44.exe, win10v2004-20220812-en
- behavioral13: 45.exe, win10v2004-20220812-en
General
- Target: 36.exe
- Size: 176KB
- MD5: d68996bdcd5a2b28de82355a1107fb9f
- SHA1: f4ac00f5e4864a47da3569e0e75eb051e5ffd2bb
- SHA256: 85668639c9ef2ed33488e13f4cfdb3f90342425c0f7a2ff014e77bd316e5581c
- SHA512: d7c34972a76078ffde2c0cf7b2be0e39ffb0b070fea4c8b04e7f0e9339a8d1c50c427af659c2f9e634a9c71f04a87d8a54cf4cf8880a0ebdeab5a49f072aa536
- SSDEEP: 3072:LVz5TPJuR4ptWuN9X3kUAJefLJMfC0OfWKHFpfY9kn992ffG57AhohP:NFgOph9noeTJTPnfjnUzoh
Malware Config (extracted)
- family: xloader
- version: 2.9
- campaign: iewb
- domain: mounscape.com
Signatures

Xloader payload (2 IoCs)
Processes (resource, yara rule):
- behavioral4/memory/1508-137-0x0000000000700000-0x000000000072C000-memory.dmp: xloader
- behavioral4/memory/1508-140-0x0000000000700000-0x000000000072C000-memory.dmp: xloader

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- 36.exe: key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation

Suspicious use of SetThreadContext (2 IoCs)
Processes:
- PID 4412 (36.exe) set thread context of PID 2220 (Explorer.EXE)
- PID 1508 (cmmon32.exe) set thread context of PID 2220 (Explorer.EXE)

Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes (pid, process):
- 4412 36.exe (4 entries)
- 1508 cmmon32.exe (56 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- 2220 Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes (pid, process):
- 4412 36.exe (3 entries)
- 1508 cmmon32.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- 4412 36.exe: Token SeDebugPrivilege
- 1508 cmmon32.exe: Token SeDebugPrivilege

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
- PID 2220 (Explorer.EXE) wrote to memory of PID 1508 (cmmon32.exe) (3 entries)
- PID 1508 (cmmon32.exe) wrote to memory of PID 4488 (cmd.exe) (3 entries)
Processes (tree; command line in quotes after the image path)
- C:\Windows\Explorer.EXE, "C:\Windows\Explorer.EXE"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\36.exe, "C:\Users\Admin\AppData\Local\Temp\36.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmmon32.exe, "C:\Windows\SysWOW64\cmmon32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe, /c del "C:\Users\Admin\AppData\Local\Temp\36.exe"
Downloads
- memory/1508-135-0x0000000000000000-mapping.dmp
- memory/1508-136-0x0000000000CE0000-0x0000000000CEC000-memory.dmp (48KB)
- memory/1508-137-0x0000000000700000-0x000000000072C000-memory.dmp (176KB)
- memory/1508-139-0x0000000002690000-0x00000000029DA000-memory.dmp (3.3MB)
- memory/1508-140-0x0000000000700000-0x000000000072C000-memory.dmp (176KB)
- memory/1508-141-0x0000000002430000-0x00000000024C0000-memory.dmp (576KB)
- memory/2220-134-0x0000000008080000-0x000000000821E000-memory.dmp (1.6MB)
- memory/2220-142-0x0000000002CD0000-0x0000000002DBC000-memory.dmp (944KB)
- memory/2220-143-0x0000000002CD0000-0x0000000002DBC000-memory.dmp (944KB)
- memory/4412-132-0x0000000000C20000-0x0000000000F6A000-memory.dmp (3.3MB)
- memory/4412-133-0x0000000000C00000-0x0000000000C11000-memory.dmp (68KB)
- memory/4488-138-0x0000000000000000-mapping.dmp