Analysis

  max time kernel:   148s
  max time network:  152s
  platform:          windows10-2004_x64
  resource:          win10v2004-20220812-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         19/01/2023, 07:32

  Static task:       static1
  Behavioral task:   behavioral1
    Sample:          7d850c7483817ae91c6b6dde59c22141b754d04ec2e0985ffcd85b08f2e9ae58.exe
    Resource:        win7-20221111-en
General

  Target:  7d850c7483817ae91c6b6dde59c22141b754d04ec2e0985ffcd85b08f2e9ae58.exe
  Size:    243KB
  MD5:     79f342dceff76485db960d4e9de522f2
  SHA1:    e54b0ca25b62d3f377b68d3037ff4d78350a627b
  SHA256:  7d850c7483817ae91c6b6dde59c22141b754d04ec2e0985ffcd85b08f2e9ae58
  SHA512:  548ab3961741ffec55a593b26bbc383e7afbae20509f475e46ecf3470334d6c125d6fc0e6ef5fd4f85eccd2492db8320628228e5c1bc5dd89ed5822bb958c1a5
  SSDEEP:  6144:cFgRqbsZzgQvSwEMFusUCj2eY7UBytn4/oOshpgfMc:qsZz+lMksdG7UBa4/o3kMc
Malware Config

  Extracted: xloader 2.6 zgtb
Signatures

Xloader payload (4 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/1600-135-0x0000000000400000-0x000000000042B000-memory.dmp  xloader
  behavioral2/memory/1600-141-0x0000000000400000-0x000000000042B000-memory.dmp  xloader
  behavioral2/memory/4340-144-0x0000000000520000-0x000000000054B000-memory.dmp  xloader
  behavioral2/memory/4340-147-0x0000000000520000-0x000000000054B000-memory.dmp  xloader

Blocklisted process makes network request (3 IoCs)
  flow  pid   Process
  45    4340  rundll32.exe
  64    4340  rundll32.exe
  69    4340  rundll32.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process                                                                   procid_target
  PID 1264 set thread context of 1600  1264  7d850c7483817ae91c6b6dde59c22141b754d04ec2e0985ffcd85b08f2e9ae58.exe  83
  PID 1600 set thread context of 3048  1600  cvtres.exe                                                                54
  PID 4340 set thread context of 3048  4340  rundll32.exe                                                              54

Suspicious behavior: EnumeratesProcesses (62 IoCs)
  pid   Process
  1264  7d850c7483817ae91c6b6dde59c22141b754d04ec2e0985ffcd85b08f2e9ae58.exe  (2 entries)
  1600  cvtres.exe                                                                (4 entries)
  4340  rundll32.exe                                                              (56 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  3048  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   Process
  1600  cvtres.exe    (3 entries)
  4340  rundll32.exe  (2 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1264  7d850c7483817ae91c6b6dde59c22141b754d04ec2e0985ffcd85b08f2e9ae58.exe
  Token: SeDebugPrivilege  1600  cvtres.exe
  Token: SeDebugPrivilege  4340  rundll32.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 1264 wrote to memory of 680    1264  7d850c7483817ae91c6b6dde59c22141b754d04ec2e0985ffcd85b08f2e9ae58.exe  82  (3 entries)
  PID 1264 wrote to memory of 1600   1264  7d850c7483817ae91c6b6dde59c22141b754d04ec2e0985ffcd85b08f2e9ae58.exe  83  (6 entries)
  PID 3048 wrote to memory of 4340   3048  Explorer.EXE                                                              84  (3 entries)
  PID 4340 wrote to memory of 5024   4340  rundll32.exe                                                              85  (3 entries)
Processes

C:\Windows\Explorer.EXE  (PID 3048, depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\7d850c7483817ae91c6b6dde59c22141b754d04ec2e0985ffcd85b08f2e9ae58.exe  (PID 1264, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\7d850c7483817ae91c6b6dde59c22141b754d04ec2e0985ffcd85b08f2e9ae58.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  (PID 680, depth 3)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  (PID 1600, depth 3)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\rundll32.exe  (PID 4340, depth 2)
    command line: "C:\Windows\SysWOW64\rundll32.exe"
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 5024, depth 3)
      command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"