Analysis
max time kernel: 97s
max time network: 96s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 20/01/2023, 18:13
Behavioral task: behavioral1
Sample: 0.exe
Resource: win7-20221111-en
General
Target: 0.exe
Size: 163KB
MD5: a4a9a8d2a7bfdcc21c51a2b2015e6de9
SHA1: 5ce069dd1c3bc14adbf6629d30350999f42dd6ab
SHA256: 223430a82147cb3fdb9c50c0f133c766c42a24ac655406dd908d198a8334dcda
SHA512: 86ebdabf102aafb0a4ca5be2446bc6a533e595856f47ff50ac2fe7f71d045576cd684c7a42870bae4f8c65f2f8262fa828058bab51c94f6b8cc7ad92153266aa
SSDEEP: 3072:38JCSpCjqSQeAdXZGMy0evnZqQso21HZWgO9b75Gz63WPA0rA:3tC0gIMHSZqQso2qgO9btG+3W40
Malware Config
Extracted: xloader 2.5 2bun
Signatures

Xloader payload (2 IoCs)
resource yara_rule
behavioral1/memory/1772-61-0x00000000000C0000-0x00000000000E9000-memory.dmp xloader
behavioral1/memory/1772-65-0x00000000000C0000-0x00000000000E9000-memory.dmp xloader

Deletes itself (1 IoC)
pid Process
948 cmd.exe

Suspicious use of SetThreadContext (2 IoCs)
description pid Process procid_target
PID 1708 set thread context of 1228 1708 0.exe 17
PID 1772 set thread context of 1228 1772 mstsc.exe 17

Suspicious behavior: EnumeratesProcesses (19 IoCs)
pid Process
1708 0.exe (2 entries)
1772 mstsc.exe (17 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid Process
1228 Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
pid Process
1708 0.exe (3 entries)
1772 mstsc.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description pid Process
Token: SeDebugPrivilege 1708 0.exe
Token: SeDebugPrivilege 1772 mstsc.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid Process
1228 Explorer.EXE (2 entries)

Suspicious use of SendNotifyMessage (16 IoCs)
pid Process
1228 Explorer.EXE (16 entries)

Suspicious use of WriteProcessMemory (8 IoCs)
description pid Process procid_target
PID 1228 wrote to memory of 1772 1228 Explorer.EXE 28 (4 entries)
PID 1772 wrote to memory of 948 1772 mstsc.exe 29 (4 entries)
Processes

C:\Windows\Explorer.EXE (PID 1228, depth 1)
command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\0.exe (PID 1708, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\0.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\mstsc.exe (PID 1772, depth 2)
    command line: "C:\Windows\SysWOW64\mstsc.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 948, depth 3)
        command line: /c del "C:\Users\Admin\AppData\Local\Temp\0.exe"
        - Deletes itself