Analysis
  max time kernel: 93s
  max time network: 93s
  platform: windows10-2004_x64
  resource: win10v2004-20221111-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 20/01/2023, 18:13

Behavioral task: behavioral1
  Sample: 0.exe
  Resource: win7-20221111-en

General
  Target: 0.exe
  Size: 163KB
  MD5: a4a9a8d2a7bfdcc21c51a2b2015e6de9
  SHA1: 5ce069dd1c3bc14adbf6629d30350999f42dd6ab
  SHA256: 223430a82147cb3fdb9c50c0f133c766c42a24ac655406dd908d198a8334dcda
  SHA512: 86ebdabf102aafb0a4ca5be2446bc6a533e595856f47ff50ac2fe7f71d045576cd684c7a42870bae4f8c65f2f8262fa828058bab51c94f6b8cc7ad92153266aa
  SSDEEP: 3072:38JCSpCjqSQeAdXZGMy0evnZqQso21HZWgO9b75Gz63WPA0rA:3tC0gIMHSZqQso2qgO9btG+3W40
Malware Config
Extracted
xloader
2.5
2bun
Signatures

Xloader payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/3300-138-0x0000000000140000-0x0000000000169000-memory.dmp  xloader
  behavioral2/memory/3300-142-0x0000000000140000-0x0000000000169000-memory.dmp  xloader

Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   process       procid_target
  PID 5092 set thread context of 2492  5092  0.exe         54
  PID 3300 set thread context of 2492  3300  WWAHost.exe   54

Suspicious behavior: EnumeratesProcesses (40 IoCs)
  pid   process
  5092  0.exe        (4 hits)
  3300  WWAHost.exe  (36 hits)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   process
  2492  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   process
  5092  0.exe        (3 hits)
  3300  WWAHost.exe  (2 hits)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  5092  0.exe
  Token: SeDebugPrivilege  3300  WWAHost.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   process        procid_target
  PID 2492 wrote to memory of 3300  2492  Explorer.EXE   103  (3 hits)
  PID 3300 wrote to memory of 1144  3300  WWAHost.exe    107  (3 hits)
Processes

C:\Windows\Explorer.EXE  (PID 2492)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\0.exe  (PID 5092)
    command line: "C:\Users\Admin\AppData\Local\Temp\0.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\autochk.exe  (11 instances: PIDs 4380, 3828, 1180, 3696, 3680, 3720, 3436, 5000, 4704, 3708, 2472)
    command line: "C:\Windows\SysWOW64\autochk.exe"

  C:\Windows\SysWOW64\autoconv.exe  (11 instances: PIDs 400, 4700, 4736, 4816, 4292, 4448, 3204, 3864, 4444, 3024, 5004)
    command line: "C:\Windows\SysWOW64\autoconv.exe"

  C:\Windows\SysWOW64\WWAHost.exe  (PID 3300)
    command line: "C:\Windows\SysWOW64\WWAHost.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 1144)
      command line: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\0.exe"