Analysis Overview
SHA256
7d53754fb2eb6479e9d71d07036133421f4d153ec252873c7beeb619f762a90f
Threat Level: Known bad
The file 7d53754fb2eb6479e9d71d07036133421f4d153ec252873c7beeb619f762a90f was found to be: Known bad.
Malicious Activity Summary
Xloader
Xloader payload
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates physical storage devices
NSIS installer
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-20 18:15
Signatures
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-20 18:15
Reported
2023-01-20 18:18
Platform
win7-20221111-en
Max time kernel
27s
Max time network
30s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7d53754fb2eb6479e9d71d07036133421f4d153ec252873c7beeb619f762a90f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7d53754fb2eb6479e9d71d07036133421f4d153ec252873c7beeb619f762a90f.exe
"C:\Users\Admin\AppData\Local\Temp\7d53754fb2eb6479e9d71d07036133421f4d153ec252873c7beeb619f762a90f.exe"
C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe
C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe C:\Users\Admin\AppData\Local\Temp\zdjjwjv
C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe
C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe C:\Users\Admin\AppData\Local\Temp\zdjjwjv
Network
Files
memory/1204-54-0x00000000753F1000-0x00000000753F3000-memory.dmp
\Users\Admin\AppData\Local\Temp\rcviyqs.exe
| MD5 | ca62620c3ef481629e95d16ed9ae0017 |
| SHA1 | 4d2d3489edefc06534adcf79baba5b8444a12767 |
| SHA256 | 071720955930988f96661616b256eff1bda2b181ca5b89638782134fc35c6de6 |
| SHA512 | cfd026d7ff3c5f78232de23379158421005e9d24415baf808e11f14b283ebb46e34f12c11694db9f1f77ff7535043b7e9f373a08e1813ea400f5081d66bc2cc6 |
memory/2036-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe
| MD5 | ca62620c3ef481629e95d16ed9ae0017 |
| SHA1 | 4d2d3489edefc06534adcf79baba5b8444a12767 |
| SHA256 | 071720955930988f96661616b256eff1bda2b181ca5b89638782134fc35c6de6 |
| SHA512 | cfd026d7ff3c5f78232de23379158421005e9d24415baf808e11f14b283ebb46e34f12c11694db9f1f77ff7535043b7e9f373a08e1813ea400f5081d66bc2cc6 |
C:\Users\Admin\AppData\Local\Temp\zdjjwjv
| MD5 | f6fed7693ed7d2d12d67639bcc14bc81 |
| SHA1 | c102b969911458ab547ff88a2f6bed088306621b |
| SHA256 | 60471f688a14618266cc6e77046711aad55d1679fea88170fd9250e1c24b59fc |
| SHA512 | 911c596347be043945d2670d7b66bd3d5a3885fe068c8cd19c5f5ed110d942630d91d992147f5fc9482043ab913ffcee29b9a83573dde8330ddb702ef3e50294 |
C:\Users\Admin\AppData\Local\Temp\1ywlrkxvvx812p0hw00x
| MD5 | 4ed69a3c1f8ab690c2a2dca2afc8dded |
| SHA1 | e39266fec1bb13a856a02f63a94ad0cbb5835379 |
| SHA256 | 5ad0d54e33047f593130a63ba5b4d045b843de968c2ab09b3eab4b648b362901 |
| SHA512 | 6d8a1f0b90e37f2bac77c07802c78524a26a9ac224f86ae6a06f6feef4b80752ae42eca728a8f0bdeb5a2b108c545f998f31d1ed0bd05176e6f94de88980cb34 |
C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe
| MD5 | ca62620c3ef481629e95d16ed9ae0017 |
| SHA1 | 4d2d3489edefc06534adcf79baba5b8444a12767 |
| SHA256 | 071720955930988f96661616b256eff1bda2b181ca5b89638782134fc35c6de6 |
| SHA512 | cfd026d7ff3c5f78232de23379158421005e9d24415baf808e11f14b283ebb46e34f12c11694db9f1f77ff7535043b7e9f373a08e1813ea400f5081d66bc2cc6 |
\Users\Admin\AppData\Local\Temp\rcviyqs.exe
| MD5 | ca62620c3ef481629e95d16ed9ae0017 |
| SHA1 | 4d2d3489edefc06534adcf79baba5b8444a12767 |
| SHA256 | 071720955930988f96661616b256eff1bda2b181ca5b89638782134fc35c6de6 |
| SHA512 | cfd026d7ff3c5f78232de23379158421005e9d24415baf808e11f14b283ebb46e34f12c11694db9f1f77ff7535043b7e9f373a08e1813ea400f5081d66bc2cc6 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-20 18:15
Reported
2023-01-20 18:18
Platform
win10v2004-20221111-en
Max time kernel
127s
Max time network
130s
Command Line
Signatures
Xloader
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4792 set thread context of 628 | N/A | C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe | C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe |
| PID 628 set thread context of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe | C:\Windows\Explorer.EXE |
| PID 3152 set thread context of 2080 | N/A | C:\Windows\SysWOW64\chkdsk.exe | C:\Windows\Explorer.EXE |
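The three rows above describe a thread-hijacking chain: the dropped rcviyqs.exe (PID 4792) rewrites the thread context of a second rcviyqs.exe instance (PID 628), which in turn targets Explorer.EXE (PID 2080), and chkdsk.exe (PID 3152) later does the same to Explorer.EXE. The following Python is an added example, not part of the sandbox report; it reconstructs that chain from the table's "PID <a> set thread context of <b>" wording and flags edges where a binary under AppData\Local\Temp, or any process, sets the context of a system image such as explorer.exe. The row tuples are copied from the table; the regex and the SYSTEM_TARGETS set are assumptions for the example.

```python
"""Reconstruct the SetThreadContext injection chain from the behavioral2 table.

Added example, not from the report. Rows are copied from the
"Suspicious use of SetThreadContext" table; parsing assumes its
"PID <a> set thread context of <b>" wording (an assumption).
"""
import re
from collections import defaultdict

SETTHREADCONTEXT_ROWS = [
    ("PID 4792 set thread context of 628",
     r"C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe",
     r"C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe"),
    ("PID 628 set thread context of 2080",
     r"C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe",
     r"C:\Windows\Explorer.EXE"),
    ("PID 3152 set thread context of 2080",
     r"C:\Windows\SysWOW64\chkdsk.exe",
     r"C:\Windows\Explorer.EXE"),
]

ROW_RE = re.compile(r"PID (\d+) set thread context of (\d+)")

# System images that a binary from a user-writable directory should never
# write a thread context into (set chosen for this example).
SYSTEM_TARGETS = {"explorer.exe"}


def parse_rows(rows):
    """Return (src_pid, src_image, dst_pid, dst_image) edges from table rows."""
    edges = []
    for desc, src_image, dst_image in rows:
        m = ROW_RE.fullmatch(desc)
        if not m:
            raise ValueError(f"unexpected row wording: {desc!r}")
        edges.append((int(m.group(1)), src_image, int(m.group(2)), dst_image))
    return edges


def build_pid_images(edges):
    """Map every PID seen in the edges to its image path."""
    pid_image = {}
    for src_pid, src_image, dst_pid, dst_image in edges:
        pid_image[src_pid] = src_image
        pid_image[dst_pid] = dst_image
    return pid_image


def injection_chains(edges):
    """Follow src->dst edges from roots (PIDs nobody wrote into) down to leaves."""
    children = defaultdict(list)
    targets = set()
    for src_pid, _, dst_pid, _ in edges:
        children[src_pid].append(dst_pid)
        targets.add(dst_pid)
    roots = [pid for pid in children if pid not in targets]
    chains = []

    def walk(pid, path):
        path = path + [pid]
        if not children.get(pid):
            chains.append(path)
            return
        for nxt in children[pid]:
            walk(nxt, path)

    for root in sorted(roots):
        walk(root, [])
    return chains


def flag_suspicious(edges):
    """Flag edges whose source runs from AppData\\Local\\Temp or whose target is a system image."""
    flagged = []
    for src_pid, src_image, dst_pid, dst_image in edges:
        dst_name = dst_image.rsplit("\\", 1)[-1].lower()
        src_from_temp = "\\appdata\\local\\temp\\" in src_image.lower()
        if dst_name in SYSTEM_TARGETS or src_from_temp:
            flagged.append((src_pid, dst_pid))
    return flagged


if __name__ == "__main__":
    edges = parse_rows(SETTHREADCONTEXT_ROWS)
    images = build_pid_images(edges)
    for chain in injection_chains(edges):
        print(" -> ".join(f"{pid} ({images[pid].rsplit(chr(92), 1)[-1]})" for pid in chain))
    print("flagged edges:", flag_suspicious(edges))
```

Both chains end in Explorer.EXE, which is why the GetForegroundWindowSpam and MapViewOfSection signatures later in this report are attributed to Explorer.EXE and chkdsk.exe rather than to the dropped executable: the observable behaviour runs inside hijacked processes, so detection that keys only on the rcviyqs.exe image will miss the later stages.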
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\7d53754fb2eb6479e9d71d07036133421f4d153ec252873c7beeb619f762a90f.exe
"C:\Users\Admin\AppData\Local\Temp\7d53754fb2eb6479e9d71d07036133421f4d153ec252873c7beeb619f762a90f.exe"
C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe
C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe C:\Users\Admin\AppData\Local\Temp\zdjjwjv
C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe
C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe C:\Users\Admin\AppData\Local\Temp\zdjjwjv
C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | www.reliancetechsolutions.com | udp |
| N/A | 34.102.136.180:80 | www.reliancetechsolutions.com | tcp |
| N/A | 67.27.153.254:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | www.newarkroofingcontractor.com | udp |
| N/A | 198.54.117.217:80 | www.newarkroofingcontractor.com | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | www.medicareopenenrollment.info | udp |
| N/A | 199.34.228.50:80 | www.medicareopenenrollment.info | tcp |
| N/A | 67.27.153.254:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | www.hsncsoft.com | udp |
| N/A | 8.8.8.8:53 | www.ig-representative.com | udp |
| N/A | 8.8.8.8:53 | www.appcast-60.com | udp |
| N/A | 8.8.8.8:53 | www.fo71.com | udp |
| N/A | 8.8.8.8:53 | www.criticalequipmentservices.com | udp |
| N/A | 198.54.117.212:80 | www.criticalequipmentservices.com | tcp |
| N/A | 8.8.8.8:53 | www.hallywoodfire.com | udp |
| N/A | 99.83.154.118:80 | www.hallywoodfire.com | tcp |
| N/A | 8.8.8.8:53 | www.lens-experts.com | udp |
| N/A | 8.8.8.8:53 | www.johnfrenchart.com | udp |
| N/A | 72.14.188.72:80 | www.johnfrenchart.com | tcp |
| N/A | 8.8.8.8:53 | www.treeteescoop.com | udp |
| N/A | 8.8.8.8:53 | www.xn--snabbtkrkortonline-j3b.com | udp |
| N/A | 185.212.71.189:80 | www.xn--snabbtkrkortonline-j3b.com | tcp |
| N/A | 8.8.8.8:53 | www.iexiufu.net | udp |
| N/A | 216.172.145.254:80 | www.iexiufu.net | tcp |
| N/A | 8.8.8.8:53 | www.twinklylight.com | udp |
| N/A | 52.20.84.62:80 | www.twinklylight.com | tcp |
| N/A | 8.8.8.8:53 | www.fo71.com | udp |
| N/A | 8.8.8.8:53 | www.minjunsa.com | udp |
| N/A | 8.8.8.8:53 | www.newarkroofingcontractor.com | udp |
| N/A | 198.54.117.216:80 | www.newarkroofingcontractor.com | tcp |
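The table above mixes three kinds of rows: DNS queries to the sandbox resolver (8.8.8.8:53, udp), TCP connections paired with the domain they were resolved from, and TCP connections with no domain recorded. The Python below is an added example, not part of the report; it normalises a subset of the rows (copied from the table) into queried domains, domain-to-endpoint contacts, and bare-IP connections, and lists domains that were queried but never followed by a connection. Two caveats a practitioner would want before turning this into a blocklist: 8.8.8.8 is the sandbox's resolver, not an indicator, and Xloader (the Formbook lineage) is known to contact decoy domains alongside its real C2, so the domain list is "contacted by the sample", not "confirmed malicious". Bare-IP endpoints such as 67.27.153.254:80 and 104.80.225.205:443 have no domain in the table and should be checked separately rather than assumed to belong to the malware.

```python
"""Normalise the behavioral2 Network table into IOC candidates.

Added example, not from the report. NETWORK_ROWS is a subset of the
table's (Destination, Domain, Proto) cells; an empty Domain means the
sandbox recorded a connection without an associated DNS answer.
"""
from collections import OrderedDict

NETWORK_ROWS = [
    ("8.8.8.8:53", "www.reliancetechsolutions.com", "udp"),
    ("34.102.136.180:80", "www.reliancetechsolutions.com", "tcp"),
    ("67.27.153.254:80", "", "tcp"),
    ("8.8.8.8:53", "www.newarkroofingcontractor.com", "udp"),
    ("198.54.117.217:80", "www.newarkroofingcontractor.com", "tcp"),
    ("104.80.225.205:443", "", "tcp"),
    ("8.8.8.8:53", "www.medicareopenenrollment.info", "udp"),
    ("199.34.228.50:80", "www.medicareopenenrollment.info", "tcp"),
    ("67.27.153.254:80", "", "tcp"),
    ("8.8.8.8:53", "www.hsncsoft.com", "udp"),
    ("8.8.8.8:53", "www.fo71.com", "udp"),
    ("8.8.8.8:53", "www.fo71.com", "udp"),
    ("8.8.8.8:53", "www.newarkroofingcontractor.com", "udp"),
    ("198.54.117.216:80", "www.newarkroofingcontractor.com", "tcp"),
]

# The sandbox's DNS resolver (from the table); excluded from indicators.
RESOLVER = "8.8.8.8"


def split_dest(dest):
    """Split 'ip:port' into (ip, port); rpartition keeps this safe for IPv6 literals too."""
    host, _, port = dest.rpartition(":")
    return host, int(port)


def summarise(rows):
    """Return (queried domains -> count, domain -> set of endpoints, bare endpoint -> count)."""
    queried = OrderedDict()
    contacted = OrderedDict()
    bare_endpoints = OrderedDict()
    for dest, domain, proto in rows:
        ip, port = split_dest(dest)
        if proto == "udp" and ip == RESOLVER and port == 53:
            queried[domain] = queried.get(domain, 0) + 1
            continue
        if domain:
            contacted.setdefault(domain, set()).add(dest)
        else:
            bare_endpoints[dest] = bare_endpoints.get(dest, 0) + 1
    return queried, contacted, bare_endpoints


def queried_not_contacted(rows):
    """Domains the sample resolved but never connected to within the capture."""
    queried, contacted, _ = summarise(rows)
    return [domain for domain in queried if domain not in contacted]


if __name__ == "__main__":
    queried, contacted, bare = summarise(NETWORK_ROWS)
    print("queried:", dict(queried))
    print("contacted:", {d: sorted(e) for d, e in contacted.items()})
    print("bare endpoints (verify before blocking):", dict(bare))
    print("queried but not contacted:", queried_not_contacted(NETWORK_ROWS))
```

The queried-but-not-contacted list (www.hsncsoft.com and www.fo71.com in this subset) is worth keeping separate: a domain that is resolved but never connected to may simply have failed to resolve, which the table does not record either way.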
Files
C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe
| MD5 | ca62620c3ef481629e95d16ed9ae0017 |
| SHA1 | 4d2d3489edefc06534adcf79baba5b8444a12767 |
| SHA256 | 071720955930988f96661616b256eff1bda2b181ca5b89638782134fc35c6de6 |
| SHA512 | cfd026d7ff3c5f78232de23379158421005e9d24415baf808e11f14b283ebb46e34f12c11694db9f1f77ff7535043b7e9f373a08e1813ea400f5081d66bc2cc6 |
memory/4792-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe
| MD5 | ca62620c3ef481629e95d16ed9ae0017 |
| SHA1 | 4d2d3489edefc06534adcf79baba5b8444a12767 |
| SHA256 | 071720955930988f96661616b256eff1bda2b181ca5b89638782134fc35c6de6 |
| SHA512 | cfd026d7ff3c5f78232de23379158421005e9d24415baf808e11f14b283ebb46e34f12c11694db9f1f77ff7535043b7e9f373a08e1813ea400f5081d66bc2cc6 |
C:\Users\Admin\AppData\Local\Temp\zdjjwjv
| MD5 | f6fed7693ed7d2d12d67639bcc14bc81 |
| SHA1 | c102b969911458ab547ff88a2f6bed088306621b |
| SHA256 | 60471f688a14618266cc6e77046711aad55d1679fea88170fd9250e1c24b59fc |
| SHA512 | 911c596347be043945d2670d7b66bd3d5a3885fe068c8cd19c5f5ed110d942630d91d992147f5fc9482043ab913ffcee29b9a83573dde8330ddb702ef3e50294 |
C:\Users\Admin\AppData\Local\Temp\1ywlrkxvvx812p0hw00x
| MD5 | 4ed69a3c1f8ab690c2a2dca2afc8dded |
| SHA1 | e39266fec1bb13a856a02f63a94ad0cbb5835379 |
| SHA256 | 5ad0d54e33047f593130a63ba5b4d045b843de968c2ab09b3eab4b648b362901 |
| SHA512 | 6d8a1f0b90e37f2bac77c07802c78524a26a9ac224f86ae6a06f6feef4b80752ae42eca728a8f0bdeb5a2b108c545f998f31d1ed0bd05176e6f94de88980cb34 |
memory/628-137-0x0000000000000000-mapping.dmp
memory/628-138-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rcviyqs.exe
| MD5 | ca62620c3ef481629e95d16ed9ae0017 |
| SHA1 | 4d2d3489edefc06534adcf79baba5b8444a12767 |
| SHA256 | 071720955930988f96661616b256eff1bda2b181ca5b89638782134fc35c6de6 |
| SHA512 | cfd026d7ff3c5f78232de23379158421005e9d24415baf808e11f14b283ebb46e34f12c11694db9f1f77ff7535043b7e9f373a08e1813ea400f5081d66bc2cc6 |
memory/628-141-0x0000000000400000-0x0000000000429000-memory.dmp
memory/628-142-0x0000000001800000-0x0000000001B4A000-memory.dmp
memory/628-143-0x00000000017E0000-0x00000000017F1000-memory.dmp
memory/2080-144-0x0000000008AE0000-0x0000000008C25000-memory.dmp
memory/3152-145-0x0000000000000000-mapping.dmp
memory/1704-146-0x0000000000000000-mapping.dmp
memory/3152-147-0x0000000000200000-0x000000000020A000-memory.dmp
memory/3152-148-0x0000000000CD0000-0x0000000000CF9000-memory.dmp
memory/3152-149-0x00000000014D0000-0x000000000181A000-memory.dmp
memory/3152-150-0x0000000001300000-0x0000000001390000-memory.dmp
memory/3152-151-0x0000000000CD0000-0x0000000000CF9000-memory.dmp
memory/2080-152-0x0000000003310000-0x00000000033F1000-memory.dmp
memory/2080-153-0x0000000003310000-0x00000000033F1000-memory.dmp