Analysis Overview
SHA256
d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2
Threat Level: Known bad
The file d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2 was found to be: Known bad.
Malicious Activity Summary
Xloader
CustAttr .NET packer
Xloader payload
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-01-29 20:27
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-29 20:27
Reported
2023-01-29 20:29
Platform
win10v2004-20220812-en
Max time kernel
130s
Max time network
152s
Command Line
Signatures
Xloader
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4556 set thread context of 1700 | N/A | C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe | C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe
"C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe"
C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe
"C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.220.29:80 | N/A | tcp |
| N/A | 93.184.220.29:80 | N/A | tcp |
| N/A | 13.89.179.8:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | 15.89.54.20.in-addr.arpa | udp |
| N/A | 8.238.20.126:80 | N/A | tcp |
Files
memory/4556-132-0x0000000000500000-0x00000000005FC000-memory.dmp
memory/4556-133-0x0000000004F90000-0x000000000502C000-memory.dmp
memory/4556-134-0x0000000005690000-0x0000000005C34000-memory.dmp
memory/4556-135-0x00000000050E0000-0x0000000005172000-memory.dmp
memory/4556-136-0x0000000005030000-0x000000000503A000-memory.dmp
memory/4556-137-0x0000000005180000-0x00000000051D6000-memory.dmp
memory/1700-138-0x0000000000000000-mapping.dmp
memory/1700-139-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1700-140-0x00000000017B0000-0x0000000001AFA000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-29 20:27
Reported
2023-01-29 20:29
Platform
win7-20221111-en
Max time kernel
103s
Max time network
31s
Command Line
Signatures
Xloader
CustAttr .NET packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1232 set thread context of 1500 | N/A | C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe | C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe
"C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe"
C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe
"C:\Users\Admin\AppData\Local\Temp\d73dfe16ee1bc567ce32a408839c9074509ad6cc1e21fd710f7a9f97a5d623e2.exe"
Network
Files
memory/1232-54-0x00000000012A0000-0x000000000139C000-memory.dmp
memory/1232-55-0x00000000760B1000-0x00000000760B3000-memory.dmp
memory/1232-56-0x0000000000390000-0x0000000000398000-memory.dmp
memory/1232-57-0x0000000001250000-0x00000000012A6000-memory.dmp
memory/1500-58-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1500-59-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1500-61-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1500-62-0x000000000041CFC0-mapping.dmp
memory/1500-63-0x00000000008D0000-0x0000000000BD3000-memory.dmp