Analysis Overview
SHA256
d48c6eda4d7da385d81986abfc9e091f3498cad3d29adf040eda851f28a10e1a
Threat Level: Known bad
The file d48c6eda4d7da385d81986abfc9e091f3498cad3d29adf040eda851f28a10e1a was found to be: Known bad.
Malicious Activity Summary
Xloader
Xloader payload
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-01-29 20:27
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-29 20:27
Reported
2023-01-29 20:30
Platform
win7-20220901-en
Max time kernel
118s
Max time network
49s
Command Line
Signatures
Xloader
Xloader payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2024 set thread context of 620 | N/A | C:\Users\Admin\AppData\Local\Temp\d48c6eda4d7da385d81986abfc9e091f3498cad3d29adf040eda851f28a10e1a.exe | C:\Users\Admin\AppData\Local\Temp\d48c6eda4d7da385d81986abfc9e091f3498cad3d29adf040eda851f28a10e1a.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d48c6eda4d7da385d81986abfc9e091f3498cad3d29adf040eda851f28a10e1a.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d48c6eda4d7da385d81986abfc9e091f3498cad3d29adf040eda851f28a10e1a.exe
"C:\Users\Admin\AppData\Local\Temp\d48c6eda4d7da385d81986abfc9e091f3498cad3d29adf040eda851f28a10e1a.exe"
C:\Users\Admin\AppData\Local\Temp\d48c6eda4d7da385d81986abfc9e091f3498cad3d29adf040eda851f28a10e1a.exe
"C:\Users\Admin\AppData\Local\Temp\d48c6eda4d7da385d81986abfc9e091f3498cad3d29adf040eda851f28a10e1a.exe"
Network
Files
memory/2024-54-0x00000000759F1000-0x00000000759F3000-memory.dmp
memory/2024-55-0x0000000074A00000-0x0000000074FAB000-memory.dmp
memory/2024-56-0x0000000074A00000-0x0000000074FAB000-memory.dmp
memory/620-57-0x0000000000400000-0x0000000000428000-memory.dmp
memory/620-58-0x0000000000400000-0x0000000000428000-memory.dmp
memory/620-60-0x0000000000400000-0x0000000000428000-memory.dmp
memory/620-61-0x000000000041D000-mapping.dmp
memory/2024-62-0x0000000074A00000-0x0000000074FAB000-memory.dmp
memory/620-63-0x0000000000AC0000-0x0000000000DC3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-29 20:27
Reported
2023-01-29 20:29
Platform
win10v2004-20220812-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Xloader
Xloader payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5056 set thread context of 4932 | N/A | C:\Users\Admin\AppData\Local\Temp\d48c6eda4d7da385d81986abfc9e091f3498cad3d29adf040eda851f28a10e1a.exe | C:\Users\Admin\AppData\Local\Temp\d48c6eda4d7da385d81986abfc9e091f3498cad3d29adf040eda851f28a10e1a.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d48c6eda4d7da385d81986abfc9e091f3498cad3d29adf040eda851f28a10e1a.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d48c6eda4d7da385d81986abfc9e091f3498cad3d29adf040eda851f28a10e1a.exe
"C:\Users\Admin\AppData\Local\Temp\d48c6eda4d7da385d81986abfc9e091f3498cad3d29adf040eda851f28a10e1a.exe"
C:\Users\Admin\AppData\Local\Temp\d48c6eda4d7da385d81986abfc9e091f3498cad3d29adf040eda851f28a10e1a.exe
"C:\Users\Admin\AppData\Local\Temp\d48c6eda4d7da385d81986abfc9e091f3498cad3d29adf040eda851f28a10e1a.exe"
C:\Users\Admin\AppData\Local\Temp\d48c6eda4d7da385d81986abfc9e091f3498cad3d29adf040eda851f28a10e1a.exe
"C:\Users\Admin\AppData\Local\Temp\d48c6eda4d7da385d81986abfc9e091f3498cad3d29adf040eda851f28a10e1a.exe"
C:\Users\Admin\AppData\Local\Temp\d48c6eda4d7da385d81986abfc9e091f3498cad3d29adf040eda851f28a10e1a.exe
"C:\Users\Admin\AppData\Local\Temp\d48c6eda4d7da385d81986abfc9e091f3498cad3d29adf040eda851f28a10e1a.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 52.109.8.44:443 | | tcp |
| N/A | 52.168.112.66:443 | | tcp |
| N/A | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp |
| N/A | 8.252.51.254:80 | | tcp |
| N/A | 104.80.225.205:443 | | tcp |
Files
memory/5056-132-0x0000000074EC0000-0x0000000075471000-memory.dmp
memory/5056-133-0x0000000074EC0000-0x0000000075471000-memory.dmp
memory/4684-134-0x0000000000000000-mapping.dmp
memory/1944-135-0x0000000000000000-mapping.dmp
memory/4932-136-0x0000000000000000-mapping.dmp
memory/4932-137-0x0000000000400000-0x0000000000428000-memory.dmp
memory/5056-138-0x0000000074EC0000-0x0000000075471000-memory.dmp
memory/4932-139-0x0000000001680000-0x00000000019CA000-memory.dmp