Analysis
- Max time kernel: 149s
- Max time network: 154s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220812-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 29/01/2023, 20:28
- Static task: static1
- Behavioral task: behavioral1
- Sample: b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d.exe
- Resource: win7-20221111-en
General
- Target: b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d.exe
- Size: 756KB
- MD5: 7c59504b9dfb4ff80ed8530c5bce9ed7
- SHA1: 04aa7316158ef192b45b2501d4d09a73da05474c
- SHA256: b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d
- SHA512: b0f50962d31a3ffa1f9d259b5ae0f4d5bca9f1be76afcf76f503266ff5ccffafed00789b43fce758dc88ecc94fa636eab3bd8204a98eb4b37f3268c3b9acba4b
- SSDEEP: 12288:9bodd+JGv9M6HLzLOKqyL4y2lHmKjgnXeZQcXMwxm:9Edd+Q/LRL4fmKkOZc
Malware Config
- Extracted family: xloader
- Version: 2.3
- Campaign ID: ur06
Signatures
- Xloader payload (1 IoC)
  Resource: behavioral2/memory/1816-136-0x0000000000400000-0x0000000000428000-memory.dmp, YARA rule: xloader
- Suspicious use of SetThreadContext (1 IoC)
  PID 3496 (b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d.exe) set thread context of PID 1816 (procid_target 91)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 3496 b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d.exe
  PID 3496 b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d.exe
  PID 1816 b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d.exe
  PID 1816 b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 3496 (b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3496 (b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d.exe) wrote to memory of PID 1968 (procid_target 90)
  PID 3496 (b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d.exe) wrote to memory of PID 1968 (procid_target 90)
  PID 3496 (b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d.exe) wrote to memory of PID 1968 (procid_target 90)
  PID 3496 (b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d.exe) wrote to memory of PID 1816 (procid_target 91)
  PID 3496 (b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d.exe) wrote to memory of PID 1816 (procid_target 91)
  PID 3496 (b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d.exe) wrote to memory of PID 1816 (procid_target 91)
  PID 3496 (b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d.exe) wrote to memory of PID 1816 (procid_target 91)
  PID 3496 (b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d.exe) wrote to memory of PID 1816 (procid_target 91)
  PID 3496 (b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d.exe) wrote to memory of PID 1816 (procid_target 91)
Processes
- C:\Users\Admin\AppData\Local\Temp\b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d.exe (PID 3496)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d.exe (PID 1968)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d.exe"
  - Child: C:\Users\Admin\AppData\Local\Temp\b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d.exe (PID 1816)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b668feb6432eb6a52d23ee84b25b68244d388bd08e749ba45820dc6a3100153d.exe"
    - Suspicious behavior: EnumeratesProcesses