Analysis
- max time kernel: 106s
- max time network: 32s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 29-01-2023 19:48
Static task: static1
Behavioral task: behavioral1
Sample: 358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe
Resource: win7-20221111-en
General
- Target: 358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe
- Size: 522KB
- MD5: b18e598f9eba3ea6050fb0e70cc81cd4
- SHA1: 683f6f2ce4279c428870f29dae17bdce0d68a4b7
- SHA256: 358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c
- SHA512: c2ce9e88a445a8046bb3594324423b2e3ee84cf369a8a114c7053d8a6c588fb5ca3c9927656a973ba7530219f6293cda42dd073370073308a6f91dd006de7e08
- SSDEEP: 12288:Twm/lE0DO2lolaNVSI+Kn4DUYB6U3vrA:UmdfDO2JNVYKnnlUTA
Malware Config
Extracted
- Family: xloader
- Version: 2.3
- Campaign: 8zdn
- Decoy domains:
yourherogarden.net
onlineharambee.net
cerrajeriaurgencias24horas.com
distritoforex.com
verifyclientserverssr.com
dandwg.com
co2-zero.global
joshssl.com
meckwt.com
theammf.com
rawclectic.com
gzgnetwork.com
richmondavenuecoc.com
nicolelyte.com
thetinyclosetboutique.com
llt-group.net
seven-sky-design.com
joganifinancialgrp.com
elementsvapes.com
bingent.info
quaichshop.net
unethicalsgsblaw.com
matts.digital
lexafit.com
covidwanderings.com
pk972.com
fanashaadivine.com
winharadesigns.com
adosignite.com
goldengatesimmigration.com
unazampanelcuore.com
gasexecutive.com
sdps365.net
worthingtonminnesota.com
ducatsupply.com
beijinghui1.icu
hn-bet.com
homeforsalesteamboat.com
tiaozaoxinlingshou.net
mrbils.net
depuitycollector.com
winningovereating.com
usedonlyrvs.com
verbinoz.com
threepocketmedia.com
lizbing.com
fivestardogfoods.com
edevercal.net
irisettelment.com
beautyphernalia.com
terrawindglobalprotection.net
floridaindian.com
kidzistore.com
kulisbet117.com
logingatech.info
ftdk.net
lawwise.legal
bruthawar.com
lemonpublishing.com
6781529.com
zfxsotc.com
shroomsdrop.com
ahm-app.com
finesilversmith.com
basiclablife.com
Signatures
-
CustAttr .NET packer (1 IoCs)
Detects CustAttr .NET packer in memory.
Processes:
- resource: behavioral1/memory/2036-56-0x0000000000250000-0x0000000000258000-memory.dmp; yara_rule: CustAttr
-
Xloader payload (2 IoCs)
Processes:
- resource: behavioral1/memory/1120-62-0x000000000041D020-mapping.dmp; yara_rule: xloader
- resource: behavioral1/memory/1120-61-0x0000000000400000-0x0000000000428000-memory.dmp; yara_rule: xloader
-
Suspicious use of SetThreadContext (1 IoCs)
Processes:
- description: PID 2036 set thread context of 1120; pid: 2036; process: 358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe; target process: 358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe
-
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
- pid: 1120; process: 358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe
-
Suspicious use of WriteProcessMemory (7 IoCs)
Processes (7 identical entries):
- description: PID 2036 wrote to memory of 1120; pid: 2036; process: 358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe; target process: 358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe (child of the process above)
  Command line: "C:\Users\Admin\AppData\Local\Temp\358617c3f29ddf056376c61812aaa5cf84b5b12eefbc652357b9a4f5e975d79c.exe"
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- memory/1120-59-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize: 160KB)
- memory/1120-58-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize: 160KB)
- memory/1120-62-0x000000000041D020-mapping.dmp
- memory/1120-61-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize: 160KB)
- memory/1120-63-0x0000000000B40000-0x0000000000E43000-memory.dmp (Filesize: 3.0MB)
- memory/2036-54-0x0000000000AB0000-0x0000000000B38000-memory.dmp (Filesize: 544KB)
- memory/2036-55-0x0000000075511000-0x0000000075513000-memory.dmp (Filesize: 8KB)
- memory/2036-56-0x0000000000250000-0x0000000000258000-memory.dmp (Filesize: 32KB)
- memory/2036-57-0x00000000021E0000-0x0000000002236000-memory.dmp (Filesize: 344KB)