Analysis
max time kernel: 144s
max time network: 142s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 31/01/2023, 20:38
Behavioral task: behavioral1
Sample: SWhs.exe
Resource: win7-20220812-en

General
Target: SWhs.exe
Size: 160KB
MD5: 9b39457703898f689b0e92a03d3408bf
SHA1: 12cfebd737b58e1d961f226e087716ff38c420d3
SHA256: 163e4dd4d77797c1b788c03c0f71911d2181573bdf4f048e953563b072a234c6
SHA512: 73d7983c9582b28fff9044e328d6358c27a00aa687694e695a1f52c74d2eb43cd5674af6ad8c00b54fbdaa1c54896d1d775f529244f749f18c570713c3e24fa9
SSDEEP: 3072:EhhrDpv/3jb+Na8dZL9My3BhYpm16G5tKartyetVTeH+QRRnNxm4s:E3gpF9NxhEm1j5tXrYette/nF
Malware Config
Extracted
Family: xloader
Version: 2.3
Campaign ID: pzb5
Domains:
laceez-store.com
fastcobra.icu
adust.site
parcelpunk.com
dabanse.info
themacshisha.com
ketogenic-success.com
simplyrip.com
antoniolima.icu
ruyakeji.net
sysintegrados2.com
triangle-resolute.com
muratkivrak.com
ntwrkrecs.com
gtxhcntq.icu
charlottepromo.com
trygreenbar.com
abbathandhottub.com
sliim-up.com
hoteldeleauvive.com
itsunnyinflorida.com
stukeyenterprise.com
texasmarijuanadispensary.com
makemestupid.com
wrapcare.info
elevencasual.com
berrymaps.com
eufootball.xyz
guiatrompeta.com
dlinteriordesigns.com
vseboliit.life
akoocg.com
liselibrary.com
strikeoutchallenge.com
blenheimdesigns.com
largeprintonline.com
nevillwearsprada.com
elyonbosstimer.com
bfjgktv.com
cybermovistar.com
morenosappliancerepair.com
sqxiandai.com
haneen-ts.com
askjiaju.net
soyalbalucia.com
mycounsellinghk.com
influentexports.com
disarmsales.com
sproutone.com
clasifood.com
gigafoon.com
donorsflames.store
clinique-alhanane.com
interdomiciliocanarias.com
modestin.online
magicisntreal.com
desibeast.com
thefreelanceteam.net
trendingproductus.com
bramwalda.com
fabriq-s.com
chaoticscave.net
7thenglish.com
howtogetmyboyfriendback.net
keprom.works
Signatures

Xloader payload (2 IoCs)
resource | yara_rule
behavioral1/memory/1700-61-0x0000000000090000-0x00000000000B9000-memory.dmp | xloader
behavioral1/memory/1700-65-0x0000000000090000-0x00000000000B9000-memory.dmp | xloader

Deletes itself (1 IoC)
pid | Process
1576 | cmd.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 1972 set thread context of 1216 | 1972 | SWhs.exe | 13
PID 1700 set thread context of 1216 | 1700 | msiexec.exe | 13

Suspicious behavior: EnumeratesProcesses (27 IoCs)
pid | Process
1972 | SWhs.exe (2 entries)
1700 | msiexec.exe (25 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
1216 | Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
pid | Process
1972 | SWhs.exe (3 entries)
1700 | msiexec.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1972 | SWhs.exe
Token: SeDebugPrivilege | 1700 | msiexec.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
1216 | Explorer.EXE (2 entries)

Suspicious use of SendNotifyMessage (64 IoCs)
pid | Process
1216 | Explorer.EXE (64 entries)

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 1216 wrote to memory of 1700 | 1216 | Explorer.EXE | 28 (7 entries)
PID 1700 wrote to memory of 1576 | 1700 | msiexec.exe | 29 (4 entries)
Processes

C:\Windows\Explorer.EXE (PID 1216)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\SWhs.exe (PID 1972)
    command line: "C:\Users\Admin\AppData\Local\Temp\SWhs.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\msiexec.exe (PID 1700)
    command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 1576)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\SWhs.exe"
      - Deletes itself