Analysis Overview
SHA256
5d0597862de02a1bc417d127b0160e32d4558f790d6f4f1d9eb3eb7a36e6ca83
Threat Level: Known bad
The file 50a4fbbf71d27bfffb438d40976030f4b1445cb446300ede262f276fb5527b00.bin.sample.gz was found to be: Known bad.
Malicious Activity Summary
Detects MosaicLoader payload
MosaicLoader
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-04-06 23:09
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-06 23:09
Reported
2023-04-06 23:12
Platform
win7-20230220-en
Max time kernel
141s
Max time network
30s
Command Line
Signatures
Detects MosaicLoader payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
MosaicLoader
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | t1.xofinity.com | udp |
| CN | 182.61.201.91:80 | t1.xofinity.com | tcp |
| N/A | 127.0.0.1:49166 | | tcp |
| N/A | 127.0.0.1:49168 | | tcp |
Files
memory/1772-55-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/1340-54-0x0000000000400000-0x0000000000B18000-memory.dmp
memory/1340-56-0x0000000000220000-0x000000000029B000-memory.dmp
memory/1772-57-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/1340-58-0x0000000002590000-0x0000000002710000-memory.dmp
memory/1772-59-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/1772-60-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/1772-61-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/1772-62-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/1772-63-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/1340-64-0x0000000002590000-0x0000000002710000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-04-06 23:09
Reported
2023-04-06 23:12
Platform
win10v2004-20230221-en
Max time kernel
92s
Max time network
154s
Command Line
Signatures
Detects MosaicLoader payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
MosaicLoader
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.18.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t1.xofinity.com | udp |
| CN | 182.61.201.90:80 | t1.xofinity.com | tcp |
| N/A | 127.0.0.1:49723 | | tcp |
| N/A | 127.0.0.1:49725 | | tcp |
| US | 8.8.8.8:53 | 90.201.61.182.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.233.140.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.146.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 20.189.173.6:443 | | tcp |
| US | 8.8.8.8:53 | 194.77.24.184.in-addr.arpa | udp |
Files
memory/1932-134-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/4824-133-0x0000000000400000-0x0000000000B18000-memory.dmp
memory/4824-137-0x0000000002870000-0x00000000028EB000-memory.dmp
memory/1932-139-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/4824-138-0x00000000029C0000-0x0000000002B63000-memory.dmp
memory/1932-136-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/1932-140-0x0000000000400000-0x00000000004B7000-memory.dmp
memory/1932-141-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/1932-142-0x0000000000400000-0x00000000004B7000-memory.dmp