Analysis
-
max time kernel
117s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system -
submitted
16-07-2023 10:28
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exe
Resource
win7-20230712-en
General
-
Target
SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exe
-
Size
793KB
-
MD5
f299a3572c1ca67f5df9c027c50f5488
-
SHA1
98ae2458837e4f2bc4e518fd867d3edd28c4236f
-
SHA256
b30baea69e5ba92f56e7d7aa79bb30ed9e889dfde1a690244c9fe02baef4617a
-
SHA512
b67592a6fcb8110d41c86bc65141a4138fe251d139009f66235591e60a90905214d2694799f386f7ded8b1e247d38c024e8d102c05fdd645ba8045c81e7de4aa
-
SSDEEP
12288:MotEJb4xECMrM7I+KA0Z2+8cjtHei+uo0hE/:nCCMrG/R0wTcjtHei+uo0hE/
Malware Config
Extracted
xloader
2.5
mjyv
wenyuexuan.com
tropicaldepression.info
healthylifefit.com
reemletenleafy.com
jmrrve.com
mabduh.com
esomvw.com
selfcaresereneneness.com
murdabudz.com
meinemail.online
brandqrcodes.com
live-in-pflege.com
nickrecovery.com
ziototoristorante.com
chatcure.com
corlora.com
localagentlab.com
yogo7.net
krveop.com
heianswer.xyz
idproslot.xyz
anielleharris.com
lebonaharchitects.com
chilestew.com
ventasdecasasylotes.xyz
welcome-sber.store
ahmedintisher.com
pastlinks.com
productprinting.online
babybox.media
volteraenergy.net
chinatowndeliver.com
behiscalm.com
totalselfconfidence.net
single-on-purpose.com
miyonbuilding.com
medicalmanagementinc.info
bellaalubo.com
dubaibiologicdentist.com
jspagnier-graveur.com
deskbk.com
thehauntdepot.com
5fbuy.com
calmingscience.com
luvnecklace.com
noun-bug.com
mysenarai.com
socialmediaplugin.com
livinglovinglincoln.com
vaxfreeschool.com
bjjinmei.com
p60p.com
upgradepklohb.xyz
georges-lego.com
lkkogltoyof4.xyz
fryhealty.com
peacetransformationpath.com
lightfootsteps.com
recreativemysteriousgift.com
luminoza.website
mccorklehometeam.com
car-insurance-rates-x2.info
serpasboutiquedecarnes.com
1971event.com
simpeltattofor.men
Signatures
-
Xloader payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1720-65-0x0000000000400000-0x0000000000429000-memory.dmp xloader -
Suspicious use of SetThreadContext 1 IoCs
Processes:
SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exedescription pid process target process PID 1688 set thread context of 1720 1688 SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exe SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exepid process 1720 SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exedescription pid process Token: SeDebugPrivilege 1688 SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exedescription pid process target process PID 1688 wrote to memory of 1720 1688 SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exe SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exe PID 1688 wrote to memory of 1720 1688 SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exe SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exe PID 1688 wrote to memory of 1720 1688 SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exe SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exe PID 1688 wrote to memory of 1720 1688 SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exe SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exe PID 1688 wrote to memory of 1720 1688 SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exe SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exe PID 1688 wrote to memory of 1720 1688 SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exe SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exe PID 1688 wrote to memory of 1720 1688 SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exe SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.771382.15623.28477.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1688-54-0x0000000000940000-0x0000000000A0C000-memory.dmpFilesize
816KB
-
memory/1688-55-0x0000000074010000-0x00000000746FE000-memory.dmpFilesize
6.9MB
-
memory/1688-56-0x0000000004D50000-0x0000000004D90000-memory.dmpFilesize
256KB
-
memory/1688-57-0x0000000074010000-0x00000000746FE000-memory.dmpFilesize
6.9MB
-
memory/1688-58-0x0000000004D50000-0x0000000004D90000-memory.dmpFilesize
256KB
-
memory/1720-59-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1720-61-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1720-63-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1720-65-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1720-66-0x0000000000A10000-0x0000000000D13000-memory.dmpFilesize
3.0MB
-
memory/1720-67-0x0000000000A10000-0x0000000000D13000-memory.dmpFilesize
3.0MB