Analysis
  Max time kernel: 137s
  Max time network: 148s
  Platform: windows10-2004_x64
  Resource: win10v2004-20231215-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 19-12-2023 10:30
  Static task: static1
  Behavioral task: behavioral1
    Sample: 06e39ab322fda94c231cd51b9f5e60ea.exe
    Resource: win7-20231129-en
General
  Target: 06e39ab322fda94c231cd51b9f5e60ea.exe
  Size: 692KB
  MD5: 06e39ab322fda94c231cd51b9f5e60ea
  SHA1: 8cc59571463811f56006426ee81a0d5b220beaec
  SHA256: c55b9c07d7796fc4b41095b8bada978ef5995211936a301cfdbd6be4d0c0ec67
  SHA512: 17bc8ac8741e294a03990230e913163555c1a400827db44c95282ed9cf000f04f698537d677af9bcda7d13dee03ff3f7bd2766854074cde3960db946c61cadbe
  SSDEEP: 12288:6az2qMvipacTQEwH0YSMd8c0LNbuiGgNXhLGt9xHg7HvTTxL+CMDE:j3+EwH0YSMR0ZuKNXtQXA7HvnxI4
Malware Config
  Extracted
    Family: xloader
    Version: 2.5
    Campaign: gab8
Signatures

Xloader payload (1 IoC)
  Resource: behavioral2/memory/4288-17-0x00000000003B0000-0x00000000003D9000-memory.dmp
  YARA rule: xloader

Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Resource: behavioral2/memory/2108-7-0x0000000007150000-0x0000000007178000-memory.dmp
  YARA rule: agile_net

Suspicious use of SetThreadContext (1 IoC)
  Process: 06e39ab322fda94c231cd51b9f5e60ea.exe
  PID 2108 (06e39ab322fda94c231cd51b9f5e60ea.exe) set thread context of PID 4288 (06e39ab322fda94c231cd51b9f5e60ea.exe)

Program crash (1 IoC)
  Process: WerFault.exe
  PID 1460 (WerFault.exe), target PID 4288 (06e39ab322fda94c231cd51b9f5e60ea.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: 06e39ab322fda94c231cd51b9f5e60ea.exe
  PID 2108 (06e39ab322fda94c231cd51b9f5e60ea.exe), 2 occurrences

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: 06e39ab322fda94c231cd51b9f5e60ea.exe
  Token: SeDebugPrivilege, PID 2108 (06e39ab322fda94c231cd51b9f5e60ea.exe)

Suspicious use of WriteProcessMemory (6 IoCs)
  Process: 06e39ab322fda94c231cd51b9f5e60ea.exe
  PID 2108 (06e39ab322fda94c231cd51b9f5e60ea.exe) wrote to memory of PID 4288 (06e39ab322fda94c231cd51b9f5e60ea.exe), 6 occurrences
Processes
  Depth 1: C:\Users\Admin\AppData\Local\Temp\06e39ab322fda94c231cd51b9f5e60ea.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\06e39ab322fda94c231cd51b9f5e60ea.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Depth 2: C:\Users\Admin\AppData\Local\Temp\06e39ab322fda94c231cd51b9f5e60ea.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\06e39ab322fda94c231cd51b9f5e60ea.exe"
      Depth 3: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 184
        - Program crash
  Depth 1: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4288 -ip 4288
Downloads
  Memory dump                                                    Filesize
  memory/2108-8-0x00000000071F0000-0x0000000007256000-memory.dmp   408KB
  memory/2108-2-0x0000000005E70000-0x0000000006414000-memory.dmp   5.6MB
  memory/2108-7-0x0000000007150000-0x0000000007178000-memory.dmp   160KB
  memory/2108-10-0x0000000005930000-0x0000000005940000-memory.dmp  64KB
  memory/2108-4-0x0000000005960000-0x00000000059FC000-memory.dmp   624KB
  memory/2108-5-0x0000000005A00000-0x0000000005D54000-memory.dmp   3.3MB
  memory/2108-6-0x0000000005930000-0x0000000005940000-memory.dmp   64KB
  memory/2108-9-0x00000000071B0000-0x00000000071D2000-memory.dmp   136KB
  memory/2108-20-0x0000000074DB0000-0x0000000075560000-memory.dmp  7.7MB
  memory/2108-1-0x0000000074DB0000-0x0000000075560000-memory.dmp   7.7MB
  memory/2108-3-0x0000000005810000-0x00000000058A2000-memory.dmp   584KB
  memory/2108-11-0x0000000074DB0000-0x0000000075560000-memory.dmp  7.7MB
  memory/2108-12-0x0000000005930000-0x0000000005940000-memory.dmp  64KB
  memory/2108-13-0x0000000005930000-0x0000000005940000-memory.dmp  64KB
  memory/2108-14-0x0000000007B70000-0x0000000007B84000-memory.dmp  80KB
  memory/2108-15-0x000000000A1A0000-0x000000000A1A6000-memory.dmp  24KB
  memory/2108-0-0x0000000000D70000-0x0000000000E24000-memory.dmp   720KB
  memory/4288-17-0x00000000003B0000-0x00000000003D9000-memory.dmp  164KB