Analysis
max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2023 13:15
Static task: static1
Behavioral task: behavioral1
Sample: Ri9RSdOwP2DvMFi.exe
Resource: win7-20231215-en
General
Target: Ri9RSdOwP2DvMFi.exe
Size: 782KB
MD5: 93fcca51eeb3f566119693d2f9745926
SHA1: 9cb3c035e948b0e1e27f2a8515fed6deb14857a5
SHA256: effde9dee423f050461080a9efc44435f4abd5d772e0a436f84f758b95ff65b2
SHA512: 978b52d10a3a00429322c21cb492f7f72a1bbe175d3915b37d01d4ecde9b0b66f29228625c1e5abf71ad3b5110f9021059c5daaa8f7ea25b5fb7e641ffb06d85
SSDEEP: 6144:luFJLgGJz99KYyo3wdTPnoJx6DqVY2RvE/KMuKszf7hOgoP2Oncbq3VHOflCbF23:KzfDyvnGmqvs/5YOgoZsHYMaPVUnt
Malware Config
Extracted: xloader, version 2.3, campaign ID b5ne
Signatures

Xloader payload (4 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/2600-17-0x0000000000400000-0x0000000000428000-memory.dmp  xloader
  behavioral1/memory/2600-22-0x0000000000400000-0x0000000000428000-memory.dmp  xloader
  behavioral1/memory/548-27-0x0000000000080000-0x00000000000A8000-memory.dmp   xloader
  behavioral1/memory/548-29-0x0000000000080000-0x00000000000A8000-memory.dmp   xloader
Deletes itself (1 IoC)
  pid   Process
  1856  cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process              procid_target
  PID 2232 set thread context of 2600  2232  Ri9RSdOwP2DvMFi.exe  31
  PID 2600 set thread context of 1216  2600  Ri9RSdOwP2DvMFi.exe  17
  PID 548 set thread context of 1216   548   wininit.exe          17
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2572  schtasks.exe
Suspicious behavior: EnumeratesProcesses (24 IoCs)
  pid   Process              events
  2232  Ri9RSdOwP2DvMFi.exe  2
  2600  Ri9RSdOwP2DvMFi.exe  2
  548   wininit.exe          20

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   Process              events
  2600  Ri9RSdOwP2DvMFi.exe  3
  548   wininit.exe          2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2232  Ri9RSdOwP2DvMFi.exe
  Token: SeDebugPrivilege  2600  Ri9RSdOwP2DvMFi.exe
  Token: SeDebugPrivilege  548   wininit.exe

Suspicious use of WriteProcessMemory (19 IoCs)
  description                         pid   Process              procid_target  events
  PID 2232 wrote to memory of 2572    2232  Ri9RSdOwP2DvMFi.exe  30             4
  PID 2232 wrote to memory of 2600    2232  Ri9RSdOwP2DvMFi.exe  31             7
  PID 1216 wrote to memory of 548     1216  Explorer.EXE         33             4
  PID 548 wrote to memory of 1856     548   wininit.exe          34             4
Processes

C:\Windows\Explorer.EXE (PID 1216)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Ri9RSdOwP2DvMFi.exe (PID 2232)
    command line: "C:\Users\Admin\AppData\Local\Temp\Ri9RSdOwP2DvMFi.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (PID 2572)
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\raWKsgTnHRZckF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp48C3.tmp"
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\Temp\Ri9RSdOwP2DvMFi.exe (PID 2600)
      command line: "C:\Users\Admin\AppData\Local\Temp\Ri9RSdOwP2DvMFi.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\wininit.exe (PID 548)
    command line: "C:\Windows\SysWOW64\wininit.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 1856)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Ri9RSdOwP2DvMFi.exe"
      - Deletes itself