Analysis
  Max time kernel: 119s
  Max time network: 124s
  Platform: windows7_x64
  Resource: win7-20231215-en
  Resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  Submitted: 24/12/2023, 22:01
  Static task: static1
  Behavioral task: behavioral1
    Sample: 144734ca7e0810e7aac23d8b4bfa7153.exe
    Resource: win7-20231215-en
General
  Target: 144734ca7e0810e7aac23d8b4bfa7153.exe
  Size: 611KB
  MD5: 144734ca7e0810e7aac23d8b4bfa7153
  SHA1: dd04f41840f4b8320c1d83356ac721d1324f7bda
  SHA256: 6e5d3e6fe85bedb198ba121b5e488ec76175a151e6b14359777367fcebf4a616
  SHA512: b440dad3952c0b3da5b26c31e99688e60ee12ff0458e023f6984f76d60d4956abec67b7ebfae432d2b336880a1b46257e19c708ac2d80779fa5ef75baaf45de2
  SSDEEP: 12288:b2gmnQ/Fec5qGRDXguvFlMSRMkJsJHWJWnwwcgVILm1X7mo5oFCEkv:SH8j5RpFqSGkJswWnz7mo5oFCEkv
Malware Config
  Extracted
    Family: xloader
    Version: 2.3
    Campaign ID (as extracted): p2io
    C2 domains (65 entries; XLoader configurations embed one live C2 among decoy domains, so treat the list as indicators to watch rather than as 65 confirmed attacker-controlled hosts):
essentiallyourscandles.com
cleanxcare.com
bigplatesmallwallet.com
iotcloud.technology
dmgt4m2g8y2uh.net
malcorinmobiliaria.com
thriveglucose.com
fuhaitongxin.com
magetu.info
pyithuhluttaw.net
myfavbutik.com
xzklrhy.com
anewdistraction.com
mercuryaid.net
thesoulrevitalist.com
swayam-moj.com
liminaltechnology.com
lucytime.com
alfenas.info
carmelodesign.com
newmopeds.com
cyrilgraze.com
ruhexuangou.com
trendbold.com
centergolosinas.com
leonardocarrillo.com
advancedaccessapplications.com
aideliveryrobot.com
defenestration.world
zgcbw.net
shopihy.com
3cheer.com
untylservice.com
totally-seo.com
cmannouncements.com
tpcgzwlpyggm.mobi
hfjxhs.com
balloon-artists.com
vectoroutlines.com
boogerstv.com
procircleacademy.com
tricqr.com
hazard-protection.com
buylocalclub.info
m678.xyz
hiddenwholesale.com
ololmychartlogin.com
redudiban.com
brunoecatarina.com
69-1hn7uc.net
zmzcrossrt.xyz
dreamcashbuyers.com
yunlimall.com
jonathan-mandt.com
painhut.com
pandemisorgugirisi-tr.com
sonderbach.net
kce0728com.net
austinpavingcompany.com
biztekno.com
rodriggi.com
micheldrake.com
foxwaybrasil.com
a3i7ufz4pt3.net
adultpeace.com
Signatures

CustAttr .NET packer (1 IoC)
  Detects CustAttr .NET packer in memory.
  Resource (yara_rule): behavioral1/memory/1452-3-0x00000000003C0000-0x00000000003D2000-memory.dmp -> CustAttr

Xloader payload (2 IoCs)
  Resource (yara_rule): behavioral1/memory/2632-14-0x0000000000400000-0x0000000000428000-memory.dmp -> xloader
  Resource (yara_rule): behavioral1/memory/2632-17-0x0000000000AE0000-0x0000000000DE3000-memory.dmp -> xloader

Suspicious use of SetThreadContext (1 IoC)
  PID 1452 (144734ca7e0810e7aac23d8b4bfa7153.exe) set thread context of PID 2632 (procid_target 30)

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2632 (144734ca7e0810e7aac23d8b4bfa7153.exe)

Suspicious use of WriteProcessMemory (7 IoCs)
  PID 1452 (144734ca7e0810e7aac23d8b4bfa7153.exe) wrote to memory of PID 2632 (procid_target 30); 7 events, all with identical fields

Read together: the first instance (PID 1452, where the CustAttr packer signature fires) launches a second copy of its own image (PID 2632), writes into it seven times and then redirects its thread context. That sequence is consistent with process hollowing, and the XLoader payload rules match only inside the child, one hit at the child's 0x400000 image region and one in a separate 3 MB region. The child, not the packer stage, is the process that goes on to enumerate other processes.
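The signature records above can be correlated mechanically into an injection finding. The following is an added example, not code from the sandbox or its vendor: it parses records in the exact wording the report uses ("PID A set thread context of B", "PID A wrote to memory of B", and the memory-dump resource names), and flags every source/target pair that saw both a write and a thread-context change. The input lists are constructed from this report; the regular expressions and the `same_image` / `payload_regions` fields are this example's own assumptions about how to present the result.

```python
import re
from collections import defaultdict

# Constructed input, copied from the wording of the report's Signatures and
# Processes sections. The seven WriteProcessMemory records are identical in
# the report, so they are generated here by repetition.
RECORDS = [
    "PID 1452 set thread context of 2632 1452 144734ca7e0810e7aac23d8b4bfa7153.exe 30",
] + [
    "PID 1452 wrote to memory of 2632 1452 144734ca7e0810e7aac23d8b4bfa7153.exe 30",
] * 7

# YARA-flagged memory dumps from the report (CustAttr in 1452, xloader in 2632).
YARA_HITS = [
    "behavioral1/memory/1452-3-0x00000000003C0000-0x00000000003D2000-memory.dmp",
    "behavioral1/memory/2632-14-0x0000000000400000-0x0000000000428000-memory.dmp",
    "behavioral1/memory/2632-17-0x0000000000AE0000-0x0000000000DE3000-memory.dmp",
]

# pid -> image path, from the Processes section.
PROCESSES = {
    1452: r"C:\Users\Admin\AppData\Local\Temp\144734ca7e0810e7aac23d8b4bfa7153.exe",
    2632: r"C:\Users\Admin\AppData\Local\Temp\144734ca7e0810e7aac23d8b4bfa7153.exe",
}

# Assumed record shapes; only the leading "PID A <action> B" part is needed.
RECORD_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) (?P<dst>\d+)\b"
)
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_records(lines):
    """Count SetThreadContext and WriteProcessMemory events per (source, target) pair."""
    pairs = defaultdict(lambda: {"ctx": 0, "write": 0})
    for line in lines:
        m = RECORD_RE.match(line)
        if not m:
            continue  # unrelated record, ignore
        key = (int(m["src"]), int(m["dst"]))
        pairs[key]["ctx" if m["action"].startswith("set thread") else "write"] += 1
    return dict(pairs)


def parse_dump(resource):
    """Split a memory-dump resource name into pid, start, end and size (bytes)."""
    m = DUMP_RE.search(resource)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "start": start, "end": end, "size": end - start}


def find_hollowing(lines, processes, dumps=()):
    """Return one finding per (src, dst) pair that saw both a write and a
    thread-context change. 'same_image' marks the self-injection variant
    (parent and child run the same executable); 'payload_regions' lists the
    YARA-flagged dumps that belong to the injection target."""
    findings = []
    regions = [d for d in map(parse_dump, dumps) if d]
    for (src, dst), counts in parse_records(lines).items():
        if counts["ctx"] and counts["write"]:
            findings.append({
                "source": src,
                "target": dst,
                "writes": counts["write"],
                "context_sets": counts["ctx"],
                "same_image": processes.get(src) == processes.get(dst),
                "payload_regions": [r for r in regions if r["pid"] == dst],
            })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(RECORDS, PROCESSES, YARA_HITS):
        print(finding)
```

Run against this report it yields a single finding: 1452 -> 2632, seven writes, one context change, same image on both sides, with the two xloader-flagged regions (0x400000 and 0xAE0000) attached to the target. A pair that only writes, or only changes context, is not reported; on its own either call is common in legitimate debuggers and loaders.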
Processes
  1. C:\Users\Admin\AppData\Local\Temp\144734ca7e0810e7aac23d8b4bfa7153.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\144734ca7e0810e7aac23d8b4bfa7153.exe"
     PID: 1452
       - Suspicious use of SetThreadContext
       - Suspicious use of WriteProcessMemory
     2. C:\Users\Admin\AppData\Local\Temp\144734ca7e0810e7aac23d8b4bfa7153.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\144734ca7e0810e7aac23d8b4bfa7153.exe"
        PID: 2632
          - Suspicious behavior: EnumeratesProcesses