Analysis
  max time kernel: 96s
  max time network: 149s
  platform: windows10-2004_x64
  resource: win10v2004-20231222-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 24/12/2023, 18:37
Static task: static1
Behavioral task: behavioral1
  Sample: 0c737a6befc4bba6c1ddba35d396f9d6.exe
  Resource: win7-20231215-en
General
  Target: 0c737a6befc4bba6c1ddba35d396f9d6.exe
  Size: 261KB
  MD5: 0c737a6befc4bba6c1ddba35d396f9d6
  SHA1: e8e1dc5a5df9cc353f5a8be32dd19eef38a5b909
  SHA256: f6bd2853a8346c75b10f30184adf3a12ddcc7b25dac4a1b0a5e281179b1e1322
  SHA512: 57e70330eb5f07a359bb2889fd98c76009502e29e76ed7d27615b7e031bfe0a536bbc7b9a446ce35ec37a9abdcfa80bbfe653a67fa631408c28c2b78964d5014
  SSDEEP: 6144:d/gFDMLc/CNihEGpptdMN2/CS/jyjLndnqPU5IJFGTP:dMDMoKkh5/I8CS/jyvA8CJFGTP
Malware Config
Extracted
  Family: xloader
  Version: 2.3
  Campaign: b6a4
  C2 domains (as extracted from the configuration; XLoader configs embed a single real C2 among decoy domains, so treat the list as a whole as an indicator of this build rather than as live infrastructure until the real C2 has been confirmed):
reviewsresolutions.com
binhminhgardenshophouse.com
nebulacom.com
kadhambaristudio.com
viltoom.club
supmomma.com
tjszxddc.com
darlingmemories.com
hyperultrapure.com
vibembrio.com
reallycoolmask.com
cumbukita.com
brian-newby.com
abstractaccessories.com
marykinky.com
minnesotareversemtgloans.com
prasetlement.com
xplpgi.com
xn--gdask-y7a.com
uababaseball.com
intesmartscale.com
hmwcin.com
pavel-levakov.com
esmebonnell.com
hdyfworldwide.com
shanghaino1milpitas.com
abrosnm3.com
millenialife.info
cgfia.com
sk275.com
anwaltmaier.wien
adminlagu.com
halaltory.com
ketofoodfight.club
mossymilecouture.com
toinfinityandabroad.com
goldstreamradio.com
hs-ciq.net
shedajackson.com
kussharoko.net
superpackersmovers.com
thecarbonbox.store
kayfkitchen.com
remedicore.com
zfozxr.icu
bloodbluemoons.com
vistaonlinedemo.com
tucirculodeideas.com
saanythinghealth.com
codenevisi.com
pickyclick.com
streammsex.com
ledtorchtr.com
louisgrech.com
realdocumentsforsale.com
compragospel.com
starlet5.xyz
phasmaelectro.com
kos-living.com
casamattapm.com
ievapavulane.com
wakeupwithfreedom.com
matkomiljevic.com
leonaprojects.com
miraculousventures.com
Signatures

  Xloader payload (1 IoC)
    resource                                                                     yara_rule
    behavioral2/memory/1352-3-0x0000000000700000-0x0000000000728000-memory.dmp   xloader

  Suspicious use of SetThreadContext (1 IoC)
    description                            pid    Process                                procid_target
    PID 4840 set thread context of 1352    4840   0c737a6befc4bba6c1ddba35d396f9d6.exe   16

  Program crash (1 IoC)
    pid    pid_target   Process        procid_target
    4844   4840         WerFault.exe   14

  Suspicious behavior: EnumeratesProcesses (2 IoCs)
    pid    Process
    1352   0c737a6befc4bba6c1ddba35d396f9d6.exe
    1352   0c737a6befc4bba6c1ddba35d396f9d6.exe

  Suspicious behavior: MapViewOfSection (2 IoCs)
    pid    Process
    4840   0c737a6befc4bba6c1ddba35d396f9d6.exe
    4840   0c737a6befc4bba6c1ddba35d396f9d6.exe

  Suspicious use of WriteProcessMemory (4 IoCs)
    description                          pid    Process                                procid_target
    PID 4840 wrote to memory of 1352     4840   0c737a6befc4bba6c1ddba35d396f9d6.exe   16
    PID 4840 wrote to memory of 1352     4840   0c737a6befc4bba6c1ddba35d396f9d6.exe   16
    PID 4840 wrote to memory of 1352     4840   0c737a6befc4bba6c1ddba35d396f9d6.exe   16
    PID 4840 wrote to memory of 1352     4840   0c737a6befc4bba6c1ddba35d396f9d6.exe   16
Processes

  C:\Users\Admin\AppData\Local\Temp\0c737a6befc4bba6c1ddba35d396f9d6.exe  (PID 4840)
    command line: "C:\Users\Admin\AppData\Local\Temp\0c737a6befc4bba6c1ddba35d396f9d6.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\0c737a6befc4bba6c1ddba35d396f9d6.exe  (PID 1352)
      command line: "C:\Users\Admin\AppData\Local\Temp\0c737a6befc4bba6c1ddba35d396f9d6.exe"
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\WerFault.exe  (PID 4844)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 312
      - Program crash

  C:\Windows\SysWOW64\WerFault.exe  (PID 4908)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4840 -ip 4840
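The signatures and process tree above together describe one technique: PID 4840 spawns a second copy of its own image (PID 1352), writes into it four times, then redirects a thread in it with SetThreadContext, after which the YARA hit for the XLoader payload appears in a memory dump taken from 1352, not from 4840. The Python below is an added example, not part of the sandbox report or of the sandbox's own detection logic: it encodes the report's events and process tree as constructed records (the field names, the `detect_hollowing` heuristic and the `parse_dump_name` helper for the `<pid>-<idx>-0x<start>-0x<end>-memory.dmp` resource name are this example's own assumptions), then shows the check a triage analyst would want: same-image parent/child plus cross-process write plus thread-context change equals a hollowing candidate, and the tagged dump belongs to the injection target.

```python
# Added example: reconstruct the self-injection pattern from the sandbox events above.
# The event records and process table are constructed from this report's Signatures and
# Processes sections; field names and the detection heuristic are this example's own
# assumptions, not the sandbox's API or detection rule.
import re
from collections import defaultdict
from typing import NamedTuple

# Resource names of the form "<pid>-<idx>-0x<start>-0x<end>-memory.dmp", path prefix optional.
DUMP_RE = re.compile(
    r"^(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)


class Dump(NamedTuple):
    pid: int
    idx: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> Dump:
    """Parse a memory-dump resource name into (pid, index, start, end); raises on other names."""
    m = DUMP_RE.match(name.rsplit("/", 1)[-1])
    if not m:
        raise ValueError(f"not a memory dump resource name: {name!r}")
    return Dump(int(m["pid"]), int(m["idx"]), int(m["start"], 16), int(m["end"], 16))


# pid -> (parent pid, image path); parent links follow the tree shown in the report.
PROCESSES = {
    4840: (None, r"C:\Users\Admin\AppData\Local\Temp\0c737a6befc4bba6c1ddba35d396f9d6.exe"),
    1352: (4840, r"C:\Users\Admin\AppData\Local\Temp\0c737a6befc4bba6c1ddba35d396f9d6.exe"),
    4844: (4840, r"C:\Windows\SysWOW64\WerFault.exe"),
    4908: (None, r"C:\Windows\SysWOW64\WerFault.exe"),
}

# (event, source pid, target pid or None), one entry per IoC row in the Signatures section.
EVENTS = [
    ("MapViewOfSection", 4840, None),
    ("MapViewOfSection", 4840, None),
    ("WriteProcessMemory", 4840, 1352),
    ("WriteProcessMemory", 4840, 1352),
    ("WriteProcessMemory", 4840, 1352),
    ("WriteProcessMemory", 4840, 1352),
    ("SetThreadContext", 4840, 1352),
    ("EnumeratesProcesses", 1352, None),
]


def detect_hollowing(processes, events):
    """Return (source, target) pairs where a process writes into a child it spawned from its
    own image and then changes a thread context there: the classic hollowing sequence.
    Requiring a same-image parent/child keeps debuggers and WerFault from being flagged."""
    writes = defaultdict(int)
    ctx = set()
    for ev, src, dst in events:
        if dst is None:
            continue
        if ev == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif ev == "SetThreadContext":
            ctx.add((src, dst))
    findings = []
    for src, dst in sorted(ctx):
        if writes[(src, dst)] == 0 or src not in processes or dst not in processes:
            continue
        parent, dst_image = processes[dst]
        src_image = processes[src][1]
        if parent == src and dst_image.lower() == src_image.lower():
            findings.append({"source": src, "target": dst, "writes": writes[(src, dst)]})
    return findings


def payload_dump_matches_target(dump_name, findings):
    """True when the YARA-tagged dump was taken from a hollowing target, which ties the
    payload hit to the injected copy rather than to the dropper that crashed."""
    pid = parse_dump_name(dump_name).pid
    return any(f["target"] == pid for f in findings)


if __name__ == "__main__":
    dump = "behavioral2/memory/1352-3-0x0000000000700000-0x0000000000728000-memory.dmp"
    found = detect_hollowing(PROCESSES, EVENTS)
    d = parse_dump_name(dump)
    print("hollowing candidates:", found)
    print(f"payload dump: pid={d.pid} region=0x{d.start:x}-0x{d.end:x} size=0x{d.size:x}")
    print("dump is from an injection target:", payload_dump_matches_target(dump, found))
```

The negative case matters as much as the hit: WerFault attaching to the crashed parent (PID 4844 -> 4840 here) also touches another process's memory, but 4840 is not its same-image child, so the heuristic stays quiet on it.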