Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
24/12/2023, 18:39
Static task
static1
Behavioral task
behavioral1
Sample
0c90a502cf1d5e66b289b82a22fc1693.exe
Resource
win7-20231129-en
General
-
Target
0c90a502cf1d5e66b289b82a22fc1693.exe
-
Size
1.3MB
-
MD5
0c90a502cf1d5e66b289b82a22fc1693
-
SHA1
b7309e98f9d8b58442a77e1619e4524efd7f6a35
-
SHA256
12d89c6e8e3ef2ec6ae4fda7dce291a2418a51daa9eba44a583ced847c9e4e42
-
SHA512
fdb013cb09ca14093e5a2f177f91ed1349d47f4c17f7f610818fcf583c00ac518ed55eb655ed460b157024c150b23cdc8406d3795253a5ec7096adc339a2b6b3
-
SSDEEP
24576:RZKjksXks2y8j19UAWU6rXVoHHsxZmJYis4xBZMN6Z7nsG/d60wZ:RZKaPUjU6rXVosx8J24xgN6Z7n8
Malware Config
Extracted
xloader
2.3
uecu
ishtarhotel.com
woodstrends.icu
jalenowens.com
manno.expert
ssg1asia.com
telepathylaw.com
quickoprintnv.com
abrosnm3.com
lumberjackcatering.com
beachujamaica.com
thomasjeffersonbyrd.com
starryfinds.com
shelavish2.com
royalglamempirellc.com
deixandomeuemprego.com
alexgoestech.xyz
opticamn.com
fermanchevybrandon.com
milbodegas.info
adunarsrl.com
dataatlus.com
missabrams.com
beaconservicesuk.com
tvforpc.website
dipmarketingagency.com
milsontt.com
londonsashwindowsservices.com
feedmysheepdaily.com
firsttimephysics.com
hosefire.com
southdocknj.com
idfstool.com
drelip.com
decayette.com
awakenedgodsofbeauty.com
easttexasranch.com
risinglanka.com
meetingoffices.com
vase-composition.com
kupon.asia
alltimeselfstorage.com
gatorbrewcoffee.com
api-pay-agent.com
height-project.online
flbtyc638.com
psdmoravita.com
highbrowhairstudio.com
deepblueriver.com
yh22022.com
sts-100.com
michaelfmoore.com
alzheimers.computer
produtos-servicos.website
zyuyktlcu.icu
ezewasser.com
outstanding-palisade.com
saioura.com
core.run
allaboutlifeblog.com
foodolog.net
somerderm.com
scootrlv.com
ahjjbxg.com
gasworldchampionships.com
illoftapartments.com
Signatures
-
CustAttr .NET packer 1 IoCs
Detects CustAttr .NET packer in memory.
resource yara_rule behavioral2/memory/4476-7-0x00000000059E0000-0x00000000059F2000-memory.dmp CustAttr -
Xloader payload 4 IoCs
resource yara_rule behavioral2/memory/1320-12-0x0000000000400000-0x0000000000428000-memory.dmp xloader behavioral2/memory/1320-17-0x0000000000400000-0x0000000000428000-memory.dmp xloader behavioral2/memory/5112-22-0x0000000000440000-0x0000000000468000-memory.dmp xloader behavioral2/memory/5112-25-0x0000000000440000-0x0000000000468000-memory.dmp xloader -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 4476 set thread context of 1320 4476 0c90a502cf1d5e66b289b82a22fc1693.exe 105 PID 1320 set thread context of 3380 1320 RegSvcs.exe 56 PID 5112 set thread context of 3380 5112 NETSTAT.EXE 56 -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 5112 NETSTAT.EXE -
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid Process 4476 0c90a502cf1d5e66b289b82a22fc1693.exe 4476 0c90a502cf1d5e66b289b82a22fc1693.exe 1320 RegSvcs.exe 1320 RegSvcs.exe 1320 RegSvcs.exe 1320 RegSvcs.exe 1320 RegSvcs.exe 5112 NETSTAT.EXE 5112 NETSTAT.EXE 5112 NETSTAT.EXE 5112 NETSTAT.EXE 5112 NETSTAT.EXE 5112 NETSTAT.EXE 5112 NETSTAT.EXE 5112 NETSTAT.EXE 5112 NETSTAT.EXE 5112 NETSTAT.EXE 5112 NETSTAT.EXE 5112 NETSTAT.EXE 5112 NETSTAT.EXE 5112 NETSTAT.EXE 5112 NETSTAT.EXE 5112 NETSTAT.EXE 5112 NETSTAT.EXE 5112 NETSTAT.EXE 5112 NETSTAT.EXE 5112 NETSTAT.EXE 5112 NETSTAT.EXE 5112 NETSTAT.EXE 5112 NETSTAT.EXE 5112 NETSTAT.EXE 5112 NETSTAT.EXE 5112 NETSTAT.EXE 5112 NETSTAT.EXE 5112 NETSTAT.EXE 5112 NETSTAT.EXE 5112 NETSTAT.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
pid Process 1320 RegSvcs.exe 1320 RegSvcs.exe 1320 RegSvcs.exe 5112 NETSTAT.EXE 5112 NETSTAT.EXE -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4476 0c90a502cf1d5e66b289b82a22fc1693.exe Token: SeDebugPrivilege 1320 RegSvcs.exe Token: SeDebugPrivilege 5112 NETSTAT.EXE -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3380 Explorer.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4476 wrote to memory of 1320 4476 0c90a502cf1d5e66b289b82a22fc1693.exe 105 PID 4476 wrote to memory of 1320 4476 0c90a502cf1d5e66b289b82a22fc1693.exe 105 PID 4476 wrote to memory of 1320 4476 0c90a502cf1d5e66b289b82a22fc1693.exe 105 PID 4476 wrote to memory of 1320 4476 0c90a502cf1d5e66b289b82a22fc1693.exe 105 PID 4476 wrote to memory of 1320 4476 0c90a502cf1d5e66b289b82a22fc1693.exe 105 PID 4476 wrote to memory of 1320 4476 0c90a502cf1d5e66b289b82a22fc1693.exe 105 PID 3380 wrote to memory of 5112 3380 Explorer.EXE 106 PID 3380 wrote to memory of 5112 3380 Explorer.EXE 106 PID 3380 wrote to memory of 5112 3380 Explorer.EXE 106 PID 5112 wrote to memory of 5048 5112 NETSTAT.EXE 108 PID 5112 wrote to memory of 5048 5112 NETSTAT.EXE 108 PID 5112 wrote to memory of 5048 5112 NETSTAT.EXE 108
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3380 -
C:\Users\Admin\AppData\Local\Temp\0c90a502cf1d5e66b289b82a22fc1693.exe"C:\Users\Admin\AppData\Local\Temp\0c90a502cf1d5e66b289b82a22fc1693.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1320
-
-
-
C:\Windows\SysWOW64\NETSTAT.EXE"C:\Windows\SysWOW64\NETSTAT.EXE"2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵PID:5048
-
-