Analysis Overview
SHA256
12d89c6e8e3ef2ec6ae4fda7dce291a2418a51daa9eba44a583ced847c9e4e42
Threat Level: Known bad
The file 0c90a502cf1d5e66b289b82a22fc1693 was found to be: Known bad.
Malicious Activity Summary
Xloader
Xloader payload
CustAttr .NET packer
Suspicious use of SetThreadContext
Unsigned PE
Gathers network information
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-24 18:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-24 18:39
Reported
2023-12-25 08:46
Platform
win7-20231129-en
Max time kernel
148s
Max time network
122s
Command Line
Signatures
Xloader
CustAttr .NET packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1108 set thread context of 2760 | N/A | C:\Users\Admin\AppData\Local\Temp\0c90a502cf1d5e66b289b82a22fc1693.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2760 set thread context of 1380 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Explorer.EXE |
| PID 2488 set thread context of 1380 | N/A | C:\Windows\SysWOW64\ipconfig.exe | C:\Windows\Explorer.EXE |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\0c90a502cf1d5e66b289b82a22fc1693.exe
"C:\Users\Admin\AppData\Local\Temp\0c90a502cf1d5e66b289b82a22fc1693.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
Files
memory/1108-1-0x00000000747B0000-0x0000000074E9E000-memory.dmp
memory/1108-0-0x0000000000240000-0x000000000038C000-memory.dmp
memory/1108-2-0x00000000020A0000-0x00000000020E0000-memory.dmp
memory/1108-3-0x0000000000420000-0x0000000000432000-memory.dmp
memory/1108-4-0x00000000747B0000-0x0000000074E9E000-memory.dmp
memory/1108-5-0x00000000020A0000-0x00000000020E0000-memory.dmp
memory/1108-6-0x0000000005720000-0x00000000057BE000-memory.dmp
memory/1108-7-0x0000000000820000-0x000000000084E000-memory.dmp
memory/1380-16-0x0000000000240000-0x0000000000340000-memory.dmp
memory/1380-19-0x0000000006710000-0x0000000006833000-memory.dmp
memory/2760-18-0x0000000000140000-0x0000000000150000-memory.dmp
memory/2760-17-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2760-15-0x0000000000880000-0x0000000000B83000-memory.dmp
memory/1108-13-0x00000000747B0000-0x0000000074E9E000-memory.dmp
memory/2760-12-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2760-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2760-9-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2760-8-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2488-21-0x0000000000420000-0x000000000042A000-memory.dmp
memory/2488-22-0x0000000000080000-0x00000000000A8000-memory.dmp
memory/2488-23-0x0000000002060000-0x0000000002363000-memory.dmp
memory/2488-20-0x0000000000420000-0x000000000042A000-memory.dmp
memory/2488-24-0x0000000000080000-0x00000000000A8000-memory.dmp
memory/2488-26-0x0000000000430000-0x00000000004BF000-memory.dmp
memory/1380-28-0x0000000006710000-0x0000000006833000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-24 18:39
Reported
2023-12-25 08:47
Platform
win10v2004-20231215-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Xloader
CustAttr .NET packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4476 set thread context of 1320 | N/A | C:\Users\Admin\AppData\Local\Temp\0c90a502cf1d5e66b289b82a22fc1693.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 1320 set thread context of 3380 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Explorer.EXE |
| PID 5112 set thread context of 3380 | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | C:\Windows\Explorer.EXE |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0c90a502cf1d5e66b289b82a22fc1693.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\0c90a502cf1d5e66b289b82a22fc1693.exe
"C:\Users\Admin\AppData\Local\Temp\0c90a502cf1d5e66b289b82a22fc1693.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 148.177.190.20.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | N/A | tcp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.produtos-servicos.website | udp |
| US | 8.8.8.8:53 | www.decayette.com | udp |
| US | 8.8.8.8:53 | www.beaconservicesuk.com | udp |
| US | 34.149.87.45:80 | www.beaconservicesuk.com | tcp |
| US | 8.8.8.8:53 | 45.87.149.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.flbtyc638.com | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.illoftapartments.com | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
| US | 3.33.130.190:80 | www.illoftapartments.com | tcp |
| US | 8.8.8.8:53 | 190.130.33.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.jalenowens.com | udp |
| GB | 142.250.180.19:80 | www.jalenowens.com | tcp |
| US | 8.8.8.8:53 | 19.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.londonsashwindowsservices.com | udp |
| US | 8.8.8.8:53 | www.thomasjeffersonbyrd.com | udp |
| US | 76.223.67.189:80 | www.thomasjeffersonbyrd.com | tcp |
| US | 8.8.8.8:53 | 189.67.223.76.in-addr.arpa | udp |
Files
memory/4476-0-0x00000000749C0000-0x0000000075170000-memory.dmp
memory/4476-1-0x0000000000D80000-0x0000000000ECC000-memory.dmp
memory/4476-2-0x0000000005E40000-0x00000000063E4000-memory.dmp
memory/4476-3-0x0000000005930000-0x00000000059C2000-memory.dmp
memory/4476-4-0x0000000005AA0000-0x0000000005AB0000-memory.dmp
memory/4476-5-0x00000000058D0000-0x00000000058DA000-memory.dmp
memory/4476-6-0x0000000005BA0000-0x0000000005C3C000-memory.dmp
memory/4476-7-0x00000000059E0000-0x00000000059F2000-memory.dmp
memory/4476-8-0x00000000749C0000-0x0000000075170000-memory.dmp
memory/4476-9-0x0000000005AA0000-0x0000000005AB0000-memory.dmp
memory/4476-10-0x0000000006930000-0x00000000069CE000-memory.dmp
memory/4476-11-0x00000000052B0000-0x00000000052DE000-memory.dmp
memory/1320-12-0x0000000000400000-0x0000000000428000-memory.dmp
memory/4476-14-0x00000000749C0000-0x0000000075170000-memory.dmp
memory/1320-15-0x0000000001870000-0x0000000001BBA000-memory.dmp
memory/1320-17-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1320-18-0x0000000001330000-0x0000000001340000-memory.dmp
memory/3380-19-0x00000000080C0000-0x0000000008226000-memory.dmp
memory/5112-20-0x0000000000020000-0x000000000002B000-memory.dmp
memory/5112-21-0x0000000000020000-0x000000000002B000-memory.dmp
memory/5112-22-0x0000000000440000-0x0000000000468000-memory.dmp
memory/5112-23-0x0000000000CF0000-0x000000000103A000-memory.dmp
memory/5112-25-0x0000000000440000-0x0000000000468000-memory.dmp
memory/3380-26-0x00000000080C0000-0x0000000008226000-memory.dmp
memory/5112-28-0x0000000000A20000-0x0000000000AAF000-memory.dmp
memory/3380-30-0x0000000008670000-0x00000000087CD000-memory.dmp
memory/3380-31-0x0000000008670000-0x00000000087CD000-memory.dmp
memory/3380-34-0x0000000008670000-0x00000000087CD000-memory.dmp