Analysis

max time kernel: 146s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/12/2023, 19:48
Static task: static1

Behavioral task: behavioral1
  Sample: 0eb57a45752250a02951ac1fd7e79061.exe
  Resource: win7-20231129-en

Note that the behavioural results on this page carry the behavioral2 prefix and the header above describes a Windows 10 run; the Windows 7 task (behavioral1) is listed here, but none of its results appear below.
General

Target: 0eb57a45752250a02951ac1fd7e79061.exe
Size: 1.6MB
MD5: 0eb57a45752250a02951ac1fd7e79061
SHA1: c5f35af89e31633b921f81ca037d37bc27a5d189
SHA256: a521b489989a9c3e92621174ec90982d6bbf04ddc074eff4feef54c18017418c
SHA512: 1854fa87ef160023546d107fe391534ff6947196c4e89bc130619ffca5ad4ea91a6b6007f320de16e286c36ffc149c4e0a3db1cdc93225499c623b44ab329c61
SSDEEP: 24576:phOc1xW5oaXpcB7mVSaccPuvcd5OGQT/1/0nS+7n4SYwqK4zf3RTsAHWAgqChJ+T:TAiecqBRNT4wgp/anPCfNQuiNB/e
Malware Config (extracted)

Family: xloader
Version: 2.3
Campaign ID: uisg
Domains (65 entries):

Xloader/Formbook configurations embed a list of decoy domains alongside the real command-and-control host, and many of the decoys are legitimate sites. Treat the list below as hunting and alerting material, not as an unconditional block-list.
editions-doc.com
nbchengfei.com
adepojuolaoluwa.com
wereldsewoorden.com
sjstyles.com
indigo-cambodia.com
avrenue.com
decaturwilbert.com
tech-really.com
kimurayoshino.com
melocotonmx.com
njrxmjg.com
amandadoylecoach.com
miniaide.com
kocaeliescortalev.com
ycxshi.com
f4funda.com
126047cp.com
projecteutopia.com
masksforvoting.com
indi-cali.com
ingam.design
theneighborhoodmasterclass.com
brandstormmediagroup.com
soothinglanguages.com
msmoneymaximiser.com
yduc.net
daniellageorges.com
lvaceu.com
institutoamc.com
hare-sec.com
asd-miris.com
beton-9.com
morehigher.com
cobblestoneroads.com
falhro.com
skincaretrial1.info
insideajazzyminute.net
loginforce.com
alluviumtheater.com
forevercelebration2021.com
wajeofxcv.com
ycshwhcm.com
rustyroselondon.com
forestbathingguru.com
gourmetemarket.com
dna-home-testing.com
assaulttrucking.net
nourgamalyoussef.com
soujson.com
sorelsverige.com
tandooridhaba.com
hypovida.foundation
iregentos.info
bjornadal.info
okdiu.com
857wu.com
3g54.club
xfa80.com
betxtremer.com
autominingsystem.com
ilcarecontinuum.net
eventualitiesofcrime.com
bst-gebaeudereinigung.com
makarimusic2020.com
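The domain list above is only useful once it is on a sensor. The following is an added example, not part of the sandbox report or the Xloader extractor, that normalises a copy-pasted domain list, defangs it for tickets, and emits one Suricata DNS alert rule per domain. It assumes Suricata 6 or later (for the dotprefix transform), uses a constructed subset of the domains from the config, and the sid base 1000000 and campaign tag are illustrative choices.

```python
"""Turn an Xloader sandbox config (domain list) into hunting artefacts.

Added example; not code from the sandbox vendor or the malware extractor.
"""
from __future__ import annotations

import re
from typing import Iterable

# Constructed subset of the 65 domains listed in the extracted config above.
XLOADER_UISG_DOMAINS = [
    "editions-doc.com",
    "nbchengfei.com",
    "ingam.design",
    "3g54.club",
    "hypovida.foundation",
    "skincaretrial1.info",
]

_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"                               # total length cap
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"  # one or more DNS labels
    r"[a-z]{2,63}$"                                 # alphabetic TLD
)


def normalise_domains(domains: Iterable[str]) -> list[str]:
    """Lower-case, strip whitespace and trailing dots, drop duplicates and
    anything that is not a syntactically valid hostname. Sandbox output is
    copy-pasted text, so junk must be rejected before it reaches a sensor."""
    seen: set[str] = set()
    out: list[str] = []
    for raw in domains:
        d = raw.strip().lower().rstrip(".")
        if d and d not in seen and _HOSTNAME_RE.match(d):
            seen.add(d)
            out.append(d)
    return out


def defang(domain: str) -> str:
    """Make a domain safe to paste into tickets or chat: editions-doc[.]com."""
    return domain.replace(".", "[.]")


def suricata_dns_rules(domains: Iterable[str], sid_base: int = 1000000,
                       campaign: str = "uisg") -> list[str]:
    """Emit one Suricata DNS alert rule per domain.

    dns.query with dotprefix (Suricata >= 6) prepends a '.' to the queried
    name, so content:".example.com" with endswith matches example.com and
    its subdomains but not notexample.com. Alerting rather than dropping is
    deliberate: Xloader configs mix decoy domains with the real C2.
    sid_base is an assumed, locally allocated range.
    """
    rules: list[str] = []
    for i, d in enumerate(normalise_domains(domains)):
        rules.append(
            "alert dns $HOME_NET any -> any any ("
            f'msg:"Xloader {campaign} config domain {d}"; '
            f'dns.query; dotprefix; content:".{d}"; nocase; endswith; '
            f"classtype:trojan-activity; sid:{sid_base + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    for rule in suricata_dns_rules(XLOADER_UISG_DOMAINS):
        print(rule)
    print(", ".join(defang(d) for d in normalise_domains(XLOADER_UISG_DOMAINS)))
```

Feed the full 65-entry list in place of the constructed subset; the normalisation step silently drops any line that is not a hostname, so check the output count against the input count before loading the rules.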
Signatures

Xloader payload (1 IoC)
  resource: behavioral2/memory/4544-13-0x0000000000400000-0x0000000000428000-memory.dmp
  yara_rule: xloader

Suspicious use of SetThreadContext (1 IoC)
  PID 4608 (0eb57a45752250a02951ac1fd7e79061.exe) set thread context of PID 4544 (procid_target 105)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4544 (0eb57a45752250a02951ac1fd7e79061.exe), 2 events

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 4608 (0eb57a45752250a02951ac1fd7e79061.exe), Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4608 (0eb57a45752250a02951ac1fd7e79061.exe) wrote to memory of PID 4544 (procid_target 105), 6 events

Read together, these signatures describe process hollowing of a self-spawned child: PID 4608 adjusts its token for SeDebugPrivilege, writes into the second instance of the same executable (PID 4544) six times and then sets a thread context in it, and the Xloader YARA match lands in that child's memory at 0x400000-0x428000, the default image base of a 32-bit executable. The child, not the parent, is the process that enumerates processes, which is consistent with the unpacked Xloader payload executing there. Memory acquisition for this sample should therefore target PID 4544.
Processes

C:\Users\Admin\AppData\Local\Temp\0eb57a45752250a02951ac1fd7e79061.exe (PID 4608)
  command line: "C:\Users\Admin\AppData\Local\Temp\0eb57a45752250a02951ac1fd7e79061.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\0eb57a45752250a02951ac1fd7e79061.exe (PID 4544, child of PID 4608)
    command line: "C:\Users\Admin\AppData\Local\Temp\0eb57a45752250a02951ac1fd7e79061.exe"
    - Suspicious behavior: EnumeratesProcesses
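The sandbox reports SetThreadContext, WriteProcessMemory and the YARA hit as separate signatures; the analyst's job is to correlate them per parent/child pair into one hollowing verdict. The following is an added example, not part of the report or any sandbox's own logic, that does that correlation over API-trace style events. The event records are constructed from the PIDs, image path, write count and memory range on this page, and the event names and shape of the records are assumptions about how such a trace would be exported.

```python
"""Correlate sandbox API events into a process-hollowing finding.

Added example; the Event schema and event names are assumed, the values are
taken from the Signatures and Processes sections of the report above.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from typing import Iterable, Optional


@dataclass(frozen=True)
class Event:
    api: str                  # CreateProcess, WriteProcessMemory, SetThreadContext, ...
    pid: int                  # acting process
    image: str                # image path of the acting process
    target_pid: Optional[int] = None
    detail: str = ""          # child image, privilege name, YARA rule + range


IMAGE = r"C:\Users\Admin\AppData\Local\Temp\0eb57a45752250a02951ac1fd7e79061.exe"

# Constructed from the report: parent 4608, child 4544, six writes, one
# SetThreadContext, Xloader YARA match inside the child at 0x400000-0x428000.
EVENTS = [
    Event("AdjustPrivilegeToken", 4608, IMAGE, detail="SeDebugPrivilege"),
    Event("CreateProcess", 4608, IMAGE, target_pid=4544, detail=IMAGE),
    *[Event("WriteProcessMemory", 4608, IMAGE, target_pid=4544) for _ in range(6)],
    Event("SetThreadContext", 4608, IMAGE, target_pid=4544),
    Event("YaraMatch", 4544, IMAGE,
          detail="xloader 0x0000000000400000-0x0000000000428000"),
]


@dataclass
class HollowingFinding:
    parent: int
    child: int
    same_image: bool            # parent re-launched its own executable
    writes: int                 # WriteProcessMemory calls parent -> child
    thread_context_set: bool    # SetThreadContext parent -> child
    payload_in_child: list[str] = field(default_factory=list)

    @property
    def confident(self) -> bool:
        # Writing into a child it just created and then redirecting one of its
        # threads is the hollowing signature. A same-image self-spawn and a
        # payload match inside the child raise confidence further but are not
        # required: injectors also target unrelated hosts such as explorer.exe.
        return self.writes > 0 and self.thread_context_set


def detect_hollowing(events: Iterable[Event]) -> list[HollowingFinding]:
    events = list(events)
    children: dict[int, tuple[int, str]] = {}   # child pid -> (parent pid, child image)
    writes: dict[tuple[int, int], int] = defaultdict(int)
    ctx: set[tuple[int, int]] = set()
    yara: dict[int, list[str]] = defaultdict(list)

    for e in events:
        if e.api == "CreateProcess" and e.target_pid is not None:
            children[e.target_pid] = (e.pid, e.detail)
        elif e.api == "WriteProcessMemory" and e.target_pid is not None:
            writes[(e.pid, e.target_pid)] += 1
        elif e.api == "SetThreadContext" and e.target_pid is not None:
            ctx.add((e.pid, e.target_pid))
        elif e.api == "YaraMatch":
            yara[e.pid].append(e.detail)

    findings: list[HollowingFinding] = []
    for child, (parent, child_image) in children.items():
        key = (parent, child)
        if writes.get(key, 0) == 0 and key not in ctx:
            continue  # ordinary child process, nothing was injected into it
        parent_image = next(e.image for e in events if e.pid == parent)
        findings.append(HollowingFinding(
            parent=parent,
            child=child,
            same_image=child_image.lower() == parent_image.lower(),
            writes=writes.get(key, 0),
            thread_context_set=key in ctx,
            payload_in_child=list(yara.get(child, [])),
        ))
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(EVENTS):
        verdict = "process hollowing" if f.confident else "suspicious write"
        print(f"{verdict}: {f.parent} -> {f.child} same_image={f.same_image} "
              f"writes={f.writes} ctx={f.thread_context_set} payload={f.payload_in_child}")
```

The keying on the (parent, child) pair is what turns three medium-severity hints into one finding that names the process to dump. This works on API-level traces such as a sandbox produces; host telemetry like Sysmon does not log SetThreadContext directly, so the same logic there has to lean on the self-spawn and on later indicators from the child.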