Analysis
max time kernel: 150s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/12/2023, 19:53
Static task: static1
Behavioral task: behavioral1
Sample: 0f03eab5505bb4a4df99ccead0fc28f4.exe
Resource: win7-20231215-en
General
Target: 0f03eab5505bb4a4df99ccead0fc28f4.exe
Size: 1.0MB
MD5: 0f03eab5505bb4a4df99ccead0fc28f4
SHA1: 3b77986e8695f04266eb03393272a7fc66d5415d
SHA256: aaa40ee2b509dc2b3a2f12f62d70565c85eb9aa13a7efd43bb86cfba0a3e1a88
SHA512: bfa9cd5a58bae5db8331789fdee64e30127b74f4fee95360c2029e0fe35d864207d2dcf25e568dcfd7b5ac9929b56ad522ac8064607ad9216493a56d8dd3aab8
SSDEEP: 24576:Dqz0NjVC/d3mK64J2R2CAkll97v7PPR67G:WcRK64JdC1lllzHo7
Malware Config
Extracted: xloader 2.3 ushb
Signatures

CustAttr .NET packer (1 IoC)
Detects CustAttr .NET packer in memory.
resource | yara_rule
behavioral2/memory/1568-8-0x0000000004B90000-0x0000000004BA2000-memory.dmp | CustAttr

Xloader payload (1 IoC)
resource | yara_rule
behavioral2/memory/1256-13-0x0000000000400000-0x0000000000428000-memory.dmp | xloader

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1568 set thread context of 1256 | 1568 | 0f03eab5505bb4a4df99ccead0fc28f4.exe | 102

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
1256 | 0f03eab5505bb4a4df99ccead0fc28f4.exe
1256 | 0f03eab5505bb4a4df99ccead0fc28f4.exe
1256 | 0f03eab5505bb4a4df99ccead0fc28f4.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 1568 wrote to memory of 1256 | 1568 | 0f03eab5505bb4a4df99ccead0fc28f4.exe | 102
PID 1568 wrote to memory of 1256 | 1568 | 0f03eab5505bb4a4df99ccead0fc28f4.exe | 102
PID 1568 wrote to memory of 1256 | 1568 | 0f03eab5505bb4a4df99ccead0fc28f4.exe | 102
PID 1568 wrote to memory of 1256 | 1568 | 0f03eab5505bb4a4df99ccead0fc28f4.exe | 102
PID 1568 wrote to memory of 1256 | 1568 | 0f03eab5505bb4a4df99ccead0fc28f4.exe | 102
PID 1568 wrote to memory of 1256 | 1568 | 0f03eab5505bb4a4df99ccead0fc28f4.exe | 102
Processes

C:\Users\Admin\AppData\Local\Temp\0f03eab5505bb4a4df99ccead0fc28f4.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f03eab5505bb4a4df99ccead0fc28f4.exe"
  PID: 1568
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\0f03eab5505bb4a4df99ccead0fc28f4.exe (depth 2, child of PID 1568)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0f03eab5505bb4a4df99ccead0fc28f4.exe"
    PID: 1256
    - Suspicious behavior: EnumeratesProcesses