Analysis

max time kernel: 122s
max time network: 127s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 24/12/2023, 20:52

Static task: static1
Behavioral task: behavioral1
Sample: 1211e783a4c4d74c0705808877da506e.exe
Resource: win7-20231215-en
General

Target: 1211e783a4c4d74c0705808877da506e.exe
Size: 683KB
MD5: 1211e783a4c4d74c0705808877da506e
SHA1: 82fad96563b114986b5b309ea86c31d7b33929ee
SHA256: 636593bf497bb7b2c4d58b2b82701b49ce14cedb4661cb997e900982c5293de1
SHA512: 911bac00d2160af5535c4ecab5a68e0163c5f958e78e18d153ba199cc17786b2c61bb71bcaf659dbc3a34a3c40a7be5ffdd50c487d0cf0d5a5dfb412c3894451
SSDEEP: 12288:vQoPU9FPU9Wi3YHUWfcCOsBgo0q4wMnmV04IQtM8ZBEbRUietdz6oBd:vQ7fcCOsBgo0q4wMnTQtM8Z+bqieTn
Malware Config

Extracted: xloader
Version: 2.3
Campaign ID: p2io
Domains (65 entries). Xloader configs of this kind list decoy domains alongside the live C2, so block and hunt on the whole list rather than trying to guess which single entry is real:
essentiallyourscandles.com
cleanxcare.com
bigplatesmallwallet.com
iotcloud.technology
dmgt4m2g8y2uh.net
malcorinmobiliaria.com
thriveglucose.com
fuhaitongxin.com
magetu.info
pyithuhluttaw.net
myfavbutik.com
xzklrhy.com
anewdistraction.com
mercuryaid.net
thesoulrevitalist.com
swayam-moj.com
liminaltechnology.com
lucytime.com
alfenas.info
carmelodesign.com
newmopeds.com
cyrilgraze.com
ruhexuangou.com
trendbold.com
centergolosinas.com
leonardocarrillo.com
advancedaccessapplications.com
aideliveryrobot.com
defenestration.world
zgcbw.net
shopihy.com
3cheer.com
untylservice.com
totally-seo.com
cmannouncements.com
tpcgzwlpyggm.mobi
hfjxhs.com
balloon-artists.com
vectoroutlines.com
boogerstv.com
procircleacademy.com
tricqr.com
hazard-protection.com
buylocalclub.info
m678.xyz
hiddenwholesale.com
ololmychartlogin.com
redudiban.com
brunoecatarina.com
69-1hn7uc.net
zmzcrossrt.xyz
dreamcashbuyers.com
yunlimall.com
jonathan-mandt.com
painhut.com
pandemisorgugirisi-tr.com
sonderbach.net
kce0728com.net
austinpavingcompany.com
biztekno.com
rodriggi.com
micheldrake.com
foxwaybrasil.com
a3i7ufz4pt3.net
adultpeace.com
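The extracted domain list is only useful once it is normalised and turned into something a sensor can consume. The Python below is an added example, not part of this report or of any sandbox's tooling: it reads the extractor layout shown above (family, version, campaign ID, then one domain per line; reading the third line as a campaign ID is an assumption about the export), validates and de-duplicates the domains, and emits one Suricata DNS-query rule per domain. The sample input is a constructed subset of the 65 domains on this page, with a mixed-case duplicate and a junk line added to exercise the normalisation; the SID range is arbitrary.

```python
"""Turn the extracted Xloader config into a normalised domain blocklist and Suricata DNS rules."""
import re

# Constructed sample: the config header plus a subset of the 65 domains listed on this page,
# with a mixed-case duplicate and a junk line added to exercise normalisation.
EXTRACTED_CONFIG = """\
xloader
2.3
p2io
essentiallyourscandles.com
cleanxcare.com
dmgt4m2g8y2uh.net
69-1hn7uc.net
m678.xyz
Adultpeace.com
adultpeace.com
not a domain
"""

# Hostname syntax: labels of 1-63 alphanumerics/hyphens, alphabetic TLD, 253 chars overall.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def parse_config(text):
    """Read the extractor layout used above: family, version, campaign ID, then domains.
    Treating the third line as a campaign ID is an assumption about the export format."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if len(lines) < 3:
        raise ValueError("config too short")
    family, version, campaign = lines[:3]
    domains, seen, rejected = [], set(), []
    for raw in lines[3:]:
        d = raw.lower().rstrip(".")
        if not DOMAIN_RE.match(d):
            rejected.append(raw)          # keep junk visible instead of silently dropping it
            continue
        if d not in seen:                 # ordered de-duplication
            seen.add(d)
            domains.append(d)
    return {"family": family, "version": version, "campaign": campaign,
            "domains": domains, "rejected": rejected}


def suricata_rules(domains, sid_base, campaign):
    """One exact-match DNS query rule per domain. bsize pins the whole query buffer,
    so 'xadultpeace.com' does not fire the rule for 'adultpeace.com'."""
    rules = []
    for i, d in enumerate(domains):
        rules.append(
            f'alert dns $HOME_NET any -> any any (msg:"Xloader {campaign} config domain {d}"; '
            f'dns.query; content:"{d}"; nocase; bsize:{len(d)}; '
            f'classtype:trojan-activity; sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    cfg = parse_config(EXTRACTED_CONFIG)
    print(f"{cfg['family']} {cfg['version']} campaign {cfg['campaign']}: "
          f"{len(cfg['domains'])} domains, {len(cfg['rejected'])} rejected")
    print("\n".join(suricata_rules(cfg["domains"], sid_base=9000001, campaign=cfg["campaign"])))
```

The exact-match rules deliberately do not cover subdomains; if the campaign is seen using hosts under these domains, add a second rule per domain with `content:".<domain>"; nocase; endswith;` instead of `bsize`.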
Signatures

CustAttr .NET packer (1 IoC)
Detects CustAttr .NET packer in memory.
resource: behavioral1/memory/2408-3-0x0000000000370000-0x0000000000382000-memory.dmp | yara_rule: CustAttr

Xloader payload (2 IoCs)
resource: behavioral1/memory/2560-12-0x0000000000400000-0x0000000000428000-memory.dmp | yara_rule: xloader
resource: behavioral1/memory/2560-15-0x0000000000990000-0x0000000000C93000-memory.dmp | yara_rule: xloader

Suspicious use of SetThreadContext (1 IoC)
description: PID 2408 set thread context of 2560 | pid: 2408 | process: 1211e783a4c4d74c0705808877da506e.exe | procid_target: 30

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid: 2560 | process: 1211e783a4c4d74c0705808877da506e.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description: PID 2408 wrote to memory of 2560 | pid: 2408 | process: 1211e783a4c4d74c0705808877da506e.exe | procid_target: 30 (this identical row is recorded 7 times, one per write)

Read together, these rows describe the unpacking chain: the .NET packer (CustAttr hit in PID 2408) launches a second copy of the same executable (PID 2560), writes into it with WriteProcessMemory and redirects a thread with SetThreadContext, and the Xloader YARA rule then matches the child's memory, including the 0x400000-0x428000 range where a 32-bit executable's image is normally mapped. That is the process-hollowing pattern. The file on disk never contains the unpacked payload, so detections should key on the in-memory hits and on the parent-to-child write plus SetThreadContext pair, not on the on-disk hashes alone.
Processes

C:\Users\Admin\AppData\Local\Temp\1211e783a4c4d74c0705808877da506e.exe (PID 2408)
command line: "C:\Users\Admin\AppData\Local\Temp\1211e783a4c4d74c0705808877da506e.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\1211e783a4c4d74c0705808877da506e.exe (PID 2560, child of 2408)
  command line: "C:\Users\Admin\AppData\Local\Temp\1211e783a4c4d74c0705808877da506e.exe"
  - Suspicious behavior: EnumeratesProcesses
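The self-injection chain recorded in the Signatures and Processes sections (a parent writing into a child started from the same image and then calling SetThreadContext, with a payload YARA hit in the child) can be expressed as a small triage check. The Python below is an added example and not part of this report or of any sandbox's tooling: its inputs are the rows of this page re-typed as strings, the row layout is simply the one printed above rather than an export format, and the test for a YARA hit covering 0x400000 rests on the assumption that a 32-bit executable's image sits at that classic default base.

```python
"""Flag the process-hollowing pattern seen in this report: a parent that writes into a
child running the same image, redirects a thread with SetThreadContext, and leaves a
payload YARA hit over the child's image base."""
import re
from collections import defaultdict

# Sample input constructed from the report's signature rows; the row text mirrors the
# layout printed on this page and is not a sandbox export format.
SIGNATURE_ROWS = [
    "PID 2408 set thread context of 2560 2408 1211e783a4c4d74c0705808877da506e.exe 30",
] + [
    "PID 2408 wrote to memory of 2560 2408 1211e783a4c4d74c0705808877da506e.exe 30",
] * 7

# pid -> image path, from the Processes section.
PROCESS_IMAGES = {
    2408: r"C:\Users\Admin\AppData\Local\Temp\1211e783a4c4d74c0705808877da506e.exe",
    2560: r"C:\Users\Admin\AppData\Local\Temp\1211e783a4c4d74c0705808877da506e.exe",
}

# Memory-dump resource names and the rule that matched, from the Signatures section.
YARA_HITS = [
    "behavioral1/memory/2408-3-0x0000000000370000-0x0000000000382000-memory.dmp CustAttr",
    "behavioral1/memory/2560-12-0x0000000000400000-0x0000000000428000-memory.dmp xloader",
    "behavioral1/memory/2560-15-0x0000000000990000-0x0000000000C93000-memory.dmp xloader",
]

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) (?P<dst>\d+) "
    r"(?P<pid>\d+) (?P<process>\S+) (?P<procid_target>\d+)$"
)
DUMP_RE = re.compile(
    r"^behavioral1/memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)"
    r"-memory\.dmp (?P<rule>\S+)$"
)

# Classic default ImageBase of a 32-bit PE executable (assumption used by the heuristic).
DEFAULT_IMAGE_BASE = 0x400000


def parse_rows(rows):
    """Return {(src_pid, dst_pid): {"write": n, "set_context": n}} from the signature rows."""
    edges = defaultdict(lambda: {"write": 0, "set_context": 0})
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        key = (int(m["src"]), int(m["dst"]))
        edges[key]["write" if m["action"].startswith("wrote") else "set_context"] += 1
    return dict(edges)


def parse_yara_hits(hits):
    """Return {pid: [(start, end, rule), ...]} from the memory-dump resource names."""
    by_pid = defaultdict(list)
    for hit in hits:
        m = DUMP_RE.match(hit)
        if not m:
            raise ValueError(f"unrecognised resource: {hit!r}")
        by_pid[int(m["pid"])].append((int(m["start"], 16), int(m["end"], 16), m["rule"]))
    return dict(by_pid)


def detect_hollowing(rows, images, hits):
    """Report parent->child pairs that combine a memory write with SetThreadContext,
    and annotate whether they share an image path and what the child's memory matched."""
    findings = []
    yara = parse_yara_hits(hits)
    for (src, dst), counts in parse_rows(rows).items():
        if not (counts["write"] and counts["set_context"]):
            continue
        child_hits = yara.get(dst, [])
        findings.append({
            "parent": src,
            "child": dst,
            "write_count": counts["write"],
            "same_image": images.get(src) == images.get(dst),
            # A hit spanning the image base means the child's executable image itself was
            # replaced, not just a side allocation.
            "image_base_replaced": any(s <= DEFAULT_IMAGE_BASE < e for s, e, _ in child_hits),
            "payload_rules": sorted({r for _, _, r in child_hits}),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_hollowing(SIGNATURE_ROWS, PROCESS_IMAGES, YARA_HITS):
        print(finding)
```

On a live endpoint the same pattern surfaces as a Sysmon Event ID 10 (ProcessAccess) from the parent to a child that was started from the identical image path, with a write-capable access mask; the report above only gives the sandbox's view of those calls.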