Analysis
-
max time kernel
146s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
25/12/2023, 00:43
Static task
static1
Behavioral task
behavioral1
Sample
1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe
Resource
win7-20231215-en
General
-
Target
1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe
-
Size
1.2MB
-
MD5
1dce0fc0bcc3ed4f7af74bdaeef37a5f
-
SHA1
44db74becdf78474e7b4418cd24274b88410c02f
-
SHA256
e8bb9e81ed75437b45f90b1c65e3100c618090d66d7fa37f5208fedc6972f142
-
SHA512
55770eaac58703a98bb05f8da7b7357cd09b747de3dbb89f41fae380d6fa50ad5302398c8b8fffa18257b234e5f3e7a7a315bd0470f379720d34fd8b1e317f46
-
SSDEEP
24576:cxOsBgo0q4wMMBmCmTOUd+L6kLXWGmHUdR6B8w5+lx/2:cIoHMUmCm6Ud+zLXbmHVB8Bx+
Malware Config
Extracted
xloader
2.3
wten
largshomebuyers.com
hqs.xyz
stormvalleysoapco.com
coolsoftware.xyz
creditfitbootcamp.com
mdroc.com
cooperseyewear.com
mrleyos.com
apipacking.com
mtdivas.com
bim3dstudio.com
ngdnwgtsf.club
arknmhsc.com
expowe.icu
surfacesupplierscanada.com
thinbluelion.com
vbetmalaysia.com
christcarriers.com
easternshoreautobody.com
healthyvibrantandbeautiful.com
lacarerx.com
woofreelance.online
larkfam.com
worldambedkarsociety.com
cedeaccount.com
xn--qbt233i.xn--hxt814e
the-level.net
bhoomifoodsdaily.com
testjaycypes015.com
indiarmc.com
bestskiboat.com
blackmarkethn.com
watdomenren48.com
approvednursingdegreeca.com
oxystudio1.com
digitalaage.com
comingintopower.com
bhakti.exchange
msd.rest
rostig-brennend.com
techbotsoftware.com
abrosnm3.com
hamrharddrive.com
eglobaldirect.com
rollingrevenueroadmap.com
yourchanceisnow.com
supremeleas.com
roshanrajas.com
peppershare.net
augeware.com
kvperryman.com
electricvehiclesdetroit.com
dinhgianhadatdanang.com
dbd-cs.com
bfosterbeauty.com
maildeskserv.com
pickenshomesforless.com
hawrang.com
janinefowler.com
yz-wsly.com
cyberfamilydesignagency.com
shopchampagnetoast.com
in-homeaccountants.com
targetstudio.net
kolpath.com
Signatures
-
CustAttr .NET packer 1 IoCs
Detects CustAttr .NET packer in memory.
resource yara_rule behavioral2/memory/3264-8-0x00000000062F0000-0x0000000006302000-memory.dmp CustAttr -
Xloader payload 1 IoCs
resource yara_rule behavioral2/memory/4408-13-0x0000000000400000-0x0000000000428000-memory.dmp xloader -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3264 set thread context of 4408 3264 1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe 102 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4408 1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe 4408 1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3264 wrote to memory of 4408 3264 1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe 102 PID 3264 wrote to memory of 4408 3264 1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe 102 PID 3264 wrote to memory of 4408 3264 1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe 102 PID 3264 wrote to memory of 4408 3264 1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe 102 PID 3264 wrote to memory of 4408 3264 1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe 102 PID 3264 wrote to memory of 4408 3264 1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe"C:\Users\Admin\AppData\Local\Temp\1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Users\Admin\AppData\Local\Temp\1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe"C:\Users\Admin\AppData\Local\Temp\1dce0fc0bcc3ed4f7af74bdaeef37a5f.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4408
-