Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2023, 05:38
Static task: static1
Behavioral task: behavioral1
Sample: 089176f8b75aeadbe1340475a97b64b3.exe
Resource: win7-20231129-en
General
Target: 089176f8b75aeadbe1340475a97b64b3.exe
Size: 587KB
MD5: 089176f8b75aeadbe1340475a97b64b3
SHA1: 750cefa894e5f6de4bca165835548b101bfc904e
SHA256: 4adb1957fc3c427382fe6fa8daaa5af58bffd5aa251daaaa73604ec7355eadf5
SHA512: 06d8faed66269213fdab47a7849e44b93e8411d1299987e3d381a8b2720f821010a03b0d9c3b26989971b9f8586d95f56bafbce06b787a85f835e15792f5f912
SSDEEP: 12288:SOsBgo0q4wMdDe7zc4nR/2alBJ0pZ1J2qdHFNlMejiuDDGljcp0RQw0wp/:SOsBgo0q4wMd0Tn044pZ1AI7jxSCp2Qi
Malware Config
Extracted
xloader
2.3
c3sc
Signatures

CustAttr .NET packer (1 IoC)
Detects CustAttr .NET packer in memory.
  resource: behavioral2/memory/2000-7-0x0000000004E00000-0x0000000004E12000-memory.dmp | yara_rule: CustAttr

Xloader payload (1 IoC)
  resource: behavioral2/memory/2168-11-0x0000000000400000-0x0000000000429000-memory.dmp | yara_rule: xloader

Suspicious use of SetThreadContext (1 IoC)
  description: PID 2000 set thread context of 2168 | pid: 2000 | Process: 089176f8b75aeadbe1340475a97b64b3.exe | procid_target: 103

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid: 2168 | Process: 089176f8b75aeadbe1340475a97b64b3.exe
  pid: 2168 | Process: 089176f8b75aeadbe1340475a97b64b3.exe
  pid: 2168 | Process: 089176f8b75aeadbe1340475a97b64b3.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 2000 wrote to memory of 2168 | pid: 2000 | Process: 089176f8b75aeadbe1340475a97b64b3.exe | procid_target: 103
  description: PID 2000 wrote to memory of 2168 | pid: 2000 | Process: 089176f8b75aeadbe1340475a97b64b3.exe | procid_target: 103
  description: PID 2000 wrote to memory of 2168 | pid: 2000 | Process: 089176f8b75aeadbe1340475a97b64b3.exe | procid_target: 103
  description: PID 2000 wrote to memory of 2168 | pid: 2000 | Process: 089176f8b75aeadbe1340475a97b64b3.exe | procid_target: 103
  description: PID 2000 wrote to memory of 2168 | pid: 2000 | Process: 089176f8b75aeadbe1340475a97b64b3.exe | procid_target: 103
  description: PID 2000 wrote to memory of 2168 | pid: 2000 | Process: 089176f8b75aeadbe1340475a97b64b3.exe | procid_target: 103
Processes

C:\Users\Admin\AppData\Local\Temp\089176f8b75aeadbe1340475a97b64b3.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\089176f8b75aeadbe1340475a97b64b3.exe"
  PID: 2000
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\089176f8b75aeadbe1340475a97b64b3.exe (child of PID 2000)
    command line: "C:\Users\Admin\AppData\Local\Temp\089176f8b75aeadbe1340475a97b64b3.exe"
    PID: 2168
    - Suspicious behavior: EnumeratesProcesses