Analysis

max time kernel: 142s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2023, 07:04

Static task: static1
Behavioral task: behavioral1
Sample: 0d7fb851c50ef26fc43c928641d6cf68.exe
Resource: win7-20231215-en
General

Target: 0d7fb851c50ef26fc43c928641d6cf68.exe
Size: 722KB
MD5: 0d7fb851c50ef26fc43c928641d6cf68
SHA1: 00ac9f1808e11e0e0d7494ecc3282d8a91ee6b29
SHA256: c05632d753a6edd803e0b666d5366ccaee29962d2600f886723f32a99262c4b0
SHA512: ec26effb427af9d43620b71e1438596275cb896f424062e4469bc6958f315ce39f6179338c5b4ed32443ff8857758b31d19bb0fee43b0585d97534fb7bb3eca7
SSDEEP: 12288:gTkKKgqoB2COsBgo0q4wMGmITWGAB4NeiDcfB7MW9/vgHRN6Szo/6:gT3KVCOsBgo0q4wMeTWGDeiD47bHgHW9
Malware Config

Extracted
Family: xloader
Version: 2.3
Campaign: p2io
Signatures

CustAttr .NET packer (1 IoC)
Detects CustAttr .NET packer in memory.
  resource: behavioral2/memory/2656-8-0x0000000002580000-0x0000000002592000-memory.dmp
  yara_rule: CustAttr

Xloader payload (1 IoC)
  resource: behavioral2/memory/3544-13-0x0000000000400000-0x0000000000428000-memory.dmp
  yara_rule: xloader

Suspicious use of SetThreadContext (1 IoC)
  description: PID 2656 set thread context of 3544
  pid: 2656
  Process: 0d7fb851c50ef26fc43c928641d6cf68.exe
  procid_target: 104

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 3544  Process: 0d7fb851c50ef26fc43c928641d6cf68.exe
  pid: 3544  Process: 0d7fb851c50ef26fc43c928641d6cf68.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description: PID 2656 wrote to memory of 3544  pid: 2656  Process: 0d7fb851c50ef26fc43c928641d6cf68.exe  procid_target: 104
  description: PID 2656 wrote to memory of 3544  pid: 2656  Process: 0d7fb851c50ef26fc43c928641d6cf68.exe  procid_target: 104
  description: PID 2656 wrote to memory of 3544  pid: 2656  Process: 0d7fb851c50ef26fc43c928641d6cf68.exe  procid_target: 104
  description: PID 2656 wrote to memory of 3544  pid: 2656  Process: 0d7fb851c50ef26fc43c928641d6cf68.exe  procid_target: 104
  description: PID 2656 wrote to memory of 3544  pid: 2656  Process: 0d7fb851c50ef26fc43c928641d6cf68.exe  procid_target: 104
  description: PID 2656 wrote to memory of 3544  pid: 2656  Process: 0d7fb851c50ef26fc43c928641d6cf68.exe  procid_target: 104
Processes

1. C:\Users\Admin\AppData\Local\Temp\0d7fb851c50ef26fc43c928641d6cf68.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0d7fb851c50ef26fc43c928641d6cf68.exe"
   PID: 2656
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\0d7fb851c50ef26fc43c928641d6cf68.exe (child of PID 2656)
      Command line: "C:\Users\Admin\AppData\Local\Temp\0d7fb851c50ef26fc43c928641d6cf68.exe"
      PID: 3544
      - Suspicious behavior: EnumeratesProcesses