Analysis Overview
SHA256
aaa40ee2b509dc2b3a2f12f62d70565c85eb9aa13a7efd43bb86cfba0a3e1a88
Threat Level: Known bad
The file 0f03eab5505bb4a4df99ccead0fc28f4 was found to be: Known bad.
Malicious Activity Summary
Xloader
Xloader payload
CustAttr .NET packer
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-12-25 07:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-25 07:32
Reported
2023-12-25 19:54
Platform
win7-20231215-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Xloader
CustAttr .NET packer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Xloader payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1472 set thread context of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\0f03eab5505bb4a4df99ccead0fc28f4.exe | C:\Users\Admin\AppData\Local\Temp\0f03eab5505bb4a4df99ccead0fc28f4.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f03eab5505bb4a4df99ccead0fc28f4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0f03eab5505bb4a4df99ccead0fc28f4.exe
"C:\Users\Admin\AppData\Local\Temp\0f03eab5505bb4a4df99ccead0fc28f4.exe"
C:\Users\Admin\AppData\Local\Temp\0f03eab5505bb4a4df99ccead0fc28f4.exe
"C:\Users\Admin\AppData\Local\Temp\0f03eab5505bb4a4df99ccead0fc28f4.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-25 07:32
Reported
2023-12-25 19:54
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
147s
Command Line
Signatures
Xloader
CustAttr .NET packer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Xloader payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 232 set thread context of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\0f03eab5505bb4a4df99ccead0fc28f4.exe | C:\Users\Admin\AppData\Local\Temp\0f03eab5505bb4a4df99ccead0fc28f4.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f03eab5505bb4a4df99ccead0fc28f4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f03eab5505bb4a4df99ccead0fc28f4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f03eab5505bb4a4df99ccead0fc28f4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f03eab5505bb4a4df99ccead0fc28f4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f03eab5505bb4a4df99ccead0fc28f4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0f03eab5505bb4a4df99ccead0fc28f4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0f03eab5505bb4a4df99ccead0fc28f4.exe
"C:\Users\Admin\AppData\Local\Temp\0f03eab5505bb4a4df99ccead0fc28f4.exe"
C:\Users\Admin\AppData\Local\Temp\0f03eab5505bb4a4df99ccead0fc28f4.exe
"C:\Users\Admin\AppData\Local\Temp\0f03eab5505bb4a4df99ccead0fc28f4.exe"
C:\Users\Admin\AppData\Local\Temp\0f03eab5505bb4a4df99ccead0fc28f4.exe
"C:\Users\Admin\AppData\Local\Temp\0f03eab5505bb4a4df99ccead0fc28f4.exe"
Network
Files