Analysis
Max time kernel: 149s
Max time network: 154s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 27/12/2023, 22:36
Static task: static1
Behavioral task: behavioral1 (sample: b8ae19595ed2b1c06372f904f28c8983.exe; resource: win7-20231215-en)
Note: the memory dumps, PIDs and process tree in the Signatures and Processes sections below are named behavioral2/..., i.e. they come from the windows10-2004_x64 / win10v2004-20231215-en run described under Analysis, not from the win7 task listed here.
General
Target: b8ae19595ed2b1c06372f904f28c8983.exe (the file is named after its own MD5; the original filename is not recorded in this report)
Size: 703KB
MD5: b8ae19595ed2b1c06372f904f28c8983
SHA1: 4a1255c9a563cca8f7fa8c5e466900dac63669c3
SHA256: 2fbe2f9ceef4deca8b67d6cb32dc3cd8ebd422a95c24cf4392837f95ad560473
SHA512: 8792c9aadb77edc94b50fde8d638df3b234e9ea00dc558a21789c2791de99afbbcb4dd375fdbb9d43f4b7fb96c2d6469814de9e52617e88e01ded2e63bdbbc21
SSDEEP: 12288:9xZPU97PU9GkY3Mv5ux2BxOsBgo0q4wMbWDYSkijDWbA/AqBqDcibYvw/oyo/F3:9xAx2BxOsBgo0q4wMq79ScAoUcGEw+/F
Malware Config
Extracted
Family: xloader
Version: 2.3
Campaign: uqf5
Domains: the list below is the decoy-domain list carried in an XLoader (FormBook lineage) configuration. The live C2 is hidden among the decoys and the bot also contacts the decoys, so treat the whole list as IOCs for hunting, but do not read any single entry as a confirmed C2 without corroborating network evidence.
suiddock.com
sweetgyalshop.com
puterigarden.com
orangestoreusa.com
prostirkarpat.com
ajierfoods.com
mindlablearning.com
factiive.net
beautifulbrokenhearts.com
direcionalreservapraca.com
tvhoki.com
themoderncoachinstitute.com
classactionwalgreens.com
haloog.com
sachinkaushik.com
daleearnhardtjrchevyvip.com
disconight.net
ocyslibes.icu
encounterfy.com
infamoudpapertrail.com
familie-grenda.info
bekhcorp.com
xn--svafilesi-vpb.com
beijingqie9.icu
altctrlelite.com
shrikedata.com
yovome.com
ydwl3.com
shanmo456.com
joinkaisartoto88.net
kaaboodallas.com
fcirectt.com
vowelmagic.com
warungsuntik.com
fscute.com
wildwolfadventures.com
soarshipping.com
dawnbreakers-guild.com
kettleinn.com
cocomaxinc.com
myriskxchange.net
kennethspencer.com
fedspring.net
ashleyjordanoutlaws.com
yntykn.club
scimpachannel.com
twistedimagecustoms.com
meisterdesk.com
semanadosucesso.com
madameofmiami.com
inblackburnhamlet.com
floridawindscreen.com
pagebypaigephotography.com
rentgreenroom.com
abrosnm3.com
neuronitpro.com
shopromesempire.com
jstrobe.com
xfr-redcon.com
mieducaciondigital.com
orangemasters.com
screengriot.com
sam-mcdonald.net
wilderstead.life
southernhighlandsnails.com
Signatures

CustAttr .NET packer (2 IoCs)
Detects CustAttr .NET packer in memory.
  behavioral2/memory/2832-7-0x0000000002AE0000-0x0000000002AF2000-memory.dmp  (yara rule: CustAttr)
  behavioral2/memory/376-16-0x0000000001170000-0x00000000014BA000-memory.dmp  (yara rule: CustAttr)

Xloader payload (1 IoC)
  behavioral2/memory/376-12-0x0000000000400000-0x0000000000429000-memory.dmp  (yara rule: xloader)

Suspicious use of SetThreadContext (1 IoC)
  PID 2832 set thread context of 376   process: b8ae19595ed2b1c06372f904f28c8983.exe   procid_target: 102
  (procid_target is the report's internal index for the target process, not its Windows PID; the target's PID is 376.)

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PID 2832  b8ae19595ed2b1c06372f904f28c8983.exe  (6 events)
  PID 376   b8ae19595ed2b1c06372f904f28c8983.exe  (2 events)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege   PID 2832   b8ae19595ed2b1c06372f904f28c8983.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  PID 2832 (b8ae19595ed2b1c06372f904f28c8983.exe) wrote to memory of:
    PID 2036  (procid_target 105)  3 writes
    PID 3852  (procid_target 104)  3 writes
    PID 3068  (procid_target 103)  3 writes
    PID 376   (procid_target 102)  6 writes

Reading the signatures together: the first stage (PID 2832, flagged as a CustAttr-packed .NET binary) enables SeDebugPrivilege, spawns copies of its own image, writes into four of them, and changes the thread context of exactly one (PID 376). That child is the only one whose memory carries the XLoader payload, at 0x00400000-0x00429000, the default image base of a 32-bit PE. WriteProcessMemory into a freshly spawned copy of the same image followed by SetThreadContext on it is the sequence of process hollowing, and PID 376 is the process to acquire if you want the unpacked payload. The three other children (2036, 3852, 3068) were written to but never had a thread context set and show no further activity in this run.
Processes
C:\Users\Admin\AppData\Local\Temp\b8ae19595ed2b1c06372f904f28c8983.exe  (PID 2832, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\b8ae19595ed2b1c06372f904f28c8983.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  └─ C:\Users\Admin\AppData\Local\Temp\b8ae19595ed2b1c06372f904f28c8983.exe  (PID 376, depth 2)
       command line: "C:\Users\Admin\AppData\Local\Temp\b8ae19595ed2b1c06372f904f28c8983.exe"
       - Suspicious behavior: EnumeratesProcesses
  └─ C:\Users\Admin\AppData\Local\Temp\b8ae19595ed2b1c06372f904f28c8983.exe  (PID 3068, depth 2)
       command line: "C:\Users\Admin\AppData\Local\Temp\b8ae19595ed2b1c06372f904f28c8983.exe"
  └─ C:\Users\Admin\AppData\Local\Temp\b8ae19595ed2b1c06372f904f28c8983.exe  (PID 3852, depth 2)
       command line: "C:\Users\Admin\AppData\Local\Temp\b8ae19595ed2b1c06372f904f28c8983.exe"
  └─ C:\Users\Admin\AppData\Local\Temp\b8ae19595ed2b1c06372f904f28c8983.exe  (PID 2036, depth 2)
       command line: "C:\Users\Admin\AppData\Local\Temp\b8ae19595ed2b1c06372f904f28c8983.exe"

All four children are copies of the parent's own image, launched with an identical, argument-less command line.
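The Signatures and Processes sections above list the raw injection events but leave the reader to correlate them by hand. The following is an added example (not Tria.ge code and not part of this report) that performs that correlation: it groups WriteProcessMemory and SetThreadContext rows by target PID, attaches the YARA hits by the dump's `<pid>-<n>-<start>-<end>` name, and reaches a per-process verdict. The event strings, process list and YARA hits are constructed from the rows above in the report's own phrasing; the verdict labels, the `Target` record and the `IMAGE_BASE_32` constant are this example's own choices.

```python
"""Correlate sandbox process-injection rows into a per-target verdict.

Added example for this report (not Tria.ge's code). All inputs below are
constructed from the Signatures and Processes sections of the report; nothing
is fetched from the sandbox.
"""
import re
from dataclasses import dataclass, field

# Image name shared by every process in the tree (the sample is named by its MD5).
SAMPLE = "b8ae19595ed2b1c06372f904f28c8983.exe"

# Signature descriptions, constructed from the report's rows.
EVENTS = [
    "Token: SeDebugPrivilege",
    "PID 2832 set thread context of 376",
] + [
    f"PID 2832 wrote to memory of {target}"
    for target in (2036, 2036, 2036, 3852, 3852, 3852,
                   3068, 3068, 3068, 376, 376, 376, 376, 376, 376)
]

# pid -> image name, from the Processes section.
PROCESSES = {2832: SAMPLE, 376: SAMPLE, 3068: SAMPLE, 3852: SAMPLE, 2036: SAMPLE}

# YARA rule hits keyed by memory-dump path; dumps are named <pid>-<n>-<start>-<end>.
YARA_HITS = {
    "behavioral2/memory/2832-7-0x0000000002AE0000-0x0000000002AF2000-memory.dmp": "CustAttr",
    "behavioral2/memory/376-16-0x0000000001170000-0x00000000014BA000-memory.dmp": "CustAttr",
    "behavioral2/memory/376-12-0x0000000000400000-0x0000000000429000-memory.dmp": "xloader",
}

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
DUMP_RE = re.compile(r"/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

IMAGE_BASE_32 = 0x00400000  # default image base of a 32-bit PE; a hollowed payload lands here


@dataclass
class Target:
    pid: int
    writes: int = 0
    writers: set = field(default_factory=set)
    thread_context_set: bool = False
    yara: list = field(default_factory=list)
    payload_at_image_base: bool = False


def correlate(events, yara_hits):
    """Group writes, SetThreadContext and YARA hits by the process that received them."""
    targets = {}

    def get(pid):
        return targets.setdefault(pid, Target(pid))

    for desc in events:
        m = WRITE_RE.fullmatch(desc)
        if m:
            t = get(int(m[2]))
            t.writes += 1
            t.writers.add(int(m[1]))
            continue
        m = CTX_RE.fullmatch(desc)
        if m:
            get(int(m[2])).thread_context_set = True

    for dump, rule in yara_hits.items():
        m = DUMP_RE.search(dump)
        if not m:
            continue
        t = get(int(m[1]))
        t.yara.append(rule)
        if int(m[2], 16) == IMAGE_BASE_32:
            t.payload_at_image_base = True
    return targets


def verdict(t, processes):
    """Hollowing needs a write, a thread-context change and a writer running the same image."""
    same_image = bool(t.writers) and all(
        processes.get(w) is not None and processes.get(w) == processes.get(t.pid)
        for w in t.writers
    )
    if t.writes and t.thread_context_set and same_image:
        return "probable process hollowing"
    if t.writes and same_image:
        return "self-injection without thread-context change"
    if t.writes:
        return "remote write from another image"
    return "no injection observed"


def summarize(events, processes, yara_hits):
    """pid -> verdict for every process that was written to or has a YARA hit."""
    return {pid: verdict(t, processes)
            for pid, t in sorted(correlate(events, yara_hits).items())}


if __name__ == "__main__":
    for pid, t in sorted(correlate(EVENTS, YARA_HITS).items()):
        print(f"{pid:>5}  writes={t.writes}  ctx={t.thread_context_set}  "
              f"yara={t.yara}  base={t.payload_at_image_base}  -> {verdict(t, PROCESSES)}")
```

Run against the report's events, PID 376 is the only target that collects a write, a SetThreadContext and a payload dump at the 32-bit image base, so it is the one to pull for the unpacked XLoader; the other three children come out as writes without a context change. The same-image check matters in triage because a parent writing into a copy of itself is far more specific to hollowing loaders than writes into an unrelated process, which EDR tooling also sees from legitimate debuggers and injectors.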