Analysis

max time kernel: 134s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/12/2023, 22:57

Static task: static1
Behavioral task: behavioral1
Sample: b9b9932c5a7b698cb2d56cdf8b1223c8.exe
Resource: win7-20231129-en

General

Target: b9b9932c5a7b698cb2d56cdf8b1223c8.exe
Size: 1.6MB
MD5: b9b9932c5a7b698cb2d56cdf8b1223c8
SHA1: e38d3f830cde75c3ecf0d7081f8f9054fe0cf12e
SHA256: bed07b0251d8d888bf2f397fbeca98f581aa8cbea1e460024dd0ecfdb14d0105
SHA512: 47401b3b48257dc59d2dd490c9f27102cf77a35de146736ab88339f697e37632726710021d899a63e4cb0d687b699738072f4594dde7760d82d6fb65c6c10b8f
SSDEEP: 24576:ZPT/2rW5oaXpcB7mVSaccPuvcd5OGQT/1/0nS+7n4SYwqK4zf3RTsAHWAgqChJ+B:dCyiecVBKSJT2mS+TdpNQuiNB/e
Malware Config

Extracted
Family: xloader
Version: 2.3
Campaign: dt9v
Signatures

Xloader payload (1 IoC)
resource | yara_rule
behavioral2/memory/1388-13-0x0000000000400000-0x0000000000428000-memory.dmp | xloader

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 228 set thread context of 1388 | 228 | b9b9932c5a7b698cb2d56cdf8b1223c8.exe | 99

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1388 | b9b9932c5a7b698cb2d56cdf8b1223c8.exe
1388 | b9b9932c5a7b698cb2d56cdf8b1223c8.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 228 | b9b9932c5a7b698cb2d56cdf8b1223c8.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 228 wrote to memory of 1388 | 228 | b9b9932c5a7b698cb2d56cdf8b1223c8.exe | 99
(the same entry is recorded six times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\b9b9932c5a7b698cb2d56cdf8b1223c8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b9b9932c5a7b698cb2d56cdf8b1223c8.exe"
   PID: 228
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\b9b9932c5a7b698cb2d56cdf8b1223c8.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\b9b9932c5a7b698cb2d56cdf8b1223c8.exe"
      PID: 1388
      - Suspicious behavior: EnumeratesProcesses