Analysis
max time kernel: 149s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/12/2023, 00:36
Static task: static1
Behavioral task: behavioral1
Sample: bc8db9869cafb1a79072aca3b18ca3ad.exe
Resource: win7-20231129-en
General
Target: bc8db9869cafb1a79072aca3b18ca3ad.exe
Size: 1.3MB
MD5: bc8db9869cafb1a79072aca3b18ca3ad
SHA1: 98ff05f90f1c7bad85cc6a85d60fdff2cef8cb36
SHA256: 8881345e69d32ff3178d762456a96927b45f0236e2ddf2ffcb57db02340c67bd
SHA512: 1de92c8e160d330280494f71356284b8791f7cfb9c2e78ddfd52bd85b3ef9ede2d173ffa3d22e2819dabf5b868f19821a5385fd10065a21be1c2856cfe02ef4a
SSDEEP: 24576:DJscW5oaXpcB7mVSaccPuvcd5OGQT/1/0nS+7n4SYwqK4zf3RTsAHWAgqChJ+huE:N6iecXqMQI8oEdqNQuiNB/e7
Malware Config
Extracted
Family: xloader
Version: 2.3
Campaign: h388
Signatures

Xloader payload (1 IoC)
resource                                                                       yara_rule
behavioral2/memory/4792-13-0x0000000000400000-0x0000000000429000-memory.dmp    xloader

Suspicious use of SetThreadContext (1 IoC)
description                          pid   Process                                procid_target
PID 540 set thread context of 4792   540   bc8db9869cafb1a79072aca3b18ca3ad.exe   103

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid    Process
4792   bc8db9869cafb1a79072aca3b18ca3ad.exe
4792   bc8db9869cafb1a79072aca3b18ca3ad.exe
4792   bc8db9869cafb1a79072aca3b18ca3ad.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description               pid   Process
Token: SeDebugPrivilege   540   bc8db9869cafb1a79072aca3b18ca3ad.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                       pid   Process                                procid_target
PID 540 wrote to memory of 4792   540   bc8db9869cafb1a79072aca3b18ca3ad.exe   103
PID 540 wrote to memory of 4792   540   bc8db9869cafb1a79072aca3b18ca3ad.exe   103
PID 540 wrote to memory of 4792   540   bc8db9869cafb1a79072aca3b18ca3ad.exe   103
PID 540 wrote to memory of 4792   540   bc8db9869cafb1a79072aca3b18ca3ad.exe   103
PID 540 wrote to memory of 4792   540   bc8db9869cafb1a79072aca3b18ca3ad.exe   103
PID 540 wrote to memory of 4792   540   bc8db9869cafb1a79072aca3b18ca3ad.exe   103
Processes

1. C:\Users\Admin\AppData\Local\Temp\bc8db9869cafb1a79072aca3b18ca3ad.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\bc8db9869cafb1a79072aca3b18ca3ad.exe"
   PID: 540
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\bc8db9869cafb1a79072aca3b18ca3ad.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\bc8db9869cafb1a79072aca3b18ca3ad.exe"
      PID: 4792
      - Suspicious behavior: EnumeratesProcesses