Analysis

Max time kernel: 120s
Max time network: 122s
Platform: windows7_x64
Resource: win7-20231129-en
Resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
Submitted: 28/12/2023, 00:59

Static task: static1
Behavioral task: behavioral1
  Sample: bd4acec724764aff79889c171a7fa327.exe
  Resource: win7-20231129-en
General

Target: bd4acec724764aff79889c171a7fa327.exe
Size: 1.2MB
MD5: bd4acec724764aff79889c171a7fa327
SHA1: 2bdfc8ae9840d7be4da6412fbdf5eb8c072ac048
SHA256: f922e5ed74050041bbdad3ab177c8c14d18c9147827b58e4bce90631c513cb6e
SHA512: 6d0e92c6eef66136dfdc29f0dcc065481eb3697bc76153f9cdc820e9fde5429a5e45190570ef3bff4edc33d2803943328995b5543379ed5ee10837d76d6d4a5a
SSDEEP: 24576:HUOsBgo0q4wM8BmCmTOUd+L6kyXWJP389UZAtRm0gtZL8W6Su:HdoHMkmCm6Ud+zyXy389qAfxgDvu
Malware Config

Extracted
Family: xloader
Version: 2.3
Campaign: h388
Decoy domains:
americangrindstone.com
qdy6.club
bestsecretrecipes.info
11restoran.com
mrhashtags.com
theexecutivestudio.com
levilatte.com
indiantrio.com
msdhigh.com
spartandiesel.com
soccersundays.com
eliteworldcars.com
superlemon001.com
greenlight.school
kuryeforum.xyz
abc-322.com
campbellretreat.com
argonmode.net
movievilla.info
brateix.info
prepping.store
fitlife.kitchen
strongerpayment.com
shab761.com
ourplayhousesc.com
cooperstandard-isg.info
thorntonhillshousecleaning.com
createnoasis.com
diamondrepm.com
iyeurt9dweb.xyz
in-a-best-world.net
ccxtx.com
pydyc.com
alohamonstera.com
mellairan.com
kamadenumilk.com
etoilebusinessgroup.com
hhyum.com
dxm-int.com
isbelleamore.com
ptmw420tours.com
minldsrvlceacvtlvty.net
parkavenue-mgmt.com
adventuresofavi.com
wolfecraft.com
tbkefuzhongxin.com
688699.net
joaniebaby.tips
motherearth-infinity-nature.com
ghouliani.com
sckhsm.com
diypoolpaint.sydney
kizinvanie.com
viajesybecas.online
unitedold.com
wjlst.com
petrotee.com
mada-gerd.xyz
jaegerma.com
thefinkelman.com
kalfalikustalik.com
chaodinhduongngucocbeone.net
innofit.site
campaigncomprehensive.com
innercriticarchetypes.com
Signatures

CustAttr .NET packer (1 IoC)
Detects CustAttr .NET packer in memory.
  resource:  behavioral1/memory/1680-3-0x0000000000460000-0x0000000000472000-memory.dmp
  yara_rule: CustAttr

Xloader payload (1 IoC)
  resource:  behavioral1/memory/2608-12-0x0000000000400000-0x0000000000429000-memory.dmp
  yara_rule: xloader

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process                                procid_target
  PID 1680 set thread context of 2608  1680  bd4acec724764aff79889c171a7fa327.exe   29

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1680  bd4acec724764aff79889c171a7fa327.exe
  2608  bd4acec724764aff79889c171a7fa327.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  1680  bd4acec724764aff79889c171a7fa327.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  description                        pid   Process                                procid_target
  PID 1680 wrote to memory of 2684   1680  bd4acec724764aff79889c171a7fa327.exe   28
  PID 1680 wrote to memory of 2684   1680  bd4acec724764aff79889c171a7fa327.exe   28
  PID 1680 wrote to memory of 2684   1680  bd4acec724764aff79889c171a7fa327.exe   28
  PID 1680 wrote to memory of 2684   1680  bd4acec724764aff79889c171a7fa327.exe   28
  PID 1680 wrote to memory of 2608   1680  bd4acec724764aff79889c171a7fa327.exe   29
  PID 1680 wrote to memory of 2608   1680  bd4acec724764aff79889c171a7fa327.exe   29
  PID 1680 wrote to memory of 2608   1680  bd4acec724764aff79889c171a7fa327.exe   29
  PID 1680 wrote to memory of 2608   1680  bd4acec724764aff79889c171a7fa327.exe   29
  PID 1680 wrote to memory of 2608   1680  bd4acec724764aff79889c171a7fa327.exe   29
  PID 1680 wrote to memory of 2608   1680  bd4acec724764aff79889c171a7fa327.exe   29
  PID 1680 wrote to memory of 2608   1680  bd4acec724764aff79889c171a7fa327.exe   29
Processes

C:\Users\Admin\AppData\Local\Temp\bd4acec724764aff79889c171a7fa327.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bd4acec724764aff79889c171a7fa327.exe"
  PID: 1680
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\bd4acec724764aff79889c171a7fa327.exe (child of PID 1680)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bd4acec724764aff79889c171a7fa327.exe"
    PID: 2684

  C:\Users\Admin\AppData\Local\Temp\bd4acec724764aff79889c171a7fa327.exe (child of PID 1680)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bd4acec724764aff79889c171a7fa327.exe"
    PID: 2608
    - Suspicious behavior: EnumeratesProcesses