Analysis

max time kernel: 148s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/12/2023, 00:59
Static task: static1
Behavioral task: behavioral1
Sample: bd4acec724764aff79889c171a7fa327.exe
Resource: win7-20231129-en
General

Target: bd4acec724764aff79889c171a7fa327.exe
Size: 1.2MB
MD5: bd4acec724764aff79889c171a7fa327
SHA1: 2bdfc8ae9840d7be4da6412fbdf5eb8c072ac048
SHA256: f922e5ed74050041bbdad3ab177c8c14d18c9147827b58e4bce90631c513cb6e
SHA512: 6d0e92c6eef66136dfdc29f0dcc065481eb3697bc76153f9cdc820e9fde5429a5e45190570ef3bff4edc33d2803943328995b5543379ed5ee10837d76d6d4a5a
SSDEEP: 24576:HUOsBgo0q4wM8BmCmTOUd+L6kyXWJP389UZAtRm0gtZL8W6Su:HdoHMkmCm6Ud+zyXy389qAfxgDvu
Malware Config

Extracted: xloader 2.3 h388
Signatures

CustAttr .NET packer (1 IoC)
Detects CustAttr .NET packer in memory.
resource: behavioral2/memory/1196-8-0x0000000004E10000-0x0000000004E22000-memory.dmp
yara_rule: CustAttr

Xloader payload (1 IoC)
resource: behavioral2/memory/4300-12-0x0000000000400000-0x0000000000429000-memory.dmp
yara_rule: xloader

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1196 set thread context of 4300 | 1196 | bd4acec724764aff79889c171a7fa327.exe | 101

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4300 | bd4acec724764aff79889c171a7fa327.exe
4300 | bd4acec724764aff79889c171a7fa327.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 1196 wrote to memory of 4300 | 1196 | bd4acec724764aff79889c171a7fa327.exe | 101
PID 1196 wrote to memory of 4300 | 1196 | bd4acec724764aff79889c171a7fa327.exe | 101
PID 1196 wrote to memory of 4300 | 1196 | bd4acec724764aff79889c171a7fa327.exe | 101
PID 1196 wrote to memory of 4300 | 1196 | bd4acec724764aff79889c171a7fa327.exe | 101
PID 1196 wrote to memory of 4300 | 1196 | bd4acec724764aff79889c171a7fa327.exe | 101
PID 1196 wrote to memory of 4300 | 1196 | bd4acec724764aff79889c171a7fa327.exe | 101
Processes

1. C:\Users\Admin\AppData\Local\Temp\bd4acec724764aff79889c171a7fa327.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bd4acec724764aff79889c171a7fa327.exe"
   PID: 1196
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\bd4acec724764aff79889c171a7fa327.exe (child of PID 1196)
      Command line: "C:\Users\Admin\AppData\Local\Temp\bd4acec724764aff79889c171a7fa327.exe"
      PID: 4300
      - Suspicious behavior: EnumeratesProcesses