Analysis
max time kernel: 122s
max time network: 133s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 28/12/2023, 03:32
Static task: static1
Behavioral task: behavioral1
Sample: c04f70436cf53db113a202251a48c4a5.exe
Resource: win7-20231215-en
General
Target: c04f70436cf53db113a202251a48c4a5.exe
Size: 1.3MB
MD5: c04f70436cf53db113a202251a48c4a5
SHA1: f677a68c0cf634372001f5506c6681e06e5120a9
SHA256: 98308710dc37148bf2d9b00829e791e1b2eb92703e1cd80b13e9e1a58d751651
SHA512: 3ea3b4d42e969595cf8a1309aa16aad8728a70a93101864e7a240101c8dcb166e11aec18b2130202b9e9da6d97d0ad96e58786f39a392ec12b04ebd228f76429
SSDEEP: 24576:G3S/d3YKzks/ksNBRWSnlbLF8CRAd56w/PdGhopy8jhMN6ZNbZ:oKJBRfnFFZUoishopCN6ZNb
Malware Config
Extracted
Family: xloader
Version: 2.3
Campaign: c8ec
Decoy domains:
kingmeters.com
thawoman.com
cannabisinseconds.com
3966399.com
grabopolska.online
krystalpacifico.com
quibii.com
wangzhanceshi.online
blog-techtalks.com
refreshlightingcompany.com
justrightmap.net
sewabhartidelhi.com
noharminmasking.com
speedysignin.website
schwabinsttutional.com
carbon2algae.com
pateleprevention.com
techsavypinaki.com
onemindafrica.com
flowerpeony.com
luisitocarrion.online
utradhikari.com
iniyamedia.xyz
carininha.com
xcuseheqahee.com
osterwalder.swiss
brmteam.com
listotwarty.net
clearbraceshonoluluhi.com
healthsaha.com
urbanwealthbuilder.com
tougherthanhell.com
agouraahas.com
autotextmoney.com
ronfooproperty.com
roughntumbleadventures.com
coreelz.xyz
awakeandriseministry.com
ravexim3.com
gthai999.com
xn--uds17hya4f549f40d.net
diesel-diagnostics.com
wizponja.com
spiritcology.com
cqaddn.com
aqualogia.paris
bbscorpionrepel.com
namlongwaterpoint.com
tibetdy.com
mrgranparaiso.com
cands-services.com
grainedas.com
hsyl961.com
darylandyani.com
healthyremoteworking.com
zz3ddy.com
candocharters.com
peacemyanmar.com
auto-recruiting.net
millennialmediainc.com
fleetrepsusa.com
arneeverts.com
disorder-symptoms.com
militarychamberofcommerce.com
pourheloise.com
Signatures

CustAttr .NET packer (1 IoC)
Detects CustAttr .NET packer in memory.
resource | yara_rule
behavioral1/memory/2176-3-0x0000000000370000-0x0000000000382000-memory.dmp | CustAttr

Xloader payload (2 IoCs)
resource | yara_rule
behavioral1/memory/2112-12-0x0000000000400000-0x0000000000428000-memory.dmp | xloader
behavioral1/memory/2112-15-0x0000000000AC0000-0x0000000000DC3000-memory.dmp | xloader

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2176 set thread context of 2112 | 2176 | c04f70436cf53db113a202251a48c4a5.exe | 30

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | Process
2112 | c04f70436cf53db113a202251a48c4a5.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 2176 wrote to memory of 2112 | 2176 | c04f70436cf53db113a202251a48c4a5.exe | 30
(the same row is recorded 7 times in the report: seven WriteProcessMemory events from PID 2176 into PID 2112)
Processes

1. C:\Users\Admin\AppData\Local\Temp\c04f70436cf53db113a202251a48c4a5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c04f70436cf53db113a202251a48c4a5.exe"
   PID: 2176
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. (child of PID 2176) C:\Users\Admin\AppData\Local\Temp\c04f70436cf53db113a202251a48c4a5.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\c04f70436cf53db113a202251a48c4a5.exe"
      PID: 2112
      - Suspicious behavior: EnumeratesProcesses