Analysis
max time kernel: 146s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/12/2023, 03:20
Static task: static1
Behavioral task: behavioral1
Sample: bf743b8e013bea9379fa79b76aeaaf99.exe
Resource: win7-20231215-en
General
Target: bf743b8e013bea9379fa79b76aeaaf99.exe
Size: 1.2MB
MD5: bf743b8e013bea9379fa79b76aeaaf99
SHA1: a178460c272800ac7692564661ccdf9f3483e615
SHA256: 2a3c5d424e042d82f295aba4197bc052355cbea30b0fa9c419a1cd7fb6c2bc31
SHA512: f3594e336f95db27c1808749fa8bb9b74574545ab6417ee1c871a37c4027d0ffde7f64e591a36a9840786075d21be4ed55b142b84d761de13a343b9ff514ca9e
SSDEEP: 24576:BgS/d3GKzksbksjVHjV/17sBrn8JUlP1fsy8jhMN6ZN7:AKVNZY78JIuCN6ZN7
Malware Config
Extracted
xloader
2.3
um8e
Signatures

CustAttr .NET packer (2 IoCs)
Detects CustAttr .NET packer in memory.
  resource                                                                     yara_rule
  behavioral2/memory/456-7-0x00000000058A0000-0x00000000058B2000-memory.dmp    CustAttr
  behavioral2/memory/1964-16-0x0000000001800000-0x0000000001B4A000-memory.dmp  CustAttr

Xloader payload (1 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/1964-12-0x0000000000400000-0x0000000000428000-memory.dmp  xloader

Suspicious use of SetThreadContext (1 IoCs)
  description                         pid  Process                               procid_target
  PID 456 set thread context of 1964  456  bf743b8e013bea9379fa79b76aeaaf99.exe  102

Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid   Process
  456   bf743b8e013bea9379fa79b76aeaaf99.exe
  456   bf743b8e013bea9379fa79b76aeaaf99.exe
  456   bf743b8e013bea9379fa79b76aeaaf99.exe
  456   bf743b8e013bea9379fa79b76aeaaf99.exe
  1964  bf743b8e013bea9379fa79b76aeaaf99.exe
  1964  bf743b8e013bea9379fa79b76aeaaf99.exe
  1964  bf743b8e013bea9379fa79b76aeaaf99.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid  Process
  Token: SeDebugPrivilege  456  bf743b8e013bea9379fa79b76aeaaf99.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                      pid  Process                               procid_target
  PID 456 wrote to memory of 4904  456  bf743b8e013bea9379fa79b76aeaaf99.exe  103
  PID 456 wrote to memory of 4904  456  bf743b8e013bea9379fa79b76aeaaf99.exe  103
  PID 456 wrote to memory of 4904  456  bf743b8e013bea9379fa79b76aeaaf99.exe  103
  PID 456 wrote to memory of 1964  456  bf743b8e013bea9379fa79b76aeaaf99.exe  102
  PID 456 wrote to memory of 1964  456  bf743b8e013bea9379fa79b76aeaaf99.exe  102
  PID 456 wrote to memory of 1964  456  bf743b8e013bea9379fa79b76aeaaf99.exe  102
  PID 456 wrote to memory of 1964  456  bf743b8e013bea9379fa79b76aeaaf99.exe  102
  PID 456 wrote to memory of 1964  456  bf743b8e013bea9379fa79b76aeaaf99.exe  102
  PID 456 wrote to memory of 1964  456  bf743b8e013bea9379fa79b76aeaaf99.exe  102
Processes

C:\Users\Admin\AppData\Local\Temp\bf743b8e013bea9379fa79b76aeaaf99.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\bf743b8e013bea9379fa79b76aeaaf99.exe"
  PID: 456
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\bf743b8e013bea9379fa79b76aeaaf99.exe (child of PID 456)
    command line: "C:\Users\Admin\AppData\Local\Temp\bf743b8e013bea9379fa79b76aeaaf99.exe"
    PID: 1964
    - Suspicious behavior: EnumeratesProcesses

  C:\Users\Admin\AppData\Local\Temp\bf743b8e013bea9379fa79b76aeaaf99.exe (child of PID 456)
    command line: "C:\Users\Admin\AppData\Local\Temp\bf743b8e013bea9379fa79b76aeaaf99.exe"
    PID: 4904