Analysis

max time kernel: 146s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-12-2023 22:29
Static task: static1
Behavioral task: behavioral1
Sample: 05a0edfd781368d1b62b066b5aadb278.exe
Resource: win7-20231215-en

Note: the behavioral1 task listed here ran on win7-20231215-en, but the signatures and memory dumps on this page are tagged behavioral2 and come from the windows10-2004_x64 run named under platform above; results of the win7 task are not shown here.
General

Target: 05a0edfd781368d1b62b066b5aadb278.exe
Size: 967KB
MD5: 05a0edfd781368d1b62b066b5aadb278
SHA1: cfd9740076f345776543d874d0705571618601c0
SHA256: bae8e6518524a6945339b3a0901e9ad43c03441000b239d777bf60e58eed6324
SHA512: 5e2152bdbac47a23cc3d6c524a3c1fd897c51a28a5c17986af8b6679570c8a7b4f38b374836464f72eda59f8bbef873c46bed51bd21b77d974b0cc1f6c8b8610
SSDEEP: 12288:EN+rQEDaNyW91w1P+fRyEOzM8KX8MYD7uwgGEtZ182+j4h:dr5DaNyW91wd+fRvOzpKzSywO182Vh
Malware Config

Extracted
Family: xloader
Version: 2.3
Campaign ID: k8b5
Domains (65 entries). Xloader, like its Formbook predecessor, embeds its real C2 among a large list of decoy domains and contacts decoys as well as the real server; the sandbox does not mark which entry is live, so treat each of these as a low-confidence indicator unless corroborated by network telemetry:
  sardamedicals.com
  reelectkendavis4council.com
  coreconsultation.com
  fajarazhary.com
  mybitearner.com
  brightpet.info
  voicewithchoice.com
  bailbondscompany.xyz
  7133333333.com
  delights.info
  gawlvegdr.icu
  sdqhpm.com
  we2savvyok.com
  primallifeathlete.com
  gdsinglecell.com
  isokineticmachines.com
  smartneckrelax.com
  gardenvintage.com
  hiphopvolume.com
  medicapoint.com
  crybebe.com
  elevatedgameplay.com
  armespublishing.com
  pathsiteofficial.com
  xn--e-2fa.com
  besoxie.com
  pro-montage.com
  smartsmsfloan.net
  gafinstallations.com
  osk2279.com
  sexcam-live-sex.net
  supermomsd.com
  villa-sardi.com
  nkb-webmart.com
  vaaccidentdoctorsnearme.net
  sewcialdistancesewing.com
  smodery.com
  mimik33.com
  employeepremiumassistance.com
  chenqixuan.com
  whyyousuckatgolfmovie.com
  scholarshdesk.xyz
  suenosenescena.com
  ombaked.com
  growingbargains.com
  growbigelite.com
  michalwroblewski.online
  selfpublishingprojectmgmt.com
  salir.info
  lutherdanavan.com
  caraccidentlawyernearme.net
  portraitverse.com
  secure-alerts901.info
  reviewscanada.com
  andreasaction.com
  mblinks.net
  regulationtoshop.com
  borderless-farm.com
  excitingdailyshop.com
  pawandalmia.net
  greatplainsjane.com
  operacionapoyo.com
  26gibraltardrive.com
  getportlandjustice.com
  chongzhi365.com
Signatures

Xloader payload (1 IoC)
  resource:  behavioral2/memory/4372-11-0x0000000000400000-0x0000000000429000-memory.dmp
  yara_rule: xloader

Suspicious use of SetThreadContext (1 IoC)
  PID 3248 (05a0edfd781368d1b62b066b5aadb278.exe) set thread context of PID 4372 (05a0edfd781368d1b62b066b5aadb278.exe)

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  PID 3248 (05a0edfd781368d1b62b066b5aadb278.exe): 2 events
  PID 4372 (05a0edfd781368d1b62b066b5aadb278.exe): 3 events

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 3248 (05a0edfd781368d1b62b066b5aadb278.exe): Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3248 (05a0edfd781368d1b62b066b5aadb278.exe) wrote to memory of PID 5104 (05a0edfd781368d1b62b066b5aadb278.exe): 3 events
  PID 3248 (05a0edfd781368d1b62b066b5aadb278.exe) wrote to memory of PID 4372 (05a0edfd781368d1b62b066b5aadb278.exe): 6 events

Reading the chain: the parent 3248 spawned two copies of itself. It wrote into 5104 three times but never set its thread context, then wrote into 4372 six times and replaced its thread context, which is the classic write-payload-then-SetThreadContext sequence of process hollowing. The only Xloader YARA hit is in a dump of 4372 beginning at 0x400000 (the default PE image base), consistent with 4372 being the hollowed copy that hosts the unpacked payload; 5104 appears to be an incomplete first attempt, and no signatures are attributed to it.
Processes

1. C:\Users\Admin\AppData\Local\Temp\05a0edfd781368d1b62b066b5aadb278.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\05a0edfd781368d1b62b066b5aadb278.exe"
   PID: 3248
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\05a0edfd781368d1b62b066b5aadb278.exe (child of 3248)
      Command line: "C:\Users\Admin\AppData\Local\Temp\05a0edfd781368d1b62b066b5aadb278.exe"
      PID: 5104
      (no signatures attributed)

   2. C:\Users\Admin\AppData\Local\Temp\05a0edfd781368d1b62b066b5aadb278.exe (child of 3248)
      Command line: "C:\Users\Admin\AppData\Local\Temp\05a0edfd781368d1b62b066b5aadb278.exe"
      PID: 4372
      - Suspicious behavior: EnumeratesProcesses
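The signature table above is the raw material an analyst uses to decide which process actually hosts the unpacked payload. The script below is an added example and not part of the sandbox report or any tool it uses: it reconstructs the injection chain from signature lines transcribed from this report (parent 3248 writing into children 5104 and 4372, one SetThreadContext on 4372), applies the write-plus-SetThreadContext hollowing heuristic, and cross-references the result with the dump name that carried the Xloader YARA hit so the payload region (PID, base address, size) can be pulled out for further analysis. The record strings, regexes and function names are my own; the PIDs, event counts and dump name come from the report.

```python
"""
Reconstruct a process-hollowing chain from sandbox signature events and
cross-reference it with YARA hits on memory dumps.

Added example, not part of the sandbox report. The events below are
constructed from the report's WriteProcessMemory / SetThreadContext
entries (PIDs 3248, 5104, 4372); the string format is an assumption.
"""
import re
from collections import Counter, defaultdict

# Constructed input: one string per signature event, in the report's wording.
SIGNATURE_EVENTS = [
    "PID 3248 wrote to memory of 5104",
    "PID 3248 wrote to memory of 5104",
    "PID 3248 wrote to memory of 5104",
    "PID 3248 wrote to memory of 4372",
    "PID 3248 wrote to memory of 4372",
    "PID 3248 wrote to memory of 4372",
    "PID 3248 wrote to memory of 4372",
    "PID 3248 wrote to memory of 4372",
    "PID 3248 wrote to memory of 4372",
    "PID 3248 set thread context of 4372",
]

# YARA hit exactly as the report names the dump: memory/<pid>-<seq>-<start>-<end>-memory.dmp
YARA_HITS = {
    "behavioral2/memory/4372-11-0x0000000000400000-0x0000000000429000-memory.dmp": "xloader",
}

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")


def parse_events(events):
    """Return (writes, contexts): writes is a Counter of (src, dst) pairs,
    contexts is the set of (src, dst) pairs with a SetThreadContext event."""
    writes = Counter()
    contexts = set()
    for line in events:
        m = WRITE_RE.search(line)
        if m:
            writes[(int(m.group(1)), int(m.group(2)))] += 1
            continue
        m = CTX_RE.search(line)
        if m:
            contexts.add((int(m.group(1)), int(m.group(2))))
    return writes, contexts


def find_hollowing(events):
    """Hollowing heuristic: a parent that both writes into a child's memory and
    replaces the child's thread context has almost certainly overwritten the
    child's image and redirected execution into the written payload.
    Returns {child_pid: {"parent": pid, "writes": n, "hollowed": bool}}."""
    writes, contexts = parse_events(events)
    chain = {}
    for (src, dst), n in writes.items():
        chain[dst] = {"parent": src, "writes": n, "hollowed": (src, dst) in contexts}
    return chain


def parse_dump_name(name):
    """Split a sandbox dump name into (pid, seq, start, end, size_bytes)."""
    m = DUMP_RE.search(name)
    if not m:
        return None
    pid, seq = int(m.group(1)), int(m.group(2))
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    return pid, seq, start, end, end - start


def payload_hosts(events, yara_hits):
    """Which hollowed children carry a YARA hit, and in which region?
    Returns {pid: [(rule, start_address, size_bytes), ...]}."""
    chain = find_hollowing(events)
    hosts = defaultdict(list)
    for dump, rule in yara_hits.items():
        parsed = parse_dump_name(dump)
        if parsed is None:
            continue
        pid, _, start, _, size = parsed
        if chain.get(pid, {}).get("hollowed"):
            hosts[pid].append((rule, start, size))
    return dict(hosts)


if __name__ == "__main__":
    for child, info in sorted(find_hollowing(SIGNATURE_EVENTS).items()):
        state = "hollowed" if info["hollowed"] else "written, no SetThreadContext"
        print(f"{info['parent']} -> {child}: {info['writes']} writes, {state}")
    for pid, hits in payload_hosts(SIGNATURE_EVENTS, YARA_HITS).items():
        for rule, start, size in hits:
            print(f"PID {pid}: rule '{rule}' in region 0x{start:x}, {size // 1024} KiB")
```

On this report the heuristic singles out 4372 as the hollowed copy (six writes plus SetThreadContext), leaves 5104 as written-but-not-started, and places the Xloader hit in 4372's region at 0x400000 with a size of 0x29000 bytes, which matches the 164KB dump listed under Downloads. The same logic ports directly to EDR telemetry where the parent and child are different images, which is the more common hollowing shape outside a sandbox.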
Network
MITRE ATT&CK Matrix
Downloads

Memory dumps (name, size):
  memory/3248-6-0x00000000055A0000-0x000000000563C000-memory.dmp    624KB
  memory/3248-0-0x0000000075380000-0x0000000075B30000-memory.dmp    7.7MB
  memory/3248-2-0x00000000052B0000-0x00000000052C0000-memory.dmp    64KB
  memory/3248-3-0x0000000005450000-0x00000000054E2000-memory.dmp    584KB
  memory/3248-4-0x0000000005AA0000-0x0000000006044000-memory.dmp    5.6MB
  memory/3248-5-0x0000000005430000-0x000000000544C000-memory.dmp    112KB
  memory/3248-1-0x0000000000820000-0x0000000000918000-memory.dmp    992KB
  memory/3248-7-0x0000000075380000-0x0000000075B30000-memory.dmp    7.7MB
  memory/3248-10-0x0000000005A50000-0x0000000005AA2000-memory.dmp   328KB
  memory/3248-9-0x00000000059C0000-0x0000000005A48000-memory.dmp    544KB
  memory/3248-8-0x00000000052B0000-0x00000000052C0000-memory.dmp    64KB
  memory/3248-14-0x0000000075380000-0x0000000075B30000-memory.dmp   7.7MB
  memory/4372-13-0x0000000000EA0000-0x00000000011EA000-memory.dmp   3.3MB
  memory/4372-11-0x0000000000400000-0x0000000000429000-memory.dmp   164KB   (Xloader YARA hit; see Signatures)