Analysis
max time kernel: 145s
max time network: 65s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2023, 01:37
Static task: static1
Behavioral task: behavioral1
Sample: 0a4ddea90ada454415de354a145261b1.exe
Resource: win7-20231215-en
General
Target: 0a4ddea90ada454415de354a145261b1.exe
Size: 581KB
MD5: 0a4ddea90ada454415de354a145261b1
SHA1: 900677d90fd5f1d3e5a848c58350a7b6e8a33a80
SHA256: 42234fcc7d9c171b1a62a26f781384886d9c3059cf6adb7361b92a6968e79572
SHA512: 9304c166b5028692cbef381f840a6a582765faeccdda5828f76be4e81cc0a4ce24edebdbd3a788bb92db521d4a8d80dd6be311fc38e1cb9237eb5d932dcf2a5d
SSDEEP: 12288:1r3hIgyY6efEQlGYtcv1+YLy77I0qvivCsZFkc:1r38Ypc4tBYLa7tqvSCswc
Malware Config
Extracted: xloader 2.3, q3t0
Signatures
- Xloader payload (1 IoC)
  resource: behavioral2/memory/412-3-0x0000000000400000-0x0000000000429000-memory.dmp; yara_rule: xloader
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 3700 set thread context of 412; pid: 3700; process: 0a4ddea90ada454415de354a145261b1.exe; procid_target: 17
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 412; process: 0a4ddea90ada454415de354a145261b1.exe (2 identical entries)
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid: 3700; process: 0a4ddea90ada454415de354a145261b1.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 3700 wrote to memory of 412; pid: 3700; process: 0a4ddea90ada454415de354a145261b1.exe; procid_target: 17 (4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\0a4ddea90ada454415de354a145261b1.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\0a4ddea90ada454415de354a145261b1.exe"
   PID: 3700
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\0a4ddea90ada454415de354a145261b1.exe (child of PID 3700)
      command line: "C:\Users\Admin\AppData\Local\Temp\0a4ddea90ada454415de354a145261b1.exe"
      PID: 412
      - Suspicious behavior: EnumeratesProcesses