Analysis Overview
SHA256
fabf4628b3813230d81f4c1a4991a0fe21550362177dd7b451e80c6a839b6814
Threat Level: Known bad
The file 0e2f9d545ac87b4e9762ca50e2bf15ab was found to be: Known bad.
Malicious Activity Summary
Xloader
CustAttr .NET packer
Xloader payload
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-12-30 04:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 04:18
Reported
2023-12-31 19:19
Platform
win7-20231129-en
Max time kernel
148s
Max time network
118s
Command Line
Signatures
Xloader
CustAttr .NET packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1680 set thread context of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\0e2f9d545ac87b4e9762ca50e2bf15ab.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2564 set thread context of 1356 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Explorer.EXE |
| PID 2564 set thread context of 1356 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Explorer.EXE |
| PID 2960 set thread context of 1356 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\0e2f9d545ac87b4e9762ca50e2bf15ab.exe | "C:\Users\Admin\AppData\Local\Temp\0e2f9d545ac87b4e9762ca50e2bf15ab.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\SysWOW64\cmd.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 04:18
Reported
2023-12-31 19:19
Platform
win10v2004-20231222-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Xloader
CustAttr .NET packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2252 set thread context of 2168 | N/A | C:\Users\Admin\AppData\Local\Temp\0e2f9d545ac87b4e9762ca50e2bf15ab.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2168 set thread context of 3488 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Explorer.EXE |
| PID 4824 set thread context of 3488 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0e2f9d545ac87b4e9762ca50e2bf15ab.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\0e2f9d545ac87b4e9762ca50e2bf15ab.exe | "C:\Users\Admin\AppData\Local\Temp\0e2f9d545ac87b4e9762ca50e2bf15ab.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\SysWOW64\rundll32.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
Network
Files