Analysis
  max time kernel: 118s
  max time network: 128s
  platform: windows7_x64
  resource: win7-20231215-en
  resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted: 30/12/2023, 05:08

  Static task: static1
  Behavioral task: behavioral1
    Sample: 0f9ed47f1ffe3b1cd242b7872f4ce341.exe
    Resource: win7-20231215-en
General
  Target: 0f9ed47f1ffe3b1cd242b7872f4ce341.exe
  Size: 260KB
  MD5: 0f9ed47f1ffe3b1cd242b7872f4ce341
  SHA1: 37c2b669d727b1aec796644c1f4f884f0ad86944
  SHA256: d7abd3634174ad687ef4153f268667361c7177b73871c7dbd296659d918e0d36
  SHA512: b739a86c7ba735fe40e7630603519d2383b7615ab5c96780138455496da804e19a3d8b3228afb98403b84cdf9b769b064af899f173dd044bd313b1e32d4a18bf
  SSDEEP: 6144:wM0XSGZqaz2EZTSBXSQOpkAVNGo2c/FejeqlbgMF:wfSGZzztOBXcpk2GogN
Malware Config
  Extracted
    Family: xloader
    Version: 2.3
    Campaign: c28h
    Domains (as extracted from the config):
xn--osegredodameditao-nqb9e.com
blakepleasant.com
midnightindulgence.com
lungx.com
goldenretrieversmn.com
thecapshooter.com
luxuryledlighting.com
coachlind.com
jewelryart-byirene.com
legacyvending.net
staffjet.info
geogest.com
okmulgeedream.center
mexicoifbbproleague.net
tomrings.com
kidsomia.com
learnwithalinguist.com
getboardsuited.com
aiyuc.com
wowmanship.com
zcw58736.com
brava94fm.com
mayuraindia.com
sportclever.com
elcars.info
citestpridom20200814092033.net
fleurtigresse.com
zfcai1688.com
glucosecur.com
hyrrp.com
naplesfloridalifestylehomes.com
elegantsuperfoods.com
manoircarlhanjess.com
ezprone.com
spirituallystrong.net
4acostleyst.com
connectedvpn.com
themetathought.com
cartscroll.com
toiletoshop.com
pop-down.space
winatlife-blog.com
progressglobe.com
shopcamera.net
jordanshoeweb.com
theuneducationofamerica.com
bubelu.net
foreignpal.com
courtdistribute.com
librettostay.com
7arfok.com
joannetaylorpr.com
realinvest-egy.com
cerachip.com
welcometoeverywhere.com
rifepackaging.com
alphameresa.com
gylvs.com
izmoo2-hoeiprotein-review.com
airpodanchor.com
conhecimentovivo.technology
cherrisesimon.com
mileybarcus.com
tubekhan.com
yourweddingscent.online
Signatures
  Xloader payload (1 IoC)
    resource: behavioral1/memory/2124-2-0x0000000000400000-0x0000000000429000-memory.dmp
    yara_rule: xloader

  Suspicious use of SetThreadContext (1 IoC)
    description                          pid   Process                                procid_target
    PID 1752 set thread context of 2124  1752  0f9ed47f1ffe3b1cd242b7872f4ce341.exe   29

  Suspicious behavior: EnumeratesProcesses (1 IoC)
    pid   Process
    2124  0f9ed47f1ffe3b1cd242b7872f4ce341.exe

  Suspicious behavior: MapViewOfSection (1 IoC)
    pid   Process
    1752  0f9ed47f1ffe3b1cd242b7872f4ce341.exe

  Suspicious use of WriteProcessMemory (5 IoCs)
    description                          pid   Process                                procid_target
    PID 1752 wrote to memory of 2124     1752  0f9ed47f1ffe3b1cd242b7872f4ce341.exe   29
    PID 1752 wrote to memory of 2124     1752  0f9ed47f1ffe3b1cd242b7872f4ce341.exe   29
    PID 1752 wrote to memory of 2124     1752  0f9ed47f1ffe3b1cd242b7872f4ce341.exe   29
    PID 1752 wrote to memory of 2124     1752  0f9ed47f1ffe3b1cd242b7872f4ce341.exe   29
    PID 1752 wrote to memory of 2124     1752  0f9ed47f1ffe3b1cd242b7872f4ce341.exe   29
Processes
  1. C:\Users\Admin\AppData\Local\Temp\0f9ed47f1ffe3b1cd242b7872f4ce341.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\0f9ed47f1ffe3b1cd242b7872f4ce341.exe"
     PID: 1752
     - Suspicious use of SetThreadContext
     - Suspicious behavior: MapViewOfSection
     - Suspicious use of WriteProcessMemory

     2. C:\Users\Admin\AppData\Local\Temp\0f9ed47f1ffe3b1cd242b7872f4ce341.exe (child of PID 1752)
        Command line: "C:\Users\Admin\AppData\Local\Temp\0f9ed47f1ffe3b1cd242b7872f4ce341.exe"
        PID: 2124
        - Suspicious behavior: EnumeratesProcesses