Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2023, 06:30
Static task: static1
Behavioral task: behavioral1
Sample: PO_0008.exe
Resource: win7-20231215-en
General
Target: PO_0008.exe
Size: 679KB
MD5: 113286f80f81317488aa39f931bde38f
SHA1: e6c32240a28d90156493dd84360e083f0899ce36
SHA256: 25a0902b3158cd4c095c68e6f549d8a8f26415037bf234c17b052fa70574caf3
SHA512: 26007e3e7c671f24910b2734c49ac3b99ce19b62c4e2b6a309901189d8f7520dc5e0f070857c1979b3584bb2c4b351043a910b9010e60c9104fd38233b5e63be
SSDEEP: 12288:SKqJZ4sLu1XsqA+aYX9fy+bVTuCv4xFlkyDZ6U+:T6ZhLuWqA5MLQxbdB+
Malware Config
Extracted
Family: xloader
Version: 2.3
Campaign: usvr
Decoy domains:
theblockmeatstore.com
drone-moment.com
srsfashionbd.com
kylayagerartwork.com
instagrams.tools
rosenwealth.com
indicraftsvilla.com
rswizard.com
irist.one
pubgclaimx14.com
thegeorgiahomefinder.com
unusualdog.com
kifayatikart.com
methodunit.net
bavarian-luxury.com
17391000.com
ipcsaveday.com
yael-b.com
pasionqueconecta.com
youngsvideography.com
absorbscratch.icu
nzrugbylife.info
inabellesolutions.com
applesoso.com
soshop365.com
viewmydiary.com
onemillionrosary.com
erotickykontakt.com
xn--yfr994dchc.net
quiltedpicturebooks.com
monteiromarquesadv.com
anugrahdayakencana.com
jz-fh.com
beijingjiadu.com
qdwentang.com
shandasden.com
xn--bckb2ercf4fxgsa3e.xyz
ecozoca.com
spiritsvest.com
pigsflycheap.com
onenationunderbread.com
bunganutlakecampingarea.com
deltafinancialgroup.net
glamsocialevents.com
sportzdestinations.com
memento-lagoon.com
nuvo-condos.com
urteiki.com
negociosconjuanceri.com
finescocms.com
simposiocpa.com
topelk.com
duetoboias.com
priormakers.net
impossibilitee.com
zombiguitar.com
conseilaffaires.com
ecrires.xyz
magetu.info
miracle-tone.com
quranvisor.com
thebabytemplate.com
wcarrillo.com
wallstmotorsports.com
microprojects.net
Signatures

Xloader payload (4 IoCs)
resource                                                                     yara_rule
behavioral2/memory/4552-3-0x0000000000400000-0x0000000000428000-memory.dmp   xloader
behavioral2/memory/4552-6-0x0000000000400000-0x0000000000428000-memory.dmp   xloader
behavioral2/memory/972-12-0x0000000000A00000-0x0000000000A28000-memory.dmp   xloader
behavioral2/memory/972-14-0x0000000000A00000-0x0000000000A28000-memory.dmp   xloader

Suspicious use of SetThreadContext (3 IoCs)
description                            pid    Process        procid_target
PID 688 set thread context of 4552     688    PO_0008.exe    88
PID 4552 set thread context of 3496    4552   PO_0008.exe    27
PID 972 set thread context of 3496     972    raserver.exe   27

Suspicious behavior: EnumeratesProcesses (63 IoCs)
pid    Process
4552   PO_0008.exe    (4 entries)
972    raserver.exe   (59 entries)

Suspicious behavior: MapViewOfSection (6 IoCs)
pid    Process
688    PO_0008.exe    (1 entry)
4552   PO_0008.exe    (3 entries)
972    raserver.exe   (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                pid    Process
Token: SeDebugPrivilege    4552   PO_0008.exe
Token: SeDebugPrivilege    972    raserver.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid    Process
3496   Explorer.EXE   (2 entries)

Suspicious use of UnmapMainImage (1 IoCs)
pid    Process
3496   Explorer.EXE

Suspicious use of WriteProcessMemory (10 IoCs)
description                         pid    Process        procid_target
PID 688 wrote to memory of 4552     688    PO_0008.exe    88    (4 entries)
PID 3496 wrote to memory of 972     3496   Explorer.EXE   92    (3 entries)
PID 972 wrote to memory of 1524     972    raserver.exe   95    (3 entries)
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3496
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\PO_0008.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\PO_0008.exe"
    PID: 688
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\PO_0008.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\PO_0008.exe"
      PID: 4552
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\raserver.exe
    command line: "C:\Windows\SysWOW64\raserver.exe"
    PID: 972
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\PO_0008.exe"
      PID: 1524