Analysis
max time kernel: 144s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-12-2023 12:10
Static task: static1
Behavioral task: behavioral1
Sample: 35b7cbb59dc298466c90222309a6adb2.exe
Resource: win7-20231215-en
General
Target: 35b7cbb59dc298466c90222309a6adb2.exe
Size: 860KB
MD5: 35b7cbb59dc298466c90222309a6adb2
SHA1: 989158aa5c040d59bb9ed71f7807414d7b2a0b9c
SHA256: 4ef05b7079b1bf345f4759f1969a44faef7e2735e5e92d3f84d778b988d4287e
SHA512: 6abede088a65b31a53679228e4685c3dba9e3eee799b198bd4a28e27cba88a01f5ea908227306df4a944b3bcf7d952d617ac4f7eb3e8c7c1149c828ab13132e6
SSDEEP: 12288:+kjipAqZZoR65AXwgFvuSS1IBATKqyUhhJq+PpuYSx++0r7xibjcUmxVHeQU7:woR6qgjuWvjSx++0rGjI/eZ
Malware Config
Extracted
Family: xloader
Version: 2.3
Campaign ID: b8eu
Domains:
ppslide.com
savorysinsation.com
camilaediego2021.com
rstrunk.net
xianshikanxiyang.club
1borefruit.com
ay-danil.club
xamangxcoax.club
waltonunderwood.com
laurabissell.com
laurawmorrow.com
albamauto.net
usamlb.com
theoyays.com
freeitproject.com
jijiservice.com
ukcarpetclean.com
wc399.com
xn--pskrtmebeton-dlbc.online
exclusivemerchantsolutions.com
kkkc5.com
kakashis.club
minldsrvlceacvtlvty.net
tucantec.com
dreamlivehope.com
tayruaeco.com
wgaoutdoors.com
obersrock.com
notosickness.com
carporttube.com
customcbdgroup.com
vincentstreetdental.site
fidatosas.com
soft-drill.com
thelearningcountscompany.com
brateix.info
sexting-sites.com
wheredidmystokego.com
alorve.com
cataractmeds.com
purhenna.com
slicesystem.com
xn--v4q8fq9ps1clx5d774b.com
tuffysfight.com
dongtaykethop.cloud
thedesertwellness.com
maxridetubes.com
jungbo33.xyz
rokitrevs.com
fsoinc.com
bartelmefamily.com
greenresearch.farm
wws520.com
scoutandstellar.com
therachelfrankshow.com
rastrosomostodos.com
jqxfinance.com
escortsoslo.com
ocd-diesel.com
domainedelafrouardiere.com
9adamtech.com
omniheating.com
dpymenus.com
sellingonlineschool.com
yummylipz.net
Signatures

Xloader payload (1 IoC)
Processes:
resource | yara_rule
behavioral2/memory/2872-12-0x0000000000400000-0x0000000000428000-memory.dmp | xloader

Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 1304 set thread context of 2872 | 1304 | 35b7cbb59dc298466c90222309a6adb2.exe | 35b7cbb59dc298466c90222309a6adb2.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
pid | process
2872 | 35b7cbb59dc298466c90222309a6adb2.exe
2872 | 35b7cbb59dc298466c90222309a6adb2.exe
2872 | 35b7cbb59dc298466c90222309a6adb2.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description | pid | process | target process
PID 1304 wrote to memory of 2872 | 1304 | 35b7cbb59dc298466c90222309a6adb2.exe | 35b7cbb59dc298466c90222309a6adb2.exe
PID 1304 wrote to memory of 2872 | 1304 | 35b7cbb59dc298466c90222309a6adb2.exe | 35b7cbb59dc298466c90222309a6adb2.exe
PID 1304 wrote to memory of 2872 | 1304 | 35b7cbb59dc298466c90222309a6adb2.exe | 35b7cbb59dc298466c90222309a6adb2.exe
PID 1304 wrote to memory of 2872 | 1304 | 35b7cbb59dc298466c90222309a6adb2.exe | 35b7cbb59dc298466c90222309a6adb2.exe
PID 1304 wrote to memory of 2872 | 1304 | 35b7cbb59dc298466c90222309a6adb2.exe | 35b7cbb59dc298466c90222309a6adb2.exe
PID 1304 wrote to memory of 2872 | 1304 | 35b7cbb59dc298466c90222309a6adb2.exe | 35b7cbb59dc298466c90222309a6adb2.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\35b7cbb59dc298466c90222309a6adb2.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\35b7cbb59dc298466c90222309a6adb2.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\35b7cbb59dc298466c90222309a6adb2.exe (spawned by process 1)
      command line: "C:\Users\Admin\AppData\Local\Temp\35b7cbb59dc298466c90222309a6adb2.exe"
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
memory/1304-8-0x0000000074A90000-0x0000000075240000-memory.dmp (Filesize: 7.7MB)
memory/1304-6-0x0000000007B90000-0x0000000007C2C000-memory.dmp (Filesize: 624KB)
memory/1304-3-0x0000000005260000-0x00000000052F2000-memory.dmp (Filesize: 584KB)
memory/1304-4-0x00000000053A0000-0x00000000053B0000-memory.dmp (Filesize: 64KB)
memory/1304-1-0x0000000074A90000-0x0000000075240000-memory.dmp (Filesize: 7.7MB)
memory/1304-2-0x0000000005770000-0x0000000005D14000-memory.dmp (Filesize: 5.6MB)
memory/1304-0-0x0000000000790000-0x000000000086E000-memory.dmp (Filesize: 888KB)
memory/1304-7-0x0000000007B10000-0x0000000007B2A000-memory.dmp (Filesize: 104KB)
memory/1304-5-0x0000000005310000-0x000000000531A000-memory.dmp (Filesize: 40KB)
memory/1304-9-0x00000000053A0000-0x00000000053B0000-memory.dmp (Filesize: 64KB)
memory/1304-10-0x0000000007D40000-0x0000000007DDA000-memory.dmp (Filesize: 616KB)
memory/1304-11-0x0000000004C30000-0x0000000004C60000-memory.dmp (Filesize: 192KB)
memory/1304-14-0x0000000074A90000-0x0000000075240000-memory.dmp (Filesize: 7.7MB)
memory/2872-15-0x00000000013B0000-0x00000000016FA000-memory.dmp (Filesize: 3.3MB)
memory/2872-12-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize: 160KB)
memory/2872-16-0x00000000013B0000-0x00000000016FA000-memory.dmp (Filesize: 3.3MB)