Analysis

max time kernel: 154s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 01-04-2024 19:04

Static task: static1

Behavioral task: behavioral1
  Sample: dfw32m3.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: dfw32m3.exe
  Resource: win10-20240221-en

Behavioral task: behavioral3
  Sample: dfw32m3.exe
  Resource: win10v2004-20240226-en
General

Target: dfw32m3.exe
Size: 670KB
MD5: 7806c7cd317fabbc77985b247167e596
SHA1: c269abf7258da4ee6481dae3c19d3b7a58b7f4ea
SHA256: b9b0ce10496a723998fd40bd2662d231e6135c465000d319b708736570d0bd09
SHA512: 72e8d0ea6d8e53ed6faa481bde97277c41afff210ee7f09ef2acc5e3437969bbbe896d0c7d528d66ccd621b692dc136b52ecebaaf83d3e719d4c0a9f90f58b15
SSDEEP: 12288:dshv3Ui0qubGxBeD9/PJ1w30mtp3We7CdPyW:i/UibuHZgpGe+dP
Malware Config
Extracted
xloader
2.5
pfrp
aodesai.store
sultrymilfs.com
gratisratio.com
syntheticloot.net
imnntomen.xyz
fantacyfreshwaterfishing.com
onesolutionasia.com
xn--laufgefhl-bocholt-82b.com
hausense.quest
broncomall.com
ioewur.xyz
wilsontennis.store
eleditorplatense.com
windowcompanynaperville.com
azuremodule.com
letziexpress.com
idtbc.com
herbalshishaflower.com
basementdwellersnft.com
28686ay.com
laloohome.com
xn--22c2bxc0b4e1al.com
riverlegacyelectric.com
tophil.net
2tina.com
intrinsicslash.com
molrik.space
groundedexplorer.com
dalong56.com
prestigemarbleimports.com
qeeab.com
asnntio.xyz
darkxfreegiveway.com
mgmdd.com
drtht.com
controle-fiscal.com
noblenimble.com
besasin09.com
ufitbeauty.com
holzmobil.eco
texasdominionrealty.com
monamodda.com
harmofranchising.com
tinyspout.com
hallohesselmann.com
monicaconary2086.com
ruiz-group.com
jamaludinsaputraaa.com
supportlgcopyright.com
you-smile.com
tallyapp.info
lalunagrife.store
cosareaction.com
trufflestance.com
prayershawls.store
uperionorthamerica.com
cqxbsdc.com
gothamstoneworks.com
thinkdelivery.net
grotevazen.com
sonaliandshazad.com
imnvr.com
digitaltradezone.com
api-findmy.xyz
25922727.com
Signatures

Xloader payload 4 IoCs
Processes:
resource                                                                     yara_rule
behavioral1/memory/2296-18-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral1/memory/2296-22-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral1/memory/2884-28-0x0000000000080000-0x00000000000A9000-memory.dmp  xloader
behavioral1/memory/2884-30-0x0000000000080000-0x00000000000A9000-memory.dmp  xloader
Deletes itself 1 IoCs
Processes:
pid   process
3068  cmd.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
description                            pid   process      target process
PID 3048 set thread context of 2296    3048  dfw32m3.exe  dfw32m3.exe
PID 2296 set thread context of 1260    2296  dfw32m3.exe  Explorer.EXE
PID 2884 set thread context of 1260    2884  cmd.exe      Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 23 IoCs
Processes:
pid   process
3048  dfw32m3.exe  (2 entries)
2296  dfw32m3.exe  (2 entries)
2884  cmd.exe      (19 entries)
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid   process
2296  dfw32m3.exe  (3 entries)
2884  cmd.exe      (2 entries)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description               pid   process
Token: SeDebugPrivilege   3048  dfw32m3.exe
Token: SeDebugPrivilege   2296  dfw32m3.exe
Token: SeDebugPrivilege   2884  cmd.exe
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
description                        pid   process       target process
PID 3048 wrote to memory of 860    3048  dfw32m3.exe   schtasks.exe   (4 entries)
PID 3048 wrote to memory of 2296   3048  dfw32m3.exe   dfw32m3.exe    (7 entries)
PID 1260 wrote to memory of 2884   1260  Explorer.EXE  cmd.exe        (4 entries)
PID 2884 wrote to memory of 3068   2884  cmd.exe       cmd.exe        (4 entries)
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  PID: 1260

  C:\Users\Admin\AppData\Local\Temp\dfw32m3.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\dfw32m3.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3048

    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NovwaoBFfnCGA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5ABD.tmp"
      - Creates scheduled task(s)
      PID: 860

    C:\Users\Admin\AppData\Local\Temp\dfw32m3.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\dfw32m3.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      PID: 2296

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\SysWOW64\cmd.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2884

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\dfw32m3.exe"
      - Deletes itself
      PID: 3068