Analysis
max time kernel: 149s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-04-2024 19:04
Static task: static1
Behavioral task: behavioral1 (Sample: dfw32m3.exe, Resource: win7-20240221-en)
Behavioral task: behavioral2 (Sample: dfw32m3.exe, Resource: win10-20240221-en)
Behavioral task: behavioral3 (Sample: dfw32m3.exe, Resource: win10v2004-20240226-en)
General
Target: dfw32m3.exe
Size: 670KB
MD5: 7806c7cd317fabbc77985b247167e596
SHA1: c269abf7258da4ee6481dae3c19d3b7a58b7f4ea
SHA256: b9b0ce10496a723998fd40bd2662d231e6135c465000d319b708736570d0bd09
SHA512: 72e8d0ea6d8e53ed6faa481bde97277c41afff210ee7f09ef2acc5e3437969bbbe896d0c7d528d66ccd621b692dc136b52ecebaaf83d3e719d4c0a9f90f58b15
SSDEEP: 12288:dshv3Ui0qubGxBeD9/PJ1w30mtp3We7CdPyW:i/UibuHZgpGe+dP
Malware Config
Extracted: xloader 2.5 pfrp
Signatures

Xloader payload (4 IoCs)
Processes:
resource                                                                      yara_rule
behavioral3/memory/2164-16-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
behavioral3/memory/2164-21-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
behavioral3/memory/3476-26-0x0000000000B10000-0x0000000000B39000-memory.dmp   xloader
behavioral3/memory/3476-28-0x0000000000B10000-0x0000000000B39000-memory.dmp   xloader
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes: dfw32m3.exe
description          ioc                                                                                                          process
Key value queried    \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation          dfw32m3.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes: dfw32m3.exe, dfw32m3.exe, cmstp.exe
description                           pid    process        target process
PID 5068 set thread context of 2164   5068   dfw32m3.exe    dfw32m3.exe
PID 2164 set thread context of 3508   2164   dfw32m3.exe    Explorer.EXE
PID 3476 set thread context of 3508   3476   cmstp.exe      Explorer.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (50 IoCs)
Processes: dfw32m3.exe, dfw32m3.exe, cmstp.exe
pid    process
5068   dfw32m3.exe   (4 entries)
2164   dfw32m3.exe   (4 entries)
3476   cmstp.exe     (all remaining entries)
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes: dfw32m3.exe, cmstp.exe
pid    process
2164   dfw32m3.exe   (3 entries)
3476   cmstp.exe     (2 entries)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: dfw32m3.exe, dfw32m3.exe, Explorer.EXE, cmstp.exe
description                          pid    process
Token: SeDebugPrivilege              5068   dfw32m3.exe
Token: SeDebugPrivilege              2164   dfw32m3.exe
Token: SeShutdownPrivilege           3508   Explorer.EXE
Token: SeCreatePagefilePrivilege     3508   Explorer.EXE
Token: SeDebugPrivilege              3476   cmstp.exe
Suspicious use of UnmapMainImage (1 IoC)
Processes: Explorer.EXE
pid    process
3508   Explorer.EXE
Suspicious use of WriteProcessMemory (18 IoCs)
Processes: dfw32m3.exe, Explorer.EXE, cmstp.exe
description                          pid    process        target process
PID 5068 wrote to memory of 928      5068   dfw32m3.exe    schtasks.exe    (3 entries)
PID 5068 wrote to memory of 3244     5068   dfw32m3.exe    dfw32m3.exe     (3 entries)
PID 5068 wrote to memory of 2164     5068   dfw32m3.exe    dfw32m3.exe     (6 entries)
PID 3508 wrote to memory of 3476     3508   Explorer.EXE   cmstp.exe       (3 entries)
PID 3476 wrote to memory of 4684     3476   cmstp.exe      cmd.exe         (3 entries)
Processes

1. C:\Windows\Explorer.EXE (PID 3508)
   command line: C:\Windows\Explorer.EXE
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\dfw32m3.exe (PID 5068)
      command line: "C:\Users\Admin\AppData\Local\Temp\dfw32m3.exe"
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\schtasks.exe (PID 928)
         command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NovwaoBFfnCGA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCED9.tmp"
         - Creates scheduled task(s)

      3. C:\Users\Admin\AppData\Local\Temp\dfw32m3.exe (PID 3244)
         command line: "C:\Users\Admin\AppData\Local\Temp\dfw32m3.exe"

      3. C:\Users\Admin\AppData\Local\Temp\dfw32m3.exe (PID 2164)
         command line: "C:\Users\Admin\AppData\Local\Temp\dfw32m3.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\cmstp.exe (PID 3476)
      command line: "C:\Windows\SysWOW64\cmstp.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe (PID 4684)
         command line: /c del "C:\Users\Admin\AppData\Local\Temp\dfw32m3.exe"