Analysis

max time kernel: 148s
max time network: 149s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 01-04-2024 19:04
Static task: static1
Behavioral task: behavioral1 (sample: dfw32m3.exe, resource: win7-20240221-en)
Behavioral task: behavioral2 (sample: dfw32m3.exe, resource: win10-20240221-en)
Behavioral task: behavioral3 (sample: dfw32m3.exe, resource: win10v2004-20240226-en)
General

Target: dfw32m3.exe
Size: 670KB
MD5: 7806c7cd317fabbc77985b247167e596
SHA1: c269abf7258da4ee6481dae3c19d3b7a58b7f4ea
SHA256: b9b0ce10496a723998fd40bd2662d231e6135c465000d319b708736570d0bd09
SHA512: 72e8d0ea6d8e53ed6faa481bde97277c41afff210ee7f09ef2acc5e3437969bbbe896d0c7d528d66ccd621b692dc136b52ecebaaf83d3e719d4c0a9f90f58b15
SSDEEP: 12288:dshv3Ui0qubGxBeD9/PJ1w30mtp3We7CdPyW:i/UibuHZgpGe+dP
Malware Config

Extracted
Family: xloader
Version: 2.5
Campaign: pfrp
Signatures

Xloader payload (5 IoCs)
Processes:
  resource | yara_rule
  behavioral4/memory/2868-16-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral4/memory/2868-23-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral4/memory/2868-25-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral4/memory/2564-31-0x0000000000BC0000-0x0000000000BE9000-memory.dmp | xloader
  behavioral4/memory/2564-33-0x0000000000BC0000-0x0000000000BE9000-memory.dmp | xloader

Suspicious use of SetThreadContext (4 IoCs)
Processes: dfw32m3.exe, dfw32m3.exe, mstsc.exe
  description | pid | process | target process
  PID 2168 set thread context of 2868 | 2168 | dfw32m3.exe | dfw32m3.exe
  PID 2868 set thread context of 3372 | 2868 | dfw32m3.exe | Explorer.EXE
  PID 2868 set thread context of 3372 | 2868 | dfw32m3.exe | Explorer.EXE
  PID 2564 set thread context of 3372 | 2564 | mstsc.exe | Explorer.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (46 IoCs)
Processes: dfw32m3.exe, dfw32m3.exe, mstsc.exe
  pid | process | entries
  2168 | dfw32m3.exe | 2
  2868 | dfw32m3.exe | 6
  2564 | mstsc.exe | 38

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes: dfw32m3.exe, mstsc.exe
  pid | process | entries
  2868 | dfw32m3.exe | 4
  2564 | mstsc.exe | 2

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: dfw32m3.exe, dfw32m3.exe, Explorer.EXE, mstsc.exe
  description | pid | process
  Token: SeDebugPrivilege | 2168 | dfw32m3.exe
  Token: SeDebugPrivilege | 2868 | dfw32m3.exe
  Token: SeShutdownPrivilege | 3372 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3372 | Explorer.EXE
  Token: SeDebugPrivilege | 2564 | mstsc.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes: dfw32m3.exe, Explorer.EXE, mstsc.exe
  description | pid | process | target process | entries
  PID 2168 wrote to memory of 1844 | 2168 | dfw32m3.exe | schtasks.exe | 3
  PID 2168 wrote to memory of 2868 | 2168 | dfw32m3.exe | dfw32m3.exe | 6
  PID 3372 wrote to memory of 2564 | 3372 | Explorer.EXE | mstsc.exe | 3
  PID 2564 wrote to memory of 4056 | 2564 | mstsc.exe | cmd.exe | 3
Processes

C:\Windows\Explorer.EXE (PID 3372)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\dfw32m3.exe (PID 2168)
    Command line: "C:\Users\Admin\AppData\Local\Temp\dfw32m3.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (PID 1844)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NovwaoBFfnCGA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFFAD.tmp"
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\Temp\dfw32m3.exe (PID 2868)
      Command line: "C:\Users\Admin\AppData\Local\Temp\dfw32m3.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\mstsc.exe (PID 2564)
    Command line: "C:\Windows\SysWOW64\mstsc.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 4056)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\dfw32m3.exe"