Analysis

max time kernel: 148s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03-04-2024 03:46

Static task: static1
Behavioral task: behavioral1
Sample: (RG25LGSJ).exe
Resource: win7-20240221-en

General

Target: (RG25LGSJ).exe
Size: 645KB
MD5: af581caf268f7ad9def31b477f8349a3
SHA1: 02e41c7fdb8d32c8f764a16913bd7afa44a7d0c9
SHA256: bec65782844355875f88723419b44dc543ba07b83c8a339036f79e39364493c6
SHA512: 7c77a374c6b5cbd812a754aa28d7e09c03881bd1742e412701c7ab235b01cf65395ba0c87d23a85f0bf7877e82db6ed4a5971b62b5487bf03f4ebaa01c09d70a
SSDEEP: 6144:7Re+8T84g/mBpd8qV2A8RwR1zAd2pxKF5eEnTSab5UAVZV7TrUynqCCdr0yNukaP:72TOmxDgA+KY2/en7UOV1qCfF
Malware Config

Extracted
Family: xloader
Version: 2.5
Campaign: gnui
Domains (65 entries follow). As is usual for Xloader configs, this list mixes the live C2 with decoy domains, so every entry is worth hunting for in DNS and proxy logs, but not every entry should be assumed to be attacker-controlled.
himalayanwanderwoods.com
finvi.guru
iphone13promax.show
rpfcomunicacao.com
inemilia.com
blboutiqueexchange.com
sukiller.com
tzwa.net
noemiklein.com
upscalepklptp.xyz
unboxk.com
greatamericanlandworks.com
bataperu.com
estebanacostapeugeot.com
gombc-a02.com
642541.com
13f465.com
jskswj.com
hibar.xyz
eltool.net
theblackholelab.com
portcities.website
kfvmj.com
ausawarenesscodeday.com
inmobiliarianelecasa.com
supportowlph.com
dj6688i.com
mujinrj.com
adamelsouk.com
mangiamosgt.com
tokomodern.xyz
transfersound.com
shinei-ako-recruit.com
z9l2.com
apqcwl.com
everythingsamsung.com
torunavukatlikburosu.com
szfalr.com
csyein.com
momentbetong.com
zkimax.com
wiggytv.xyz
jaguarshield.com
drmitnick.com
xc6315.com
pacelicensedelectrician.com
bigbigsea.com
712861.com
hcato.xyz
things4cars.xyz
moukse.com
heyprogrammers.com
hualisudi.com
elcyork.com
icpbunny.com
goldeasolutions.com
kidsbydesign.online
auxiliacapitalpartnersllc.com
silverbackfinance.com
hitsduo.com
marganneglasser.com
kare-furniture.com
inatividigitali.com
maxicashprogtr.xyz
hottorchlighter.com
Signatures

Xloader payload (4 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/3032-9-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
  behavioral1/memory/3032-13-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
  behavioral1/memory/2856-19-0x00000000000A0000-0x00000000000C9000-memory.dmp  xloader
  behavioral1/memory/2856-21-0x00000000000A0000-0x00000000000C9000-memory.dmp  xloader

Deletes itself (1 IoC)
  pid   process
  2724  cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
  description         pid   process         target pid  target process
  set thread context  2972  (RG25LGSJ).exe  3032        (RG25LGSJ).exe
  set thread context  3032  (RG25LGSJ).exe  1248        Explorer.EXE
  set thread context  2856  chkdsk.exe      1248        Explorer.EXE

Enumerates system info in registry (2 TTPs, 1 IoC)
  description        ioc                                                       process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  chkdsk.exe

Suspicious behavior: EnumeratesProcesses (26 IoCs)
  pid   process         occurrences
  3032  (RG25LGSJ).exe  2
  2856  chkdsk.exe      24

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   process         occurrences
  3032  (RG25LGSJ).exe  3
  2856  chkdsk.exe      2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  3032  (RG25LGSJ).exe
  Token: SeDebugPrivilege  2856  chkdsk.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description      pid   process         target pid  target process  occurrences
  wrote to memory  2972  (RG25LGSJ).exe  3032        (RG25LGSJ).exe  7
  wrote to memory  1248  Explorer.EXE    2856        chkdsk.exe      4
  wrote to memory  2856  chkdsk.exe      2724        cmd.exe         4
Processes

C:\Windows\Explorer.EXE  (PID 1248)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\(RG25LGSJ).exe  (PID 2972)
    command line: "C:\Users\Admin\AppData\Local\Temp\(RG25LGSJ).exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\(RG25LGSJ).exe  (PID 3032)
      command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\chkdsk.exe  (PID 2856)
    command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 2724)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\(RG25LGSJ).exe"
      - Deletes itself
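The signature rows and the process tree above describe one injection chain: the dropper hollows a copy of itself, the copy hijacks a thread in Explorer.EXE, the injected Explorer spawns chkdsk.exe from SysWOW64, chkdsk.exe injects back into Explorer, and a cmd.exe child deletes the original file. The following detection logic is an added example, not part of the sandbox report and not any vendor's detection content. It runs over event records constructed here from the report's own rows (repeated identical rows collapsed to one); the Event field names are this example's own convention, not an EDR schema. Note that WriteProcessMemory is not used as a stand-alone signal: the report shows the same rows for chkdsk.exe writing into cmd.exe, which is ordinary process creation on this image, so the writes only corroborate a SetThreadContext.

```python
"""Detection logic for the Xloader injection chain recorded in this report.

Added example: not part of the sandbox report and not any vendor's detection
content.  The event records are constructed from the report's Signatures and
Processes sections (identical repeated rows collapsed to one), and the field
names are this example's own convention rather than an EDR schema.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\(RG25LGSJ).exe"
EXPLORER = r"C:\Windows\Explorer.EXE"
CHKDSK = r"C:\Windows\SysWOW64\chkdsk.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"


@dataclass(frozen=True)
class Event:
    etype: str                        # process_create | set_thread_context | write_process_memory
    pid: int                          # acting process
    image: str                        # acting process image path
    ppid: Optional[int] = None        # parent pid (process_create rows only)
    target_pid: Optional[int] = None  # victim pid (injection rows only)
    target_image: Optional[str] = None
    cmdline: str = ""


# Constructed from the report's process tree and its SetThreadContext /
# WriteProcessMemory signature rows.
EVENTS = [
    Event("process_create", 1248, EXPLORER),
    Event("process_create", 2972, SAMPLE, ppid=1248, cmdline=f'"{SAMPLE}"'),
    Event("process_create", 3032, SAMPLE, ppid=2972, cmdline='"{path}"'),
    Event("write_process_memory", 2972, SAMPLE, target_pid=3032, target_image=SAMPLE),
    Event("set_thread_context", 2972, SAMPLE, target_pid=3032, target_image=SAMPLE),
    Event("set_thread_context", 3032, SAMPLE, target_pid=1248, target_image=EXPLORER),
    Event("process_create", 2856, CHKDSK, ppid=1248, cmdline=f'"{CHKDSK}"'),
    Event("write_process_memory", 1248, EXPLORER, target_pid=2856, target_image=CHKDSK),
    Event("set_thread_context", 2856, CHKDSK, target_pid=1248, target_image=EXPLORER),
    Event("process_create", 2724, CMD, ppid=2856, cmdline=f'/c del "{SAMPLE}"'),
    Event("write_process_memory", 2856, CHKDSK, target_pid=2724, target_image=CMD),
]

Finding = Tuple[str, int, object]  # (rule, acting pid, target pid or deleted path)
_DEL_RE = re.compile(r'/c\s+del\s+"([^"]+)"', re.IGNORECASE)
CHAIN = ("self_hollowing", "explorer_thread_hijack", "parent_hijack", "self_delete")


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath splits on backslashes on any host)."""
    return ntpath.basename(path).lower()


def detect(events: List[Event]) -> List[Finding]:
    procs = {e.pid: e for e in events if e.etype == "process_create"}
    images = {p.image.lower() for p in procs.values()}
    # WriteProcessMemory alone is not a signal: the report shows the same rows
    # for chkdsk.exe -> cmd.exe, which is plain process creation on this image.
    # It is only used to corroborate a SetThreadContext below.
    writes = {(e.pid, e.target_pid) for e in events if e.etype == "write_process_memory"}
    findings: List[Finding] = []
    for e in events:
        if e.etype == "set_thread_context":
            actor, tgt = procs.get(e.pid), procs.get(e.target_pid)
            # Stage 1: parent writes into, then sets the thread context of, its
            # own child running the same image (2972 -> 3032): self-hollowing.
            if (tgt and tgt.ppid == e.pid and _name(tgt.image) == _name(e.image)
                    and (e.pid, e.target_pid) in writes):
                findings.append(("self_hollowing", e.pid, e.target_pid))
            # Stages 2 and 4: thread context set on Explorer (3032 and 2856 -> 1248).
            if e.target_image and _name(e.target_image) == "explorer.exe":
                findings.append(("explorer_thread_hijack", e.pid, e.target_pid))
            # Stage 3: a process hijacks a thread of its own parent (chkdsk.exe
            # was spawned by the injected Explorer and then injects back into it).
            if actor and actor.ppid is not None and actor.ppid == e.target_pid:
                findings.append(("parent_hijack", e.pid, e.target_pid))
        elif e.etype == "process_create" and _name(e.image) == "cmd.exe":
            # Stage 5: cmd.exe /c del of a path that executed earlier in this trace.
            m = _DEL_RE.search(e.cmdline)
            if m and m.group(1).lower() in images:
                findings.append(("self_delete", e.pid, m.group(1)))
    return findings


def verdict(events: List[Event]) -> str:
    rules = {f[0] for f in detect(events)}
    if all(r in rules for r in CHAIN):
        return "xloader-like injection chain"
    if rules:
        return "partial: " + ", ".join(sorted(rules))
    return "clean"


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
    print(verdict(EVENTS))
```

Run against the constructed events, `detect` returns five findings (one self-hollowing, two Explorer thread hijacks, one parent hijack by chkdsk.exe, one self-delete) and `verdict` reports the full chain; feeding only the first six events yields a "partial" verdict, which is the state a live sensor would be in before the Explorer-spawned host appears. The rules key on parent/child relationships and SetThreadContext targets rather than on the chkdsk.exe name, because Xloader picks its SysWOW64 host from a list and the name changes from run to run.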