Analysis
max time kernel: 149s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 03-04-2024 03:46
Static task: static1
Behavioral task: behavioral1
  Sample: (RG25LGSJ).exe
  Resource: win7-20240221-en
General
Target: (RG25LGSJ).exe
Size: 645KB
MD5: af581caf268f7ad9def31b477f8349a3
SHA1: 02e41c7fdb8d32c8f764a16913bd7afa44a7d0c9
SHA256: bec65782844355875f88723419b44dc543ba07b83c8a339036f79e39364493c6
SHA512: 7c77a374c6b5cbd812a754aa28d7e09c03881bd1742e412701c7ab235b01cf65395ba0c87d23a85f0bf7877e82db6ed4a5971b62b5487bf03f4ebaa01c09d70a
SSDEEP: 6144:7Re+8T84g/mBpd8qV2A8RwR1zAd2pxKF5eEnTSab5UAVZV7TrUynqCCdr0yNukaP:72TOmxDgA+KY2/en7UOV1qCfF
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign ID: gnui
Domains (65 entries). XLoader/Formbook configs carry one live C2 alongside a block of decoy domains, and the bot beacons to decoys as well as to the real server, so treat this list as a hunting watchlist for DNS and proxy logs rather than as 65 confirmed C2s; the report does not identify which entry is live.
himalayanwanderwoods.com
finvi.guru
iphone13promax.show
rpfcomunicacao.com
inemilia.com
blboutiqueexchange.com
sukiller.com
tzwa.net
noemiklein.com
upscalepklptp.xyz
unboxk.com
greatamericanlandworks.com
bataperu.com
estebanacostapeugeot.com
gombc-a02.com
642541.com
13f465.com
jskswj.com
hibar.xyz
eltool.net
theblackholelab.com
portcities.website
kfvmj.com
ausawarenesscodeday.com
inmobiliarianelecasa.com
supportowlph.com
dj6688i.com
mujinrj.com
adamelsouk.com
mangiamosgt.com
tokomodern.xyz
transfersound.com
shinei-ako-recruit.com
z9l2.com
apqcwl.com
everythingsamsung.com
torunavukatlikburosu.com
szfalr.com
csyein.com
momentbetong.com
zkimax.com
wiggytv.xyz
jaguarshield.com
drmitnick.com
xc6315.com
pacelicensedelectrician.com
bigbigsea.com
712861.com
hcato.xyz
things4cars.xyz
moukse.com
heyprogrammers.com
hualisudi.com
elcyork.com
icpbunny.com
goldeasolutions.com
kidsbydesign.online
auxiliacapitalpartnersllc.com
silverbackfinance.com
hitsduo.com
marganneglasser.com
kare-furniture.com
inatividigitali.com
maxicashprogtr.xyz
hottorchlighter.com
Signatures
Memory-dump paths below come from the behavioral2 run (win10v2004); PIDs match the process tree at the end of the page.

Xloader payload (4 IoCs)
resource                                                                       yara_rule
behavioral2/memory/4124-6-0x0000000000400000-0x0000000000429000-memory.dmp     xloader
behavioral2/memory/4124-11-0x0000000000400000-0x0000000000429000-memory.dmp    xloader
behavioral2/memory/1192-16-0x00000000001C0000-0x00000000001E9000-memory.dmp    xloader
behavioral2/memory/1192-18-0x00000000001C0000-0x00000000001E9000-memory.dmp    xloader
Both regions are 0x29000 bytes and hit the same rule: the unpacked payload sits at the image base (0x400000) in the child (RG25LGSJ).exe (4124) and at a non-image address (0x1C0000) in NETSTAT.EXE (1192), consistent with the same payload having been written into the system utility.

Suspicious use of SetThreadContext (3 IoCs)
pid    process          target pid   target process
776    (RG25LGSJ).exe   4124         (RG25LGSJ).exe
4124   (RG25LGSJ).exe   3576         Explorer.EXE
1192   NETSTAT.EXE      3576         Explorer.EXE

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
pid    process
1192   NETSTAT.EXE
Caveat: this signature fires on the image name. The process tree shows NETSTAT.EXE spawned by Explorer.EXE, written to by Explorer.EXE, setting Explorer's thread context and then deleting the sample, so it is the injection host XLoader chose, not an operator running netstat for reconnaissance.

Suspicious behavior: EnumeratesProcesses (52 IoCs)
pid    process          count
4124   (RG25LGSJ).exe   4
1192   NETSTAT.EXE      48

Suspicious behavior: MapViewOfSection (5 IoCs)
pid    process          count
4124   (RG25LGSJ).exe   3
1192   NETSTAT.EXE      2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                  pid    process
Token: SeDebugPrivilege      4124   (RG25LGSJ).exe
Token: SeDebugPrivilege      1192   NETSTAT.EXE

Suspicious use of UnmapMainImage (1 IoC)
pid    process
3576   Explorer.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
pid    process          target pid   target process   count
776    (RG25LGSJ).exe   4124         (RG25LGSJ).exe   6
3576   Explorer.EXE     1192         NETSTAT.EXE      3
1192   NETSTAT.EXE      1152         cmd.exe          3
Processes

C:\Windows\Explorer.EXE  (PID 3576)
    command line: C:\Windows\Explorer.EXE
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\(RG25LGSJ).exe  (PID 776)
        command line: "C:\Users\Admin\AppData\Local\Temp\(RG25LGSJ).exe"
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\(RG25LGSJ).exe  (PID 4124)
            command line: "{path}"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\NETSTAT.EXE  (PID 1192)
        command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
        - Suspicious use of SetThreadContext
        - Gathers network information
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe  (PID 1152)
            command line: /c del "C:\Users\Admin\AppData\Local\Temp\(RG25LGSJ).exe"

Read together with the signatures: the sample (776) starts a copy of itself (4124) and writes the payload into it; that child sets Explorer's thread context (3576); Explorer then launches NETSTAT.EXE (1192) and writes to it; the injected NETSTAT.EXE in turn launches cmd.exe (1152) to delete the original file. The Explorer.EXE at the root of the tree is the same PID 3576 that both injectors target.
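The chain above can be recovered mechanically from the signature rows rather than read off by hand. The following Python script is an added example and is not part of the sandbox report: it embeds the SetThreadContext, WriteProcessMemory and Xloader-payload IoC lines and the process tree as constructed input copied from this page, then derives the thread-context hand-off order, the host that receives injection from more than one process, the size of each YARA-flagged region, and the cmd.exe that deletes the sample. The function names and the (pid, parent pid, image, command line) tuple layout of PROCESS_TREE are this example's own conventions, not the sandbox's.

```python
"""Reconstruct an XLoader injection chain from sandbox-report IoC rows.

Added example, not part of the sandbox report. The input strings are
constructed by copying the report's own IoC lines; function names and the
PROCESS_TREE layout are this example's own.
"""
import re
from collections import Counter, defaultdict

SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\(RG25LGSJ).exe"

# Constructed input: "Suspicious use of SetThreadContext" rows from the report.
SET_THREAD_CONTEXT = """
PID 776 set thread context of 4124 776 (RG25LGSJ).exe (RG25LGSJ).exe
PID 4124 set thread context of 3576 4124 (RG25LGSJ).exe Explorer.EXE
PID 1192 set thread context of 3576 1192 NETSTAT.EXE Explorer.EXE
"""

# Constructed input: the 12 "Suspicious use of WriteProcessMemory" rows.
WRITE_PROCESS_MEMORY = (
    "PID 776 wrote to memory of 4124 776 (RG25LGSJ).exe (RG25LGSJ).exe\n" * 6
    + "PID 3576 wrote to memory of 1192 3576 Explorer.EXE NETSTAT.EXE\n" * 3
    + "PID 1192 wrote to memory of 1152 1192 NETSTAT.EXE cmd.exe\n" * 3
)

# Constructed input: the "Xloader payload" YARA hits on memory dumps.
PAYLOAD_HITS = """
behavioral2/memory/4124-6-0x0000000000400000-0x0000000000429000-memory.dmp xloader
behavioral2/memory/4124-11-0x0000000000400000-0x0000000000429000-memory.dmp xloader
behavioral2/memory/1192-16-0x00000000001C0000-0x00000000001E9000-memory.dmp xloader
behavioral2/memory/1192-18-0x00000000001C0000-0x00000000001E9000-memory.dmp xloader
"""

# Constructed from the report's process tree: (pid, parent pid, image, command line).
PROCESS_TREE = [
    (3576, None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (776, 3576, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    (4124, 776, SAMPLE_PATH, '"{path}"'),
    (1192, 3576, r"C:\Windows\SysWOW64\NETSTAT.EXE", r'"C:\Windows\SysWOW64\NETSTAT.EXE"'),
    (1152, 1192, r"C:\Windows\SysWOW64\cmd.exe", f'/c del "{SAMPLE_PATH}"'),
]

EVENT_RE = re.compile(
    r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\S+)"
)
DUMP_RE = re.compile(
    r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp\s+(\w+)"
)


def parse_events(text):
    """Turn the report's one-line IoC rows into (kind, src pid, dst pid, names) records."""
    events = []
    for src, verb, dst, src_name, dst_name in EVENT_RE.findall(text):
        kind = "SetThreadContext" if verb.startswith("set") else "WriteProcessMemory"
        events.append({"kind": kind, "src": int(src), "dst": int(dst),
                       "src_name": src_name, "dst_name": dst_name})
    return events


def thread_context_chain(events, root):
    """Follow SetThreadContext edges from `root`; the result is the hand-off order."""
    nxt = {e["src"]: e["dst"] for e in events if e["kind"] == "SetThreadContext"}
    chain, pid = [root], root
    while pid in nxt and nxt[pid] not in chain:   # stop on cycles
        pid = nxt[pid]
        chain.append(pid)
    return chain


def injected_hosts(events):
    """Targets whose thread context was set by more than one source process."""
    sources = defaultdict(set)
    for e in events:
        if e["kind"] == "SetThreadContext":
            sources[e["dst"]].add(e["src"])
    return {pid: sorted(s) for pid, s in sources.items() if len(s) > 1}


def write_counts(events):
    """How many WriteProcessMemory rows each (writer, target) pair produced."""
    return Counter((e["src"], e["dst"]) for e in events if e["kind"] == "WriteProcessMemory")


def payload_regions(text):
    """Map (pid, start address) -> size and rule for each YARA hit; duplicate dumps collapse."""
    regions = {}
    for pid, start, end, rule in DUMP_RE.findall(text):
        lo, hi = int(start, 16), int(end, 16)
        regions[(int(pid), lo)] = {"end": hi, "size": hi - lo, "rule": rule}
    return regions


def find_self_delete(procs, sample_path):
    """(pid, parent pid) of every cmd.exe whose command line deletes the sample."""
    needle = f'del "{sample_path}"'.lower()
    return [(pid, ppid) for pid, ppid, image, cmd in procs
            if image.lower().endswith("cmd.exe") and needle in cmd.lower()]


if __name__ == "__main__":
    ev = parse_events(SET_THREAD_CONTEXT + WRITE_PROCESS_MEMORY)
    print("thread-context chain:", thread_context_chain(ev, 776))
    print("hosts injected from several processes:", injected_hosts(ev))
    print("WriteProcessMemory counts:", dict(write_counts(ev)))
    for (pid, lo), r in payload_regions(PAYLOAD_HITS).items():
        print(f"pid {pid}: {r['rule']} at {lo:#x}, size {r['size']:#x}")
    print("self-delete:", find_self_delete(PROCESS_TREE, SAMPLE_PATH))
```

The same functions work on any report that uses this row format; the parts worth keying detections on are the host that receives SetThreadContext from two different sources (Explorer.EXE here), the equal-sized YARA regions in the child and in the system utility, and a cmd.exe deleting the original sample with a SysWOW64 utility as its parent.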