Analysis
- max time kernel: 145s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 11-07-2024 21:00
- Static task: static1
- Behavioral task behavioral1: sample PO-001021521.exe, resource win7-20240704-en
- Behavioral task behavioral2: sample PO-001021521.exe, resource win10v2004-20240709-en
- Behavioral task behavioral3: sample $PLUGINSDIR/System.dll, resource win7-20240708-en
- Behavioral task behavioral4: sample $PLUGINSDIR/System.dll, resource win10v2004-20240709-en
- Behavioral task behavioral5: sample 1gbwwte3logn.dll, resource win7-20240705-en
- Behavioral task behavioral6: sample 1gbwwte3logn.dll, resource win10v2004-20240709-en
General
- Target: PO-001021521.exe
- Size: 286KB
- MD5: b906a265b5e3a8afb18f2d336319ca86
- SHA1: 1f7b2432b7425828ae800a67313d75e30e3076a2
- SHA256: 0a2e7c9ad53b5355f4f723912d07f9dae7d1e2d72ac62758cdc44196f124945e
- SHA512: 7b4095b9f72ebf2b5ed67de9e4d28b37ff9ecc2d9178bd8fa3894cdbb49f637582af74f58c7e03e00446c4c7f8fe435bc7e65a6fa27599bfc4291c2f2480aa30
- SSDEEP: 6144:AqjI6KE6IeyEZBEh/7fsCMH2qKZsQTZVPSt:NDKE6kxhaH2hZ/q
Malware Config (extracted)
- Family: xloader
- Version: 2.3
- Campaign ID: gzcj
- C2 / decoy domains:
Signatures
- Xloader payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/2552-13-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral1/memory/2552-16-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral1/memory/2700-23-0x00000000000B0000-0x00000000000D9000-memory.dmp | xloader
- Deletes itself (1 IoC)
  pid | process
  2468 | cmd.exe
- Loads dropped DLL (2 IoCs)
  pid | process
  2412 | PO-001021521.exe
  2412 | PO-001021521.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | process | target process
  PID 2412 set thread context of 2552 | 2412 | PO-001021521.exe | PO-001021521.exe
  PID 2552 set thread context of 1208 | 2552 | PO-001021521.exe | Explorer.EXE
  PID 2700 set thread context of 1208 | 2700 | cscript.exe | Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (35 IoCs)
  pid | process | events
  2412 | PO-001021521.exe | 4
  2552 | PO-001021521.exe | 2
  2700 | cscript.exe | 29
- Suspicious behavior: MapViewOfSection (6 IoCs)
  pid | process | events
  2412 | PO-001021521.exe | 1
  2552 | PO-001021521.exe | 3
  2700 | cscript.exe | 2
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2552 | PO-001021521.exe
  Token: SeDebugPrivilege | 2700 | cscript.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  description | pid | process | target process | events
  PID 2412 wrote to memory of 2552 | 2412 | PO-001021521.exe | PO-001021521.exe | 5
  PID 1208 wrote to memory of 2700 | 1208 | Explorer.EXE | cscript.exe | 4
  PID 2700 wrote to memory of 2468 | 2700 | cscript.exe | cmd.exe | 4
Processes
- C:\Windows\Explorer.EXE (PID 1208), command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PO-001021521.exe (PID 2412), command line: "C:\Users\Admin\AppData\Local\Temp\PO-001021521.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\PO-001021521.exe (PID 2552), command line: "C:\Users\Admin\AppData\Local\Temp\PO-001021521.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cscript.exe (PID 2700), command line: "C:\Windows\SysWOW64\cscript.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2468), command line: /c del "C:\Users\Admin\AppData\Local\Temp\PO-001021521.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix
Downloads
- File 1
  - Filesize: 11KB
  - MD5: 558a057a766736289b2da31eab04db53
  - SHA1: ab48d1f8acdae775a154566fe7152c04eb6a7d1b
  - SHA256: b4607d330754a557a009ce50c3ab252743b269fca2fa99500ec58570e393b699
  - SHA512: d582be64cd5edf6fe608a25cb8661c5e97502b2afe817d6b3c8f7144c8c1e078afb94ce826c4bbdc35ee72cc7702d4920e00da02021418465856cd460a81d79f
- File 2
  - Filesize: 11KB
  - MD5: fccff8cb7a1067e23fd2e2b63971a8e1
  - SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  - SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  - SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c