Analysis
-
max time kernel
48s -
max time network
24s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
27-07-2024 22:50
Static task
static1
Behavioral task
behavioral1
Sample
10b55b038f70d21f31cd55f787d44ae0N.exe
Resource
win7-20240704-en
General
-
Target
10b55b038f70d21f31cd55f787d44ae0N.exe
-
Size
743KB
-
MD5
10b55b038f70d21f31cd55f787d44ae0
-
SHA1
8ffb7bd8228f943c54e5137f1894dc6c8b4a54d3
-
SHA256
6a648e78826c4e2e6a4c1f984c91cbedadf14344383306d023f4730d481bce05
-
SHA512
86855a81e92af79055d141f52b73305734763cda1ca4602709e88e819c0e6b6b432bd60b24bde53d07081e2ad20a24dce62e502417be1f6bb665b55f62dea963
-
SSDEEP
12288:zlqyqREeIzk+ZkO+SaTu8psEd7zp5I56IW3B2kb+tqYtkmJ1M:zNeIzJZkO5qsoPva6hEOsqOk0
Malware Config
Extracted
xloader
2.5
hfhf
ddhh9500.com
lesterkwilson.store
southasianrepublicans.com
azumo.xyz
emptycc.net
lelasthriftboutique.com
redis76.com
marinebelaroi.com
hallibrewerproductions.com
elevareassessoria.com
haozhugou.com
anti-ragebot.com
bardo.xyz
dryerventmastersllc.com
qmhdxu.biz
getgoldentoday.com
crippledom.com
primedispatchers.com
052et.xyz
h2adubai.com
coolspanishlikeyou.com
medyncity.store
zahediseresht.com
oliviasnowceramics.com
techis-ichiro.com
shoppingindia.tech
actpress.net
p2psite.net
emplealegal.com
moriwafuu.website
assetmortgagenc.com
newbalancepeak.xyz
xn--ruilnhen-f2a67a660z.com
loveyoumoreboutique.com
vnethotspot.online
theadaptiveadvantage.com
gobestbooks.com
baileys.pet
searchwebnetwork.online
s-thtv.com
nowuckas.top
badkyker.quest
xmqzyz.com
keennook.com
fisocialmedia.com
special-controls.online
xiphiasys.com
gonorthindianbites.com
cqmogj.com
capgeminimerchandise.com
gextop.com
822941.com
azzawisynapses.com
biyell.com
magnauniversity.com
wofmyhome.online
yourchariott.com
escortworks.xyz
balancethekeytoeverything.com
marypetshop.com
universitetrading.com
finessetrades.com
luxalbridi.com
explorebrowser.com
cbrevival.com
Signatures
-
Xloader payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2864-8-0x0000000004300000-0x0000000004329000-memory.dmp xloader -
Suspicious use of SetThreadContext 1 IoCs
Processes:
10b55b038f70d21f31cd55f787d44ae0N.exedescription pid Process procid_target PID 2864 set thread context of 2668 2864 10b55b038f70d21f31cd55f787d44ae0N.exe 31 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
10b55b038f70d21f31cd55f787d44ae0N.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 10b55b038f70d21f31cd55f787d44ae0N.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
10b55b038f70d21f31cd55f787d44ae0N.exe10b55b038f70d21f31cd55f787d44ae0N.exepid Process 2864 10b55b038f70d21f31cd55f787d44ae0N.exe 2864 10b55b038f70d21f31cd55f787d44ae0N.exe 2668 10b55b038f70d21f31cd55f787d44ae0N.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
10b55b038f70d21f31cd55f787d44ae0N.exedescription pid Process Token: SeDebugPrivilege 2864 10b55b038f70d21f31cd55f787d44ae0N.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
10b55b038f70d21f31cd55f787d44ae0N.exedescription pid Process procid_target PID 2864 wrote to memory of 2720 2864 10b55b038f70d21f31cd55f787d44ae0N.exe 30 PID 2864 wrote to memory of 2720 2864 10b55b038f70d21f31cd55f787d44ae0N.exe 30 PID 2864 wrote to memory of 2720 2864 10b55b038f70d21f31cd55f787d44ae0N.exe 30 PID 2864 wrote to memory of 2720 2864 10b55b038f70d21f31cd55f787d44ae0N.exe 30 PID 2864 wrote to memory of 2668 2864 10b55b038f70d21f31cd55f787d44ae0N.exe 31 PID 2864 wrote to memory of 2668 2864 10b55b038f70d21f31cd55f787d44ae0N.exe 31 PID 2864 wrote to memory of 2668 2864 10b55b038f70d21f31cd55f787d44ae0N.exe 31 PID 2864 wrote to memory of 2668 2864 10b55b038f70d21f31cd55f787d44ae0N.exe 31 PID 2864 wrote to memory of 2668 2864 10b55b038f70d21f31cd55f787d44ae0N.exe 31 PID 2864 wrote to memory of 2668 2864 10b55b038f70d21f31cd55f787d44ae0N.exe 31 PID 2864 wrote to memory of 2668 2864 10b55b038f70d21f31cd55f787d44ae0N.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\10b55b038f70d21f31cd55f787d44ae0N.exe"C:\Users\Admin\AppData\Local\Temp\10b55b038f70d21f31cd55f787d44ae0N.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Users\Admin\AppData\Local\Temp\10b55b038f70d21f31cd55f787d44ae0N.exe"C:\Users\Admin\AppData\Local\Temp\10b55b038f70d21f31cd55f787d44ae0N.exe"2⤵PID:2720
-
-
C:\Users\Admin\AppData\Local\Temp\10b55b038f70d21f31cd55f787d44ae0N.exe"C:\Users\Admin\AppData\Local\Temp\10b55b038f70d21f31cd55f787d44ae0N.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2668
-