Analysis Overview
SHA256
656cb950e3811873a4659d8057e39a78d9eb44df652b691ebc027f2cf7a325f5
Threat Level: Known bad
The file 656cb950e3811873a4659d8057e39a78d9eb44df652b691ebc027f2cf7a325f5 was found to be: Known bad.
Malicious Activity Summary
Xloader family
Xloader payload
Xloader
Xloader payload
Deletes itself
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-21 19:50
Signatures
Xloader family
Xloader payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-21 19:50
Reported
2024-11-21 19:53
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Xloader
Xloader family
Xloader payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3396 set thread context of 3592 | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | C:\Windows\Explorer.EXE |
| PID 3064 set thread context of 3592 | N/A | C:\Windows\SysWOW64\mstsc.exe | C:\Windows\Explorer.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mstsc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3592 wrote to memory of 3064 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\mstsc.exe |
| PID 3592 wrote to memory of 3064 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\mstsc.exe |
| PID 3592 wrote to memory of 3064 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\mstsc.exe |
| PID 3064 wrote to memory of 2076 | N/A | C:\Windows\SysWOW64\mstsc.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3064 wrote to memory of 2076 | N/A | C:\Windows\SysWOW64\mstsc.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3064 wrote to memory of 2076 | N/A | C:\Windows\SysWOW64\mstsc.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\bin.exe
"C:\Users\Admin\AppData\Local\Temp\bin.exe"
C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\bin.exe"
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-21 19:50
Reported
2024-11-21 19:53
Platform
win7-20241010-en
Max time kernel
146s
Max time network
125s
Command Line
Signatures
Xloader
Xloader family
Xloader payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2884 set thread context of 1188 | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | C:\Windows\Explorer.EXE |
| PID 2884 set thread context of 1188 | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | C:\Windows\Explorer.EXE |
| PID 2784 set thread context of 1188 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Explorer.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2884 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2884 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2884 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2884 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2784 wrote to memory of 3064 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2784 wrote to memory of 3064 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2784 wrote to memory of 3064 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2784 wrote to memory of 3064 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\bin.exe
"C:\Users\Admin\AppData\Local\Temp\bin.exe"
C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\bin.exe"
Network
Files