Analysis Overview
SHA256
752966b8834739951d9ca0e169f7750b7d74363db3fb9e1af55ab44e692ad578
Threat Level: Known bad
The file 752966b8834739951d9ca0e169f7750b7d74363db3fb9e1af55ab44e692ad578 was classified as Known bad.
Malicious Activity Summary
Xloader
Xloader family
Xloader payload
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Scheduled Task/Job: Scheduled Task
Gathers network information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-21 19:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-21 19:52
Reported
2024-11-21 19:55
Platform
win7-20240903-en
Max time kernel
148s
Max time network
20s
Command Line
Signatures
Xloader
Xloader family
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 880 set thread context of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\81b66d8cf175ecdcfdbb113d8e020aadef3537b7060ec4f2588cb81724a69e3a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2868 set thread context of 1236 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Explorer.EXE |
| PID 2340 set thread context of 1236 | N/A | C:\Windows\SysWOW64\cscript.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\81b66d8cf175ecdcfdbb113d8e020aadef3537b7060ec4f2588cb81724a69e3a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\81b66d8cf175ecdcfdbb113d8e020aadef3537b7060ec4f2588cb81724a69e3a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\81b66d8cf175ecdcfdbb113d8e020aadef3537b7060ec4f2588cb81724a69e3a.exe | "C:\Users\Admin\AppData\Local\Temp\81b66d8cf175ecdcfdbb113d8e020aadef3537b7060ec4f2588cb81724a69e3a.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jDocKhQ.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jDocKhQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF1E.tmp" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\cscript.exe | "C:\Windows\SysWOW64\cscript.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
Network
Files
memory/880-0-0x00000000746EE000-0x00000000746EF000-memory.dmp
memory/880-1-0x0000000001390000-0x0000000001460000-memory.dmp
memory/880-2-0x00000000746E0000-0x0000000074DCE000-memory.dmp
memory/880-3-0x00000000005E0000-0x00000000005F6000-memory.dmp
memory/880-4-0x00000000746EE000-0x00000000746EF000-memory.dmp
memory/880-5-0x00000000746E0000-0x0000000074DCE000-memory.dmp
memory/880-6-0x0000000000650000-0x000000000065A000-memory.dmp
memory/880-7-0x00000000059A0000-0x0000000005A46000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpF1E.tmp
| MD5 | 5cb1cde5f7371d59d9c2c2b0c7be3b13 |
| SHA1 | 29fbd1544a4e82144f5cfb9d0ad67ab7b2bdca2a |
| SHA256 | 0113dbbd9795205d4fa0f8e9c314e3b35f7dbea03c25dabdb9ebf83e02f1140d |
| SHA512 | 947c8a04c34ae8ae3ac82cec90dc02029eff170a3dce5dd54d5248c0e5bf778f1cea77c8f0e5ba05acf0a3a852efd5705e9a3472aa39236fc1e51917a23fa981 |
memory/880-15-0x0000000005F70000-0x0000000005FE0000-memory.dmp
memory/2868-16-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2868-18-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2868-21-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2868-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/880-22-0x00000000746E0000-0x0000000074DCE000-memory.dmp
memory/2340-24-0x0000000000A20000-0x0000000000A42000-memory.dmp
memory/2340-25-0x0000000000170000-0x000000000019B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-21 19:52
Reported
2024-11-21 19:55
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Xloader
Xloader family
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\81b66d8cf175ecdcfdbb113d8e020aadef3537b7060ec4f2588cb81724a69e3a.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3976 set thread context of 1748 | N/A | C:\Users\Admin\AppData\Local\Temp\81b66d8cf175ecdcfdbb113d8e020aadef3537b7060ec4f2588cb81724a69e3a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 1748 set thread context of 3540 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Explorer.EXE |
| PID 1748 set thread context of 3540 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Explorer.EXE |
| PID 3552 set thread context of 3540 | N/A | C:\Windows\SysWOW64\ipconfig.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\81b66d8cf175ecdcfdbb113d8e020aadef3537b7060ec4f2588cb81724a69e3a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\81b66d8cf175ecdcfdbb113d8e020aadef3537b7060ec4f2588cb81724a69e3a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\81b66d8cf175ecdcfdbb113d8e020aadef3537b7060ec4f2588cb81724a69e3a.exe | "C:\Users\Admin\AppData\Local\Temp\81b66d8cf175ecdcfdbb113d8e020aadef3537b7060ec4f2588cb81724a69e3a.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jDocKhQ.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jDocKhQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5D1F.tmp" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Windows\SysWOW64\ipconfig.exe | "C:\Windows\SysWOW64\ipconfig.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
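The process list above, together with the SetThreadContext rows, is the chain a responder wants to recognise on a live host: a Defender exclusion added for the future persistence path, a scheduled task created from an XML file in Temp, a .NET framework binary (RegSvcs.exe) hollowed, migration into Explorer.EXE, and finally an attempt to delete the hollowed host. The behavioral1 run shows the same chain with cscript.exe in place of ipconfig.exe. The image paths under SysWOW64 against command lines that name System32 are WoW64 file-system redirection, which tells you the parent that spawned powershell.exe and schtasks.exe was a 32-bit process. The following is an added example written for this page, not part of the sandbox report or any vendor tooling: it replays constructed events modelled on the behavioral2 rows through a small rule set and attaches an ATT&CK technique to each hit. The event field names, the technique mapping (the report itself only labels these as "Suspicious use of SetThreadContext" and similar) and the PIDs 9001 to 9003, which the report does not state, are assumptions of the example.

```python
"""Triage rules replaying the process and thread-context events from this report.

Added example for this page; not part of the sandbox report or any vendor tool.
Event field names, the technique mapping and the placeholder PIDs are assumptions.
"""
import re
from dataclasses import dataclass

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\81b66d8cf175ecdcfdbb113d8e020aadef3537b7060ec4f2588cb81724a69e3a.exe")
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"
IPCONFIG = r"C:\Windows\SysWOW64\ipconfig.exe"

# Constructed process-creation events modelled on the behavioral2 run.
# PIDs 9001-9003 are placeholders: the report does not state them.
PROCESS_EVENTS = [
    {"pid": 3976, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 9001, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jDocKhQ.exe"'},
    {"pid": 9002, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jDocKhQ" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp5D1F.tmp"'},
    {"pid": 1748, "image": REGSVCS, "cmdline": f'"{REGSVCS}"'},
    {"pid": 3552, "image": IPCONFIG, "cmdline": f'"{IPCONFIG}"'},
    {"pid": 9003, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": f'/c del "{REGSVCS}"'},
]

# Constructed from the "Suspicious use of SetThreadContext" rows of behavioral2.
THREAD_CONTEXT_EVENTS = [
    {"pid": 3976, "image": SAMPLE,   "target_pid": 1748, "target_image": REGSVCS},
    {"pid": 1748, "image": REGSVCS,  "target_pid": 3540, "target_image": EXPLORER},
    {"pid": 3552, "image": IPCONFIG, "target_pid": 3540, "target_image": EXPLORER},
]

# Paths a standard user can write to; an exclusion here shields the malware's own drop.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
# .NET framework binaries commonly spawned suspended and hollowed (assumed list).
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique id assigned by this example
    title: str
    pid: int
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def wow64_redirected(ev: dict) -> bool:
    """True when a System32 path in the command line ran from SysWOW64: the parent was 32-bit."""
    return "\\syswow64\\" in ev["image"].lower() and "\\system32\\" in ev["cmdline"].lower()


def check_process(ev: dict) -> list:
    findings, cmd, low, name = [], ev["cmdline"], ev["cmdline"].lower(), basename(ev["image"])
    if name == "powershell.exe" and "add-mppreference" in low and "-exclusionpath" in low:
        m = re.search(r'-exclusionpath\s+"?([^"]+)"?', cmd, re.IGNORECASE)
        path = m.group(1) if m else "?"
        sev = "high" if USER_WRITABLE.search(path) else "medium"
        findings.append(Finding("T1562.001", "Defender exclusion added", ev["pid"], f"{sev}: {path}"))
    if name == "schtasks.exe" and "/create" in low and "/xml" in low:
        m = re.search(r'/xml\s+"?([^"]+)"?', cmd, re.IGNORECASE)
        xml = m.group(1) if m else "?"
        if "\\temp\\" in xml.lower():
            findings.append(Finding("T1053.005", "Scheduled task created from XML in Temp", ev["pid"], xml))
    if name == "cmd.exe":
        m = re.search(r'\bdel\s+"?([^"]+)"?', cmd, re.IGNORECASE)
        if m and m.group(1).lower().startswith("c:\\windows\\"):
            findings.append(Finding("T1070.004", "Deletion of a Windows binary via cmd", ev["pid"], m.group(1)))
    return findings


def check_thread_context(ev: dict):
    src, dst = basename(ev["image"]), basename(ev["target_image"])
    if ev["pid"] == ev["target_pid"]:
        return None  # a process setting context on its own threads is routine
    where = f"{src} -> {dst} (pid {ev['target_pid']})"
    if dst in HOLLOW_HOSTS:
        return Finding("T1055.012", "Process hollowing of a .NET host binary", ev["pid"], where)
    return Finding("T1055", "Thread context written into another process", ev["pid"], where)


def triage(process_events: list, thread_events: list) -> list:
    findings = []
    for ev in process_events:
        findings.extend(check_process(ev))
    for ev in thread_events:
        f = check_thread_context(ev)
        if f:
            findings.append(f)
    return findings


def techniques(findings: list) -> list:
    return sorted({f.technique for f in findings})


if __name__ == "__main__":
    for f in triage(PROCESS_EVENTS, THREAD_CONTEXT_EVENTS):
        print(f"{f.technique:10} pid {f.pid:<5} {f.title}: {f.detail}")
```

The exclusion rule is scored high only because the excluded path sits under the user's AppData, which is the same place the scheduled task will later run the payload from; an exclusion for a vendor directory would score lower. The SetThreadContext rule keys on the target image rather than the source, because the source in the second and third rows (RegSvcs.exe, ipconfig.exe) is itself a legitimate binary that has already been hollowed.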
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.36.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.gregoryzeitler.com | udp |
| US | 3.131.150.69:80 | www.gregoryzeitler.com | tcp |
| US | 8.8.8.8:53 | 69.150.131.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.e-powair.com | udp |
| US | 8.8.8.8:53 | www.koalaglen.com | udp |
| US | 8.8.8.8:53 | www.wiresofteflon.com | udp |
| US | 99.83.176.46:80 | www.wiresofteflon.com | tcp |
| US | 8.8.8.8:53 | 46.176.83.99.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.razaancreates.com | udp |
| US | 8.8.8.8:53 | www.berendsit.com | udp |
| US | 8.8.8.8:53 | www.sfbayraw.net | udp |
| US | 206.188.193.213:80 | www.sfbayraw.net | tcp |
| US | 8.8.8.8:53 | 213.193.188.206.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.3559.fyi | udp |
| US | 8.8.8.8:53 | www.yndzjs.com | udp |
| US | 8.8.8.8:53 | www.dj-mary.com | udp |
| US | 8.8.8.8:53 | www.gurulotaska.com | udp |
Files
memory/3976-0-0x000000007468E000-0x000000007468F000-memory.dmp
memory/3976-1-0x0000000000340000-0x0000000000410000-memory.dmp
memory/3976-2-0x0000000005480000-0x0000000005A24000-memory.dmp
memory/3976-3-0x0000000004DD0000-0x0000000004E62000-memory.dmp
memory/3976-4-0x0000000004EB0000-0x0000000004EBA000-memory.dmp
memory/3976-5-0x0000000074680000-0x0000000074E30000-memory.dmp
memory/3976-6-0x0000000006140000-0x00000000061DC000-memory.dmp
memory/3976-7-0x0000000004F70000-0x0000000004F86000-memory.dmp
memory/3976-8-0x000000007468E000-0x000000007468F000-memory.dmp
memory/3976-9-0x0000000074680000-0x0000000074E30000-memory.dmp
memory/3976-10-0x0000000006120000-0x000000000612A000-memory.dmp
memory/3976-11-0x0000000007E30000-0x0000000007ED6000-memory.dmp
memory/1672-16-0x00000000023A0000-0x00000000023D6000-memory.dmp
memory/1672-18-0x0000000074680000-0x0000000074E30000-memory.dmp
memory/1672-17-0x0000000004E50000-0x0000000005478000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp5D1F.tmp
| MD5 | 0a89311ba22c912a0c35225233aea433 |
| SHA1 | 0e73992b5a8f7fb84a8abc7d150afecd7a4743be |
| SHA256 | 7b0ca00c180f1ec28e4afd90db7f1360d7dba54000a66d87f29e398bbbc86f1b |
| SHA512 | 6b14a6fe2be38d784ba96c45f7029ea7cbed21813e2eb6b41b76bbf462b7cbc3f9ed258f751f93f5c7a0042a31c2c36ff7c39e3a8155fc230966b0a84e6e5cd3 |
memory/1672-20-0x0000000074680000-0x0000000074E30000-memory.dmp
memory/3976-21-0x0000000007FD0000-0x0000000008040000-memory.dmp
memory/1672-22-0x0000000004D40000-0x0000000004D62000-memory.dmp
memory/1748-25-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1672-24-0x0000000005480000-0x00000000054E6000-memory.dmp
memory/1672-23-0x0000000004DE0000-0x0000000004E46000-memory.dmp
memory/1672-26-0x0000000074680000-0x0000000074E30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c3wp3h23.orp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1672-33-0x0000000005680000-0x00000000059D4000-memory.dmp
memory/1748-39-0x0000000001060000-0x00000000013AA000-memory.dmp
memory/3976-38-0x0000000074680000-0x0000000074E30000-memory.dmp
memory/1672-40-0x0000000005CD0000-0x0000000005CEE000-memory.dmp
memory/1672-41-0x00000000060B0000-0x00000000060FC000-memory.dmp
memory/3540-45-0x0000000008960000-0x0000000008B00000-memory.dmp
memory/1748-44-0x0000000001010000-0x0000000001021000-memory.dmp
memory/1748-43-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1672-46-0x000000007EFF0000-0x000000007F000000-memory.dmp
memory/1672-47-0x00000000062A0000-0x00000000062D2000-memory.dmp
memory/1672-48-0x0000000074F10000-0x0000000074F5C000-memory.dmp
memory/1672-58-0x0000000002460000-0x0000000002470000-memory.dmp
memory/1672-59-0x0000000006280000-0x000000000629E000-memory.dmp
memory/1672-60-0x0000000006EA0000-0x0000000006F43000-memory.dmp
memory/1672-61-0x0000000007630000-0x0000000007CAA000-memory.dmp
memory/1672-62-0x0000000006FF0000-0x000000000700A000-memory.dmp
memory/1672-63-0x0000000007060000-0x000000000706A000-memory.dmp
memory/1672-64-0x0000000007270000-0x0000000007306000-memory.dmp
memory/1672-65-0x00000000071F0000-0x0000000007201000-memory.dmp
memory/1672-66-0x0000000007220000-0x000000000722E000-memory.dmp
memory/1672-67-0x0000000007230000-0x0000000007244000-memory.dmp
memory/1672-68-0x0000000007330000-0x000000000734A000-memory.dmp
memory/1672-69-0x0000000007310000-0x0000000007318000-memory.dmp
memory/1672-70-0x0000000074680000-0x0000000074E30000-memory.dmp
memory/1672-73-0x0000000074680000-0x0000000074E30000-memory.dmp
memory/1748-75-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3540-76-0x0000000008960000-0x0000000008B00000-memory.dmp
memory/3552-77-0x00000000001D0000-0x00000000001DB000-memory.dmp
memory/3552-78-0x0000000000600000-0x000000000062B000-memory.dmp
memory/3540-82-0x0000000008CD0000-0x0000000008DE5000-memory.dmp