Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 21-11-2024 20:42
Static task
- static1

Behavioral tasks
- behavioral1: Sample FACTURA.exe, Resource win7-20240708-en
- behavioral2: Sample FACTURA.exe, Resource win10v2004-20241007-en
- behavioral3: Sample $PLUGINSDIR/772vhhojj684oi.dll, Resource win7-20240708-en
- behavioral4: Sample $PLUGINSDIR/772vhhojj684oi.dll, Resource win10v2004-20241007-en
- behavioral5: Sample URGENT Request for Quotation.pdf.exe, Resource win7-20240903-en
General
- Target: $PLUGINSDIR/772vhhojj684oi.dll
- Size: 5KB
- MD5: 5e3d3dadd742c63f01034fb9175caef2
- SHA1: a3c3cdd8ba24655f36ef248678efe1fade8bc6e8
- SHA256: c5e4e3bca252502d2c1b4dd9af51de6f14f495b97965e6f0cb9689ce2501afe1
- SHA512: 6d19e6f22dd4442baf620111e4370ebe83acde452240dfb171c6492051f9cbede8d1c0a7de538d012e20ef98e07d61ed1e126050a890425f4a868f27a4d66440
- SSDEEP: 96:EBxUgFl44+MRTXtEm1Rtwz6SJtxuR3kx:E1lRTv1Rtwz6
Malware Config
Extracted
xloader
2.3
u8nw
constructionjadams.com
organicwellnessfarm.com
beautiful.tours
medvows.com
foxparanormal.com
fsmxmc.com
graniterealestategroup.net
qgi1.com
astrologicsolutions.com
rafbar.com
bastiontools.net
emotist.com
stacyleets.com
bloodtypealpha.com
healtybenenfitsplus.com
vavadadoa3.com
chefbenhk.com
dotgz.com
xn--z4qm188e645c.com
ethyi.com
farrellforcouncil.com
everythingcornea.com
pensje.net
haichuanxin.com
codeproper.com
beautyblvdca.com
namastecarrier.com
xtrator.com
alphabrainbalancing.com
sensationalcleaningservices.net
magistv.info
shotsbynox.com
zioninfosystems.net
yourstoryplace.com
ebmulla.com
turkeyvisa-government.com
albertsonsolutions.com
7brochasmagicas.com
revolutiontourselsalvador.com
eastboundanddowntrucking.com
jkskylights.com
ultimatepoolwater.com
diurr.com
investmentfocused.com
dogscanstay.com
inov8digital.com
paragoncraftevents.com
reservesunbeds.com
melaniesalascosmetics.com
vissito.com
axolc-upoc.xyz
customessayjojo.com
kladki.com
online-securegov.com
xn--demirelik-u3a.com
plgmap.com
contorig2.com
dgyzgs8.com
valuedmind.com
sanacolitademarijuana.com
xn--6j1bs50berk.com
labkitsforstudents.com
lifehakershagirl.online
candidanddevout.com
onyxcomputing.com
Signatures
- Xloader family

- Xloader payload (3 IoCs)
  resource                                                                    yara_rule
  behavioral3/memory/2360-1-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
  behavioral3/memory/2360-4-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
  behavioral3/memory/2360-8-0x0000000000400000-0x0000000000429000-memory.dmp  xloader

- Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process       procid_target
  PID 2432 set thread context of 2360  2432  rundll32.exe  31
  PID 2360 set thread context of 1204  2360  rundll32.exe  21
  PID 2360 set thread context of 1204  2360  rundll32.exe  21

- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2840  2152        WerFault.exe  33

- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe

- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  2360  rundll32.exe
  2360  rundll32.exe
  2360  rundll32.exe

- Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   Process
  2432  rundll32.exe
  2360  rundll32.exe
  2360  rundll32.exe
  2360  rundll32.exe
  2360  rundll32.exe

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                pid   Process
  Token: SeDebugPrivilege    2360  rundll32.exe
  Token: SeShutdownPrivilege 1204  Explorer.EXE
  Token: SeShutdownPrivilege 1204  Explorer.EXE
  Token: SeShutdownPrivilege 1204  Explorer.EXE

- Suspicious use of WriteProcessMemory (26 IoCs)
  description                         pid   Process       procid_target
  PID 3036 wrote to memory of 2432    3036  rundll32.exe  30
  PID 3036 wrote to memory of 2432    3036  rundll32.exe  30
  PID 3036 wrote to memory of 2432    3036  rundll32.exe  30
  PID 3036 wrote to memory of 2432    3036  rundll32.exe  30
  PID 3036 wrote to memory of 2432    3036  rundll32.exe  30
  PID 3036 wrote to memory of 2432    3036  rundll32.exe  30
  PID 3036 wrote to memory of 2432    3036  rundll32.exe  30
  PID 2432 wrote to memory of 2360    2432  rundll32.exe  31
  PID 2432 wrote to memory of 2360    2432  rundll32.exe  31
  PID 2432 wrote to memory of 2360    2432  rundll32.exe  31
  PID 2432 wrote to memory of 2360    2432  rundll32.exe  31
  PID 2432 wrote to memory of 2360    2432  rundll32.exe  31
  PID 2432 wrote to memory of 2360    2432  rundll32.exe  31
  PID 2432 wrote to memory of 2360    2432  rundll32.exe  31
  PID 2432 wrote to memory of 2360    2432  rundll32.exe  31
  PID 2360 wrote to memory of 2152    2360  rundll32.exe  33
  PID 2360 wrote to memory of 2152    2360  rundll32.exe  33
  PID 2360 wrote to memory of 2152    2360  rundll32.exe  33
  PID 2360 wrote to memory of 2152    2360  rundll32.exe  33
  PID 2360 wrote to memory of 2152    2360  rundll32.exe  33
  PID 2360 wrote to memory of 2152    2360  rundll32.exe  33
  PID 2360 wrote to memory of 2152    2360  rundll32.exe  33
  PID 2152 wrote to memory of 2840    2152  msiexec.exe   34
  PID 2152 wrote to memory of 2840    2152  msiexec.exe   34
  PID 2152 wrote to memory of 2840    2152  msiexec.exe   34
  PID 2152 wrote to memory of 2840    2152  msiexec.exe   34
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1204
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\772vhhojj684oi.dll,#1
    PID: 3036
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\772vhhojj684oi.dll,#1
      PID: 2432
      Signatures:
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\772vhhojj684oi.dll,#1
        PID: 2360
        Signatures:
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\msiexec.exe
          Command line: "C:\Windows\SysWOW64\msiexec.exe"
          PID: 2152
          Signatures:
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 268
            PID: 2840
            Signatures:
            - Program crash