Analysis
max time kernel: 40s
max time network: 42s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-12-2024 13:23
Static task: static1
Behavioral task: behavioral1
Sample: 00094C5F5F67E1A091DDBDF88EA507BAE9EE4BDB06A0306E27BA4B9285C6E13B.exe
Resource: win7-20240729-en
General
Target: 00094C5F5F67E1A091DDBDF88EA507BAE9EE4BDB06A0306E27BA4B9285C6E13B.exe
Size: 857KB
MD5: db0596af906c0293eeb802af1bc3ba4c
SHA1: 60540d0eedf061c4b22a3144f36cc8a23dfaab9c
SHA256: 00094c5f5f67e1a091ddbdf88ea507bae9ee4bdb06a0306e27ba4b9285c6e13b
SHA512: 032eadb161523bd15650823bc9b50e51c3d73d8c247c489199cfa800511cecf5568bdb7b5531acf430973a8b5cd0cd109087c85446311486c0b23575fdc7f4ed
SSDEEP: 12288:Pay+JMdzTJnZU55m7hDZ/JY1JKuqMs5JPxpn8RzgiH59UhSY:iTJs/vUulYyuNs5Jxpn8RHZ
Malware Config
Extracted
xloader
2.5
ahge
Signatures

Xloader family

Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
- Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions (Process: 00094C5F5F67E1A091DDBDF88EA507BAE9EE4BDB06A0306E27BA4B9285C6E13B.exe)

Xloader payload (3 IoCs)
- yara_rule xloader: behavioral2/memory/4036-8-0x0000000000400000-0x000000000042A000-memory.dmp
- yara_rule xloader: behavioral2/memory/4036-11-0x0000000000400000-0x000000000042A000-memory.dmp
- yara_rule xloader: behavioral2/memory/2816-34-0x0000000000780000-0x00000000007A9000-memory.dmp

Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
- Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools (Process: 00094C5F5F67E1A091DDBDF88EA507BAE9EE4BDB06A0306E27BA4B9285C6E13B.exe)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Process: 00094C5F5F67E1A091DDBDF88EA507BAE9EE4BDB06A0306E27BA4B9285C6E13B.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Process: 00094C5F5F67E1A091DDBDF88EA507BAE9EE4BDB06A0306E27BA4B9285C6E13B.exe)

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (Process: 00094C5F5F67E1A091DDBDF88EA507BAE9EE4BDB06A0306E27BA4B9285C6E13B.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (Process: 00094C5F5F67E1A091DDBDF88EA507BAE9EE4BDB06A0306E27BA4B9285C6E13B.exe)

Suspicious use of SetThreadContext (3 IoCs)
- PID 1956 (00094C5F5F67E1A091DDBDF88EA507BAE9EE4BDB06A0306E27BA4B9285C6E13B.exe) set thread context of 4036, procid_target 86
- PID 4036 (recover.exe) set thread context of 3540, procid_target 56
- PID 2816 (wlanext.exe) set thread context of 3540, procid_target 56

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: 00094C5F5F67E1A091DDBDF88EA507BAE9EE4BDB06A0306E27BA4B9285C6E13B.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: recover.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: wlanext.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: cmd.exe)

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 (Process: taskmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (Process: taskmgr.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName (Process: taskmgr.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- pid / Process (number of entries): 1956 00094C5F5F67E1A091DDBDF88EA507BAE9EE4BDB06A0306E27BA4B9285C6E13B.exe (12), 4036 recover.exe (4), 2816 wlanext.exe (14), 3168 taskmgr.exe (34)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- pid / Process: 3540 Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
- pid / Process (number of entries): 4036 recover.exe (3), 2816 wlanext.exe (2)

Suspicious use of AdjustPrivilegeToken (18 IoCs)
- Token: SeDebugPrivilege, 1956 00094C5F5F67E1A091DDBDF88EA507BAE9EE4BDB06A0306E27BA4B9285C6E13B.exe
- Token: SeDebugPrivilege, 4036 recover.exe
- Token: SeShutdownPrivilege, 3540 Explorer.EXE (6 entries)
- Token: SeCreatePagefilePrivilege, 3540 Explorer.EXE (6 entries)
- Token: SeDebugPrivilege, 2816 wlanext.exe
- Token: SeDebugPrivilege, 3168 taskmgr.exe
- Token: SeSystemProfilePrivilege, 3168 taskmgr.exe
- Token: SeCreateGlobalPrivilege, 3168 taskmgr.exe

Suspicious use of FindShellTrayWindow (48 IoCs)
- pid / Process (number of entries): 3168 taskmgr.exe (46), 3540 Explorer.EXE (2)

Suspicious use of SendNotifyMessage (47 IoCs)
- pid / Process (number of entries): 3168 taskmgr.exe (46), 3540 Explorer.EXE (1)

Suspicious use of WriteProcessMemory (20 IoCs)
- PID 1956 (00094C5F5F67E1A091DDBDF88EA507BAE9EE4BDB06A0306E27BA4B9285C6E13B.exe) wrote to memory of 4300, procid_target 85 (3 entries)
- PID 1956 (00094C5F5F67E1A091DDBDF88EA507BAE9EE4BDB06A0306E27BA4B9285C6E13B.exe) wrote to memory of 4036, procid_target 86 (7 entries)
- PID 3540 (Explorer.EXE) wrote to memory of 2816, procid_target 87 (3 entries)
- PID 2816 (wlanext.exe) wrote to memory of 412, procid_target 89 (3 entries)
- PID 3540 (Explorer.EXE) wrote to memory of 3168, procid_target 91 (2 entries)
- PID 3168 (taskmgr.exe) wrote to memory of 4948, procid_target 103 (2 entries)
Processes

C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE) PID:3540
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\00094C5F5F67E1A091DDBDF88EA507BAE9EE4BDB06A0306E27BA4B9285C6E13B.exe (command line: "C:\Users\Admin\AppData\Local\Temp\00094C5F5F67E1A091DDBDF88EA507BAE9EE4BDB06A0306E27BA4B9285C6E13B.exe") PID:1956
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\ARP.EXE (command line: "C:\Windows\SysWOW64\ARP.EXE") PID:4300

    C:\Windows\SysWOW64\recover.exe (command line: "C:\Windows\SysWOW64\recover.exe") PID:4036
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\wlanext.exe (command line: "C:\Windows\SysWOW64\wlanext.exe") PID:2816
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (command line: /c del "C:\Windows\SysWOW64\recover.exe") PID:412
    - System Location Discovery: System Language Discovery

  C:\Windows\system32\taskmgr.exe (command line: "C:\Windows\system32\taskmgr.exe" /4) PID:3168
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe (command line: "C:\Windows\system32\cmd.exe") PID:4948