Overview

overview

10

Static

static

winlog.exe

windows7_x64

10

winlog.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    19-01-2021 08:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    winlog.exe

  • Size

    931KB

  • MD5

    b75247013200d602f98dc3801d2bde2f

  • SHA1

    3327c5cd3ecd636b72c335166fe709b955a32285

  • SHA256

    8fe13da45a5732ae42c27687b9cf9105a3f2028857729bdfbe3ae31514a6b298

  • SHA512

    aa0b977c81b0e97433e61e21cc1e13cbc8821b5ff4d0b3e7554519051139dc661b4c9c0d8e99a6ff4148968d9f04653c85b411944f42fec29bdd4c70228229f9

Score
10/10
formbookxloaderloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.learnhour.net/eaud/

Decoy

modshiro.com

mademarketingoss.com

austinjourls.info

wayupteam.com

crossingfinger.com

interseptors.com

gigashit.com

livetigo.com

halamankuningindonesia.com

windhammills.com

aylinahmet.com

mbacexonan.website

shopboxbarcelona.com

youyeslive.com

coonlinesportsbooks.com

guorunme.com

putlocker2.site

pencueaidnetwork.com

likevector.com

vulcanudachi-proclub.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Users\Admin\AppData\Local\Temp\winlog.exe
      "C:\Users\Admin\AppData\Local\Temp\winlog.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:296
      • C:\Users\Admin\AppData\Local\Temp\winlog.exe
        "{path}"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1676
    • C:\Windows\SysWOW64\chkdsk.exe
      "C:\Windows\SysWOW64\chkdsk.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1020
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\winlog.exe"
        3⤵
        • Deletes itself
        PID:772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/296-2-0x00000000748D0000-0x0000000074FBE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/296-3-0x0000000000B20000-0x0000000000B21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/296-5-0x00000000043C0000-0x00000000043C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/296-6-0x0000000000640000-0x000000000064E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/296-7-0x0000000004B90000-0x0000000004BD8000-memory.dmp
    Filesize

    288KB

    Download
  • memory/772-17-0x0000000000000000-mapping.dmp
    Download
  • memory/1020-16-0x0000000000080000-0x00000000000A8000-memory.dmp
    Filesize

    160KB

    Download
  • memory/1020-14-0x0000000000000000-mapping.dmp
    Download
  • memory/1020-15-0x0000000000570000-0x0000000000577000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1020-18-0x00000000020B0000-0x00000000023B3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1020-19-0x0000000000340000-0x00000000003CF000-memory.dmp
    Filesize

    572KB

    Download
  • memory/1244-13-0x0000000006F90000-0x000000000710A000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1244-20-0x00000000074B0000-0x0000000007603000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1676-11-0x0000000000160000-0x0000000000170000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1676-12-0x0000000000C10000-0x0000000000F13000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1676-9-0x000000000041D030-mapping.dmp
    Download
  • memory/1676-8-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize

    160KB

    Download