Overview

overview

10

Static

static

1

PO7321.exe

windows7_x64

10

PO7321.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    08-04-2021 07:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO7321.exe

  • Size

    562KB

  • MD5

    774eca4068dce6d3db505c49af0a516e

  • SHA1

    7708d1ed2bb3166bf74d0e92ac95bb8e379e1cf4

  • SHA256

    3a96891372a8578aab18d70a377d68a795ab2f92c4c97c5f0986d7f1006490d1

  • SHA512

    b9534efd5b6d87f87cc5a83f3e8a8875600f059bcfef60daa5526908cb0414d291682953cae75fab6c48805cfa9f5711f2b6dac04b299741a78a71f82b3954e0

Score
10/10
xloaderloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.013y.com/pnqr/

Decoy

bullexch9.com

hiiidesigns.com

yosapark-gakuenmae.com

movementinspires.com

orlandas.com

flowga.world

opende.info

jiconic.com

selviclothingco.com

herbalmedicineresearch.com

contex33.xyz

riord.com

alchemistslibrary.com

ecalyte.com

tutu119.com

61ue00.com

properwayllc.com

tamitoe.com

adacompliantsoftware.com

deliabe.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2984
    • C:\Users\Admin\AppData\Local\Temp\PO7321.exe
      "C:\Users\Admin\AppData\Local\Temp\PO7321.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1176
      • C:\Users\Admin\AppData\Local\Temp\PO7321.exe
        "C:\Users\Admin\AppData\Local\Temp\PO7321.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1684
    • C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\SysWOW64\ipconfig.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Gathers network information
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:376
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\PO7321.exe"
        3⤵
          PID:2768

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Command-Line Interface

    1
    T1059

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\nsi6901.tmp\57cmo2.dll
      MD5

      7418f8dc5479eeb371264cf36b4cf551

      SHA1

      40401572084a68334c508d98bf10aaa5a199bdc5

      SHA256

      c5adce72a02aafb28dab7c360b1f5555bdedfe1d9d97bda574b6d9d29377bda0

      SHA512

      95d76945159a4e25440281d4c361f3672798c0129aa0cdc18f187e98df90e499d30da80c6c9d8e3ae5cbebc9b98084b8cf10e3716f88e042140e07c80ca7406b

      Download Submit
    • memory/376-10-0x0000000000000000-mapping.dmp
      Download
    • memory/376-17-0x0000000003120000-0x00000000031AF000-memory.dmp
      Filesize

      572KB

      Download
    • memory/376-14-0x0000000003390000-0x00000000036B0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/376-13-0x0000000000930000-0x0000000000958000-memory.dmp
      Filesize

      160KB

      Download
    • memory/376-12-0x0000000000D80000-0x0000000000D8B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1176-4-0x0000000002680000-0x0000000002682000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1684-5-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1684-7-0x0000000000AE0000-0x0000000000E00000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/1684-8-0x0000000000670000-0x0000000000680000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1684-3-0x000000000041D020-mapping.dmp
      Download
    • memory/2768-11-0x0000000000000000-mapping.dmp
      Download
    • memory/2984-9-0x0000000002CE0000-0x0000000002DAA000-memory.dmp
      Filesize

      808KB

      Download
    • memory/2984-18-0x0000000005330000-0x0000000005433000-memory.dmp
      Filesize

      1.0MB

      Download