Overview

overview

10

Static

static

1

raw f.exe

windows7_x64

10

raw f.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    30-04-2021 08:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    raw f.exe

  • Size

    208KB

  • MD5

    319f554641bef914792208e976030780

  • SHA1

    111fd72e1f312727754f784a0da9b1a98fb4a00b

  • SHA256

    ec2271f9e6e57b84cae0e6df2af197a02133e5644d55eb3d2be373681397f919

  • SHA512

    a3f900284c9295e3378f291e41b7ddec4316c6916ba54b8fb7f448acda4c44bf9ec0331287a03b719ff451e9380b9a790cb7a60cb926103a97cd8617b3c2be6b

Score
10/10
xloaderloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.citestaccnt1597666144.com/ud9e/

Decoy

casezs.com

gascubby.com

pekodains.com

superskosh.com

avktinfracon.com

slink.finance

thegreathopeofearth.com

thebattleofthestars.com

utmxpxq.icu

mamaandbabycleaningservice.com

officialtimelessbeauty.com

keeper.network

leyingcp.com

helpforharrysheroes.com

cohenforleehealthboard.com

wsilhavy.net

logisticsconsultinglimited.com

btechnician.com

dynamicpersiankitten.com

nuplaz.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Users\Admin\AppData\Local\Temp\raw f.exe
      "C:\Users\Admin\AppData\Local\Temp\raw f.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Users\Admin\AppData\Local\Temp\raw f.exe
        "C:\Users\Admin\AppData\Local\Temp\raw f.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1972
    • C:\Windows\SysWOW64\wlanext.exe
      "C:\Windows\SysWOW64\wlanext.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\raw f.exe"
        3⤵
        • Deletes itself
        PID:1312

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsnD1D.tmp\kmz6hm1h6.dll
    MD5

    b937f8200c5d612b33a43dd0b6d64876

    SHA1

    8545ea96f096b6f51021c2318bddaf7862d4aca0

    SHA256

    fd88cde6d3171f1f9ce43388c9a7994475785fbb4897e4e1c7a64025217f0530

    SHA512

    fcc86a5d75d8c1db30e6b8bb720d3ddc7e8e7944c75f4c342ef6649334afd529d5e0bd0426d9434ce547b3d3bd5e6937dd32d2726fbe60d35f3768b651aea90a

    Download Submit

  • memory/1196-73-0x0000000009090000-0x0000000009213000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1196-66-0x0000000006F60000-0x00000000070A6000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1312-70-0x0000000000000000-mapping.dmp

    Download

  • memory/1712-68-0x00000000004E0000-0x00000000004F6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1712-72-0x0000000000410000-0x000000000049F000-memory.dmp

    Filesize

    572KB

    Download

  • memory/1712-71-0x0000000001EE0000-0x00000000021E3000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/1712-69-0x0000000000080000-0x00000000000A9000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1712-67-0x0000000000000000-mapping.dmp

    Download

  • memory/1748-62-0x00000000004E0000-0x00000000004E2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1748-59-0x00000000757E1000-0x00000000757E3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1972-65-0x00000000002A0000-0x00000000002B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1972-64-0x0000000000950000-0x0000000000C53000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/1972-63-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/1972-61-0x000000000041D110-mapping.dmp

    Download