Overview

overview

10

Static

static

1

raw f.exe

windows7_x64

10

raw f.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    30-04-2021 08:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    raw f.exe

  • Size

    208KB

  • MD5

    319f554641bef914792208e976030780

  • SHA1

    111fd72e1f312727754f784a0da9b1a98fb4a00b

  • SHA256

    ec2271f9e6e57b84cae0e6df2af197a02133e5644d55eb3d2be373681397f919

  • SHA512

    a3f900284c9295e3378f291e41b7ddec4316c6916ba54b8fb7f448acda4c44bf9ec0331287a03b719ff451e9380b9a790cb7a60cb926103a97cd8617b3c2be6b

Score
10/10
xloaderloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.citestaccnt1597666144.com/ud9e/

Decoy

casezs.com

gascubby.com

pekodains.com

superskosh.com

avktinfracon.com

slink.finance

thegreathopeofearth.com

thebattleofthestars.com

utmxpxq.icu

mamaandbabycleaningservice.com

officialtimelessbeauty.com

keeper.network

leyingcp.com

helpforharrysheroes.com

cohenforleehealthboard.com

wsilhavy.net

logisticsconsultinglimited.com

btechnician.com

dynamicpersiankitten.com

nuplaz.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Users\Admin\AppData\Local\Temp\raw f.exe
      "C:\Users\Admin\AppData\Local\Temp\raw f.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:904
      • C:\Users\Admin\AppData\Local\Temp\raw f.exe
        "C:\Users\Admin\AppData\Local\Temp\raw f.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:580
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2844
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\raw f.exe"
        3⤵
          PID:1308

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\nsi9A92.tmp\kmz6hm1h6.dll
      MD5

      b937f8200c5d612b33a43dd0b6d64876

      SHA1

      8545ea96f096b6f51021c2318bddaf7862d4aca0

      SHA256

      fd88cde6d3171f1f9ce43388c9a7994475785fbb4897e4e1c7a64025217f0530

      SHA512

      fcc86a5d75d8c1db30e6b8bb720d3ddc7e8e7944c75f4c342ef6649334afd529d5e0bd0426d9434ce547b3d3bd5e6937dd32d2726fbe60d35f3768b651aea90a

      Download Submit
    • memory/580-120-0x00000000009D0000-0x0000000000CF0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/580-117-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/580-118-0x00000000009B0000-0x00000000009C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/580-115-0x000000000041D110-mapping.dmp
      Download
    • memory/904-116-0x0000000002FD0000-0x0000000002FF3000-memory.dmp
      Filesize

      140KB

      Download
    • memory/1308-124-0x0000000000000000-mapping.dmp
      Download
    • memory/2844-121-0x0000000000000000-mapping.dmp
      Download
    • memory/2844-122-0x00000000001D0000-0x00000000001F7000-memory.dmp
      Filesize

      156KB

      Download
    • memory/2844-123-0x0000000002C00000-0x0000000002C29000-memory.dmp
      Filesize

      164KB

      Download
    • memory/2844-125-0x00000000045F0000-0x0000000004910000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/2844-126-0x0000000004440000-0x00000000044CF000-memory.dmp
      Filesize

      572KB

      Download
    • memory/3052-119-0x0000000002680000-0x0000000002746000-memory.dmp
      Filesize

      792KB

      Download
    • memory/3052-127-0x0000000004C80000-0x0000000004D77000-memory.dmp
      Filesize

      988KB

      Download