Analysis

  • max time kernel
    12s
  • max time network
    116s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    30-04-2021 07:56

General

  • Target

    SecuriteInfo.com.W32.AIDetect.malware2.23778.32013.exe

  • Size

    208KB

  • MD5

    cc10e107d3dda5d8f78c1ecbd1cb5b2a

  • SHA1

    f84f5268842991d4db24093bad17539bee29cb54

  • SHA256

    5191f6a6fc1500632342d4820e8abd7c1d32c105f56399a2cece4e4db1fa77bb

  • SHA512

    3aa55bbcb41b4daa54ed6e233f612458d3797b6605a99b5e2956ff2f9e52e21c13ee2ac868e4cef221c7a5836aed6e865ebedfafacb09ce9f85f1cfb9eee9e01

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.onyxcomputing.com/u8nw/

Decoy

constructionjadams.com

organicwellnessfarm.com

beautiful.tours

medvows.com

foxparanormal.com

fsmxmc.com

graniterealestategroup.net

qgi1.com

astrologicsolutions.com

rafbar.com

bastiontools.net

emotist.com

stacyleets.com

bloodtypealpha.com

healtybenenfitsplus.com

vavadadoa3.com

chefbenhk.com

dotgz.com

xn--z4qm188e645c.com

ethyi.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware2.23778.32013.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware2.23778.32013.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3652
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware2.23778.32013.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware2.23778.32013.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1904

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsg1758.tmp\7e0z9hnasfwt.dll

    MD5

    e3e6c2219d9d342cff133a8fa512b2af

    SHA1

    d521b781cfddce16011c4c8c71da69f2baafd0e0

    SHA256

    ea82ec84d3fd7d52e55de18b097591ec2f8c7a995e89a27069fef571e90bc189

    SHA512

    54e1d626b39dea8723682eb7902567a47897cb959e90988e093795eedd9accb535b844e920fac318bc189361a624a9f937b5d5c84f4f03a156c60a1e836d2434

  • memory/1904-116-0x000000000041D0C0-mapping.dmp

  • memory/1904-118-0x0000000000AF0000-0x0000000000E10000-memory.dmp

    Filesize

    3.1MB

  • memory/1904-117-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/3652-115-0x0000000000700000-0x0000000000702000-memory.dmp

    Filesize

    8KB