Analysis

  • max time kernel
    4s
  • max time network
    8s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    03-05-2021 12:06

General

  • Target

    2833ffeca48c46759cb0d4c984e81a9b69614c368bf0052600786e55fd534d67.exe

  • Size

    207KB

  • MD5

    716f61cba6d08cd0c1904bcc827b56a0

  • SHA1

    357a1acb28174392e191716972537555790ae792

  • SHA256

    2833ffeca48c46759cb0d4c984e81a9b69614c368bf0052600786e55fd534d67

  • SHA512

    6b392de718dca8d95b05f06a466b9e52ad0f757fef81a6237b541563f60cb2238ea5f451fe6ed4ca1edb9ba8af14318ea3c6d6708e456273544ddfdd5328d24e

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.stonescapes1.com/de92/

Decoy

zindaginews.com

tyelevator.com

schustermaninterests.com

algemixdelchef.com

doubscollectivites.com

e-butchery.com

hellbentmask.com

jumbpprivacy.com

teeniestiedye.com

playfulartwork.com

desertvacahs.com

w5470-hed.net

nepalearningpods.com

smoothandsleek.com

thecannaglow.com

torrentkittyla.com

industrytoyou.com

raquelvargas.net

rlc-nc.net

cryptoprises.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2833ffeca48c46759cb0d4c984e81a9b69614c368bf0052600786e55fd534d67.exe
    "C:\Users\Admin\AppData\Local\Temp\2833ffeca48c46759cb0d4c984e81a9b69614c368bf0052600786e55fd534d67.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Users\Admin\AppData\Local\Temp\2833ffeca48c46759cb0d4c984e81a9b69614c368bf0052600786e55fd534d67.exe
      "C:\Users\Admin\AppData\Local\Temp\2833ffeca48c46759cb0d4c984e81a9b69614c368bf0052600786e55fd534d67.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1844

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsx5D7D.tmp\shsmack.dll

    MD5

    754f65f8025460256126f94d880be78e

    SHA1

    888427853b9b5d919423eaabe8be2fb126a80203

    SHA256

    4f70280ff2a0811ddcb7fee2893d432e78234f8121f83c8d51f4ad3f0caaa75d

    SHA512

    3a1079624bc0b56f14e9b991540d9f8e8ef8085d8b133eb340a0320f6db4a44ecbec778be29cf0bf175c9479b1c88dc0d30b8458750983fbe08229c89cbb197a

  • memory/1844-61-0x000000000041D010-mapping.dmp

  • memory/1844-63-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/1844-64-0x0000000000730000-0x0000000000A33000-memory.dmp

    Filesize

    3.0MB

  • memory/1992-59-0x0000000075B31000-0x0000000075B33000-memory.dmp

    Filesize

    8KB

  • memory/1992-62-0x00000000002D0000-0x00000000002D2000-memory.dmp

    Filesize

    8KB