Analysis

  • max time kernel
    23s
  • max time network
    25s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    03-05-2021 08:51

General

  • Target
    fb6c841478354f42dd2baa5e0b617dff.exe
  • Size
    207KB
  • MD5
    fb6c841478354f42dd2baa5e0b617dff
  • SHA1
    c1d1212b6e7cae77ae2d617f461a7d6003cb6c6c
  • SHA256
    b55552391ee123f26e577b412c0df78bd0a59644ec510d1e7e708feff12a2abb
  • SHA512
    49fdaae6792f72de12b4303c4a1874a99e7d1c69bb32cb37d59d9e207e693cdf90612f5ec8278cd7e1cb8c1d1dcd8124b7f66165ed6730ab5c1ec0e8cc8dddb8

Score
10/10

Malware Config

Extracted

  • Family
    xloader
  • Version
    2.3
  • C2
    http://www.montcoimmigrationlawyer.com/uoe8/
  • Decoy

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fb6c841478354f42dd2baa5e0b617dff.exe
    "C:\Users\Admin\AppData\Local\Temp\fb6c841478354f42dd2baa5e0b617dff.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:340
    • C:\Users\Admin\AppData\Local\Temp\fb6c841478354f42dd2baa5e0b617dff.exe
      "C:\Users\Admin\AppData\Local\Temp\fb6c841478354f42dd2baa5e0b617dff.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1348

Network

MITRE ATT&CK Enterprise v6

Downloads

  • \Users\Admin\AppData\Local\Temp\nsi8ECA.tmp\ynuec.dll
    MD5
    40ad901ded07128f45c05b24c6aee1e0
    SHA1
    cdf241938b7e2574ad66ced23de599dc7e523bc8
    SHA256
    15e60d9e5fa792cd5cc27efc82d3f678cb4b75e28db4ae0161674f48f91977ab
    SHA512
    b21ab6c90e1bde8ffeb96eedc9ac580eb33a13489dc2d786951fd976034b55d36b28bb720efdbdf30437848ac57c6d5844678a0896c219e85fe71a462904b0d3
  • memory/340-59-0x00000000750C1000-0x00000000750C3000-memory.dmp
    Filesize
    8KB
  • memory/340-62-0x0000000000640000-0x0000000000642000-memory.dmp
    Filesize
    8KB
  • memory/1348-61-0x000000000041D0A0-mapping.dmp
  • memory/1348-63-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize
    164KB
  • memory/1348-64-0x0000000000700000-0x0000000000A03000-memory.dmp
    Filesize
    3.0MB