Overview

overview

10

Static

static

1

WaybillDoc...df.exe

windows7_x64

10

WaybillDoc...df.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    03-05-2021 06:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WaybillDoc_7349796565.pdf.exe

  • Size

    386KB

  • MD5

    4065ba5a51d8e109af60298b49a2b6bf

  • SHA1

    46f7537eacf69958713d9726baa78f4e1061ad96

  • SHA256

    a493b139543bd582271914a75e9105f38a73217871bf859651fa9e67cc94954b

  • SHA512

    84fe83e97a070ca3dc5437b55671180c07f27355dcbfedd351a3f1e6a63434cf92aedd1003d6369aefc7396e09f7c732bef9fe7525661c6ff6328b849c3e4ffa

Score
10/10
xloaderloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.richgranddad.com/sbqi/

Decoy

wishesandmessages.com

core4rewards.com

goldenmilkmg.com

mayursethi.com

amrustore.com

retaboo.com

cabinwell.com

puneripunekar.com

premiernmhomes.com

europaeducationgroup.cat

passiveprofitsuccess.com

austincitylegacy.net

authenticshoppeco.com

netyeba.net

taichiforwellbeingonline.com

desichefs.com

ariaronakparseh.com

workelop.com

theestellawear.com

cunerier.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Users\Admin\AppData\Local\Temp\WaybillDoc_7349796565.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\WaybillDoc_7349796565.pdf.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4048
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\WaybillDoc_7349796565.pdf.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1156
    • C:\Windows\SysWOW64\chkdsk.exe
      "C:\Windows\SysWOW64\chkdsk.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\svchost.exe"
        3⤵
          PID:1968

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\nsf7E7.tmp\vc6y6ftlsb1mazr.dll
      MD5

      72daf424436674bb55a9302ae2a3d037

      SHA1

      3912704b07ad2e73ca47ddac3fa6b94f34bb33dd

      SHA256

      7b27e22aae3bda8da5ec3d47973434247798186d78c772b4f16450fcf60cf93b

      SHA512

      cd316348ab646f0c901891f3f02605f3520154dd309e5f6797f72bf43c0fd97aafade05a5432f29fb1af8ae5e3b23d1e3e8dfaa3ddde1704b89ca07e3d9fcdfa

      Download Submit

    • memory/1156-122-0x0000000003100000-0x000000000324A000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1156-116-0x000000000041D000-mapping.dmp

      Download

    • memory/1156-119-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/1156-120-0x0000000003690000-0x00000000039B0000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1968-126-0x0000000000000000-mapping.dmp

      Download

    • memory/2184-123-0x0000000000000000-mapping.dmp

      Download

    • memory/2184-124-0x0000000001280000-0x000000000128A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2184-125-0x00000000003B0000-0x00000000003D8000-memory.dmp

      Filesize

      160KB

      Download

    • memory/2184-127-0x0000000000C00000-0x0000000000F20000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2184-128-0x0000000000950000-0x00000000009DF000-memory.dmp

      Filesize

      572KB

      Download

    • memory/2492-121-0x00000000058D0000-0x00000000059D9000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2492-129-0x00000000059F0000-0x0000000005B47000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4048-115-0x00000000024C0000-0x00000000024C2000-memory.dmp

      Filesize

      8KB

      Download