Overview

overview

10

Static

static

1

file.exe

windows7_x64

10

file.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    03-05-2021 05:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    207KB

  • MD5

    849068f05dc88d85058a3097c1679248

  • SHA1

    072f1feb4eda0ef732007d5e0c783738e3803ca4

  • SHA256

    a50394b33bb3fcf6c7413c2d5ba949329430d46b8e8870a9e26b8c65abd8598d

  • SHA512

    83e55e4807dcb18eacede1999014f977324eb217e5de556c7c2537ccb1c95f00fbd1285a1a9cc406934ee485d6c55ec20e579d7117c1f908991b251456b068bf

Score
10/10
xloaderloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.citestaccnt1597666144.com/ud9e/

Decoy

casezs.com

gascubby.com

pekodains.com

superskosh.com

avktinfracon.com

slink.finance

thegreathopeofearth.com

thebattleofthestars.com

utmxpxq.icu

mamaandbabycleaningservice.com

officialtimelessbeauty.com

keeper.network

leyingcp.com

helpforharrysheroes.com

cohenforleehealthboard.com

wsilhavy.net

logisticsconsultinglimited.com

btechnician.com

dynamicpersiankitten.com

nuplaz.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Users\Admin\AppData\Local\Temp\file.exe
        "C:\Users\Admin\AppData\Local\Temp\file.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1468
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
        PID:1816
      • C:\Windows\SysWOW64\autoconv.exe
        "C:\Windows\SysWOW64\autoconv.exe"
        2⤵
          PID:1916
        • C:\Windows\SysWOW64\autoconv.exe
          "C:\Windows\SysWOW64\autoconv.exe"
          2⤵
            PID:1824
          • C:\Windows\SysWOW64\autoconv.exe
            "C:\Windows\SysWOW64\autoconv.exe"
            2⤵
              PID:1912
            • C:\Windows\SysWOW64\chkdsk.exe
              "C:\Windows\SysWOW64\chkdsk.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Enumerates system info in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3520
              • C:\Windows\SysWOW64\cmd.exe
                /c del "C:\Users\Admin\AppData\Local\Temp\file.exe"
                3⤵
                  PID:2264

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • \Users\Admin\AppData\Local\Temp\nsi1024.tmp\mc43.dll
              MD5

              d88c8fbddb7b7fb0589f0af4f75cb83c

              SHA1

              a4e0d0662e4a6723d1d0f62df4c29e62fcc318b2

              SHA256

              ddb760b4794d7d60c1324768d4d5271a5c3532eff72f219832105a6de798f2b7

              SHA512

              fef9ae08638481178ae24bc982e3d6cf9657bd9b062daafae904a01b923013e83bd59589f93618d8a809acc7d6a7dafcebb4e14e82aa750bb34b6c4a28b9294b

              Download Submit

            • memory/1468-121-0x00000000006F0000-0x0000000000700000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1468-118-0x0000000000600000-0x0000000000610000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1468-119-0x0000000000B80000-0x0000000000EA0000-memory.dmp

              Filesize

              3.1MB

              Download

            • memory/1468-117-0x0000000000400000-0x0000000000429000-memory.dmp

              Filesize

              164KB

              Download

            • memory/1468-116-0x000000000041D110-mapping.dmp

              Download

            • memory/1736-115-0x00000000030B0000-0x00000000030B2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2264-126-0x0000000000000000-mapping.dmp

              Download

            • memory/3052-120-0x0000000004FD0000-0x0000000005145000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/3052-122-0x0000000002AD0000-0x0000000002BBC000-memory.dmp

              Filesize

              944KB

              Download

            • memory/3052-129-0x0000000005150000-0x0000000005210000-memory.dmp

              Filesize

              768KB

              Download

            • memory/3520-123-0x0000000000000000-mapping.dmp

              Download

            • memory/3520-124-0x0000000000950000-0x000000000095A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/3520-127-0x0000000004C00000-0x0000000004CAE000-memory.dmp

              Filesize

              696KB

              Download

            • memory/3520-128-0x0000000004FB0000-0x000000000503F000-memory.dmp

              Filesize

              572KB

              Download

            • memory/3520-125-0x0000000000850000-0x0000000000879000-memory.dmp

              Filesize

              164KB

              Download