Overview

overview

10

Static

static

1

P.O.exe

windows7_x64

10

P.O.exe

windows10_x64

10

Analysis

  • max time kernel
    154s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    05-05-2021 19:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    P.O.exe

  • Size

    207KB

  • MD5

    eb71efe60cabc2d6aa9a49a82a4ded77

  • SHA1

    c188402835e985adac142eee6e0b31fd4c0c0ae6

  • SHA256

    9b70fcd07ba7d3dcef17f3b28cf75e304840a67e8611dc149744215f8483066d

  • SHA512

    3654b1ff3b57ca883b6fc6d086a8c90654f3e59f2efbe7341677ac85216bc8c1d2bc448940081eb9852f10f43a51d71f4eeef05445e046b9726108f792bdc1c2

Score
10/10
xloaderloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.onyxcomputing.com/u8nw/

Decoy

constructionjadams.com

organicwellnessfarm.com

beautiful.tours

medvows.com

foxparanormal.com

fsmxmc.com

graniterealestategroup.net

qgi1.com

astrologicsolutions.com

rafbar.com

bastiontools.net

emotist.com

stacyleets.com

bloodtypealpha.com

healtybenenfitsplus.com

vavadadoa3.com

chefbenhk.com

dotgz.com

xn--z4qm188e645c.com

ethyi.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Users\Admin\AppData\Local\Temp\P.O.exe
      "C:\Users\Admin\AppData\Local\Temp\P.O.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1304
      • C:\Users\Admin\AppData\Local\Temp\P.O.exe
        "C:\Users\Admin\AppData\Local\Temp\P.O.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2040
    • C:\Windows\SysWOW64\cmmon32.exe
      "C:\Windows\SysWOW64\cmmon32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:316
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\P.O.exe"
        3⤵
        • Deletes itself
        PID:524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsn6E4F.tmp\b0xkyuw645iggtc.dll
    MD5

    2919e2af8bb7f84e49c7b8a2eeea5ce2

    SHA1

    6c039175895e89dbcebd2c6137704e10f7257fd4

    SHA256

    615a7c9635e83ef8fe9040d0f37b9f96fa28fbb9333cfd52a1ee3d74ef195904

    SHA512

    122c9afb6826b67501cf5cefa13bbb7a9a50fea3011662a767655ce545d3a3d999593c490dbf1ce9b632e759b2576a587c9ab48f1a2da5c3d410f92b05631650

    Download Submit
  • memory/316-72-0x0000000000140000-0x000000000014D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/316-75-0x0000000001D70000-0x0000000001DFF000-memory.dmp
    Filesize

    572KB

    Download
  • memory/316-74-0x0000000001F30000-0x0000000002233000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/316-73-0x0000000000080000-0x00000000000A9000-memory.dmp
    Filesize

    164KB

    Download
  • memory/316-70-0x0000000000000000-mapping.dmp
    Download
  • memory/524-71-0x0000000000000000-mapping.dmp
    Download
  • memory/1196-76-0x0000000006F40000-0x000000000705C000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1196-67-0x0000000004280000-0x000000000437A000-memory.dmp
    Filesize

    1000KB

    Download
  • memory/1196-69-0x0000000006490000-0x00000000065AF000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1304-62-0x00000000003E0000-0x00000000003E2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1304-60-0x0000000075AD1000-0x0000000075AD3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2040-65-0x00000000008C0000-0x0000000000BC3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/2040-68-0x0000000000360000-0x0000000000370000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2040-66-0x0000000000270000-0x0000000000280000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2040-64-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/2040-63-0x000000000041D0C0-mapping.dmp
    Download