Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    06-05-2021 14:04

General

  • Target
    tgix.exe
  • Size
    1.1MB
  • MD5
    2e3f9f38f7cb188b1f25028061c75724
  • SHA1
    6fcc9441c9738e854d38e21a92a2a211049dc612
  • SHA256
    b356ada562e3300d6a94806979b8920abbae8b40ff9ce89b5f5c2a10e0f970b0
  • SHA512
    046ccf12497f5a63a1033b83ecd0a390e1eb088d9bcb5636163b1bb4b5d4a1b04532c7497a27a18b01a6a70739bb72b211376e99bb3b5572a7ba83766ab75550

Score
10/10

Malware Config

Extracted

  • Family
    xloader
  • Version
    2.3
  • C2
    http://www.liancaiwangv5.com/oerg/
  • Decoy

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload (3 IoCs)
  • Suspicious use of SetThreadContext (3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (20 IoCs)
  • Suspicious behavior: MapViewOfSection (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Users\Admin\AppData\Local\Temp\tgix.exe
      "C:\Users\Admin\AppData\Local\Temp\tgix.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4432
      • C:\Users\Admin\AppData\Local\Temp\tgix.exe
        "C:\Users\Admin\AppData\Local\Temp\tgix.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3600
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1020
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\tgix.exe"
        3⤵
        PID:4000

    Downloads

    • memory/1020-124-0x0000000003370000-0x0000000003398000-memory.dmp (Filesize 160KB)
    • memory/1020-121-0x0000000000000000-mapping.dmp
    • memory/1020-123-0x0000000000DB0000-0x0000000000DD7000-memory.dmp (Filesize 156KB)
    • memory/1020-125-0x0000000005380000-0x00000000056A0000-memory.dmp (Filesize 3.1MB)
    • memory/1020-126-0x0000000005200000-0x000000000528F000-memory.dmp (Filesize 572KB)
    • memory/2416-120-0x00000000069B0000-0x0000000006ACB000-memory.dmp (Filesize 1.1MB)
    • memory/2416-127-0x0000000005860000-0x00000000059A9000-memory.dmp (Filesize 1.3MB)
    • memory/3600-116-0x000000000041D050-mapping.dmp
    • memory/3600-115-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
    • memory/3600-118-0x00000000010A0000-0x00000000013C0000-memory.dmp (Filesize 3.1MB)
    • memory/3600-119-0x0000000000C80000-0x0000000000C90000-memory.dmp (Filesize 64KB)
    • memory/4000-122-0x0000000000000000-mapping.dmp
    • memory/4432-114-0x0000000003140000-0x0000000003141000-memory.dmp (Filesize 4KB)