Overview

overview

10

Static

static

REVISED ORDER.exe

windows7_x64

10

REVISED ORDER.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    06-05-2021 11:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    REVISED ORDER.exe

  • Size

    985KB

  • MD5

    61f942cbb67b5a5de8f72dfe65227175

  • SHA1

    45271b8b2797e1232efe813d9d34e9ca9c7564a4

  • SHA256

    979a3e20b43d1aad57018b9c867e4bde7606d0515c9c71b2050b02c0b5e5fd10

  • SHA512

    f6448602b457f455e3da9f8e2c30c5d0062ed81c10b420f180a6ba7b7c4fa5dd3eef4cfc95db68a476d27ee40bb6bb86a4a8b55b4fedea87ada32ba87ddb80f7

Score
10/10
xloaderloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.athomecp.com/owws/

Decoy

trolljoke.com

contex3.info

jabashir51.com

brittand.com

djaya.asia

lab-wealth.com

greyfriararabians.com

oxfordhabits.com

softwaresreports.info

abjms.com

winsteadarchitecture.com

brucerolfsboulder.com

unitytribune.com

cyjulebu.com

abaplants.com

theexerciseforyou.com

codigodebarrasser.com

barbicanroadproductions.com

sportenango.com

hostsnc.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Users\Admin\AppData\Local\Temp\REVISED ORDER.exe
      "C:\Users\Admin\AppData\Local\Temp\REVISED ORDER.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:788
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aBUqpPcrdY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp844D.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1632
      • C:\Users\Admin\AppData\Local\Temp\REVISED ORDER.exe
        "{path}"
        3⤵
          PID:332
        • C:\Users\Admin\AppData\Local\Temp\REVISED ORDER.exe
          "{path}"
          3⤵
            PID:544
          • C:\Users\Admin\AppData\Local\Temp\REVISED ORDER.exe
            "{path}"
            3⤵
              PID:968
            • C:\Users\Admin\AppData\Local\Temp\REVISED ORDER.exe
              "{path}"
              3⤵
                PID:1764
              • C:\Users\Admin\AppData\Local\Temp\REVISED ORDER.exe
                "{path}"
                3⤵
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of AdjustPrivilegeToken
                PID:796
            • C:\Windows\SysWOW64\control.exe
              "C:\Windows\SysWOW64\control.exe"
              2⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1232
              • C:\Windows\SysWOW64\cmd.exe
                /c del "C:\Users\Admin\AppData\Local\Temp\REVISED ORDER.exe"
                3⤵
                • Deletes itself
                PID:760

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Scheduled Task

          1
          T1053

          Persistence

          Scheduled Task

          1
          T1053

          Privilege Escalation

          Scheduled Task

          1
          T1053

          Defense Evasion

          Credential Access

          Discovery

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\tmp844D.tmp
            MD5

            0c3aed9b5afdcd71dca5d614c56064d9

            SHA1

            a93d5b02764f87e1b5f3f993f32c73dedc02f075

            SHA256

            45790da5c41a18899ed398002bbfca251cdcd83e6bba8093d1b5997f1801d1f4

            SHA512

            57d30f0e9c4346e0d1e3b686e7cc38bb194730859db6274ac5df38fc142faa8d34d74e3069efb0c20059e48cc1c48abfb9a6a58444a8c800a84e1731b04976f6

            Download Submit
          • memory/760-77-0x0000000000000000-mapping.dmp
            Download
          • memory/788-59-0x0000000000040000-0x0000000000041000-memory.dmp
            Filesize

            4KB

            Download
          • memory/788-61-0x00000000006E0000-0x00000000006E1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/788-62-0x00000000005F0000-0x00000000005FE000-memory.dmp
            Filesize

            56KB

            Download
          • memory/788-63-0x0000000004F70000-0x0000000005000000-memory.dmp
            Filesize

            576KB

            Download
          • memory/788-64-0x0000000001F20000-0x0000000001F60000-memory.dmp
            Filesize

            256KB

            Download
          • memory/796-68-0x000000000041CFF0-mapping.dmp
            Download
          • memory/796-67-0x0000000000400000-0x0000000000428000-memory.dmp
            Filesize

            160KB

            Download
          • memory/796-70-0x0000000000A00000-0x0000000000D03000-memory.dmp
            Filesize

            3.0MB

            Download
          • memory/796-71-0x00000000002C0000-0x00000000002D0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/1232-76-0x0000000000080000-0x00000000000A8000-memory.dmp
            Filesize

            160KB

            Download
          • memory/1232-73-0x0000000000000000-mapping.dmp
            Download
          • memory/1232-74-0x0000000075A71000-0x0000000075A73000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1232-75-0x0000000000200000-0x000000000021F000-memory.dmp
            Filesize

            124KB

            Download
          • memory/1232-78-0x0000000001ED0000-0x00000000021D3000-memory.dmp
            Filesize

            3.0MB

            Download
          • memory/1232-79-0x0000000001DE0000-0x0000000001E6F000-memory.dmp
            Filesize

            572KB

            Download
          • memory/1256-72-0x0000000006640000-0x00000000067C2000-memory.dmp
            Filesize

            1.5MB

            Download
          • memory/1256-80-0x0000000007010000-0x0000000007184000-memory.dmp
            Filesize

            1.5MB

            Download
          • memory/1632-65-0x0000000000000000-mapping.dmp
            Download