Overview

overview

10

Static

static

1

PO.exe

windows7_x64

10

PO.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    162s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    24-06-2021 12:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO.exe

  • Size

    225KB

  • MD5

    42a437dc06eea16fa8adaa67e08091d4

  • SHA1

    4e3ecf96e002babd033d12183493e45747a179b4

  • SHA256

    660708a7f99d26de87386ca21682b96179f16f2dbc67578a704cb94d78e9848f

  • SHA512

    0dc7c2308ccdd6e31e9fc1f31d06dc1113a5153cd6cdd71094e08f216fbbc62af0775b404cbb12b03eeb4ab6f59c92930c0404ac136d94ccd7f711bc9c6bfe44

Score
10/10
xloaderloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.mertztaxprep.com/ubuq/

Decoy

lockielan.com

maltaprefix.icu

smarteryou6g1.club

paulinequinonero.com

bluezonephysiotherapy.com

xbikinix.com

kleverfilms.com

zsintion60.com

clawlabs.com

promositransvision.com

toesinthesandwedding.com

superkiski.com

2385jsdfndsd.life

consultingthehive.com

blockchainskillslab.com

zeuzcreative.com

szkemijx.com

mikenewellhomes.com

xywehwpibm.net

forevervalley.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2504
    • C:\Users\Admin\AppData\Local\Temp\PO.exe
      "C:\Users\Admin\AppData\Local\Temp\PO.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3980
      • C:\Users\Admin\AppData\Local\Temp\PO.exe
        "C:\Users\Admin\AppData\Local\Temp\PO.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2328
    • C:\Windows\SysWOW64\NETSTAT.EXE
      "C:\Windows\SysWOW64\NETSTAT.EXE"
      2⤵
      • Suspicious use of SetThreadContext
      • Gathers network information
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\PO.exe"
        3⤵
          PID:3392

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Command-Line Interface

    1
    T1059

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\nsb6365.tmp\System.dll
      MD5

      56a321bd011112ec5d8a32b2f6fd3231

      SHA1

      df20e3a35a1636de64df5290ae5e4e7572447f78

      SHA256

      bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

      SHA512

      5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsb6365.tmp\System.dll
      MD5

      56a321bd011112ec5d8a32b2f6fd3231

      SHA1

      df20e3a35a1636de64df5290ae5e4e7572447f78

      SHA256

      bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

      SHA512

      5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

      Download Submit
    • memory/2328-116-0x000000000041D010-mapping.dmp
      Download
    • memory/2328-117-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/2328-118-0x0000000000B20000-0x0000000000E40000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/2328-119-0x0000000000580000-0x00000000006CA000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2504-120-0x0000000004E00000-0x0000000004F0B000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2504-127-0x0000000004F20000-0x0000000005064000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2756-121-0x0000000000000000-mapping.dmp
      Download
    • memory/2756-124-0x0000000000CA0000-0x0000000000CC8000-memory.dmp
      Filesize

      160KB

      Download
    • memory/2756-123-0x0000000000F90000-0x0000000000F9B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/2756-125-0x0000000003430000-0x0000000003750000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/2756-126-0x0000000003280000-0x000000000330F000-memory.dmp
      Filesize

      572KB

      Download
    • memory/3392-122-0x0000000000000000-mapping.dmp
      Download