Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
27-07-2021 16:22
General
-
Target
SOA.exe
-
Size
896KB
-
MD5
23d890e7a25c8a51bfcec1939a20a7e9
-
SHA1
0193e5561521c2beac81ef0e3141fe0f93f7e9b7
-
SHA256
ddc1d5dd3d2d2a64d1d3e7586023715a1da59c30af9682843d326e0f16f12632
-
SHA512
fcb819f6537a4829b2a5d3e605370c6991bfbd189abcc8cc786ef446060e5ced93da6f38a2b4dd6477ac6ad5712ece89bae495bbfc52debb1889f0f4a69c6c8e
Malware Config
Extracted
xloader
2.3
http://www.cannabisoutletonline.com/n86i/
purpose-guide.com
averyshairco.com
blockchain-365.com
jismlmuu.icu
famosobambino.com
firstclasstruckingny.com
oracleoftheinternet.com
alliesdispatchlogistics.com
salten2.com
bfactivator.com
jgc40.com
nanninghao.com
eigorilla.info
predies.com
dmzg-cn.net
registratetexas.com
maxifina-aprovado.com
mdqqy-dliv.xyz
annurenterprise.com
dongtrunghathaovanphuc.com
Signatures
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 3 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SOA.exe"C:\Users\Admin\AppData\Local\Temp\SOA.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SOA.exe"{path}"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\msdt.exe"C:\Windows\SysWOW64\msdt.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\SOA.exe"3⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1112-131-0x0000000000000000-mapping.dmp
-
memory/2116-135-0x0000000004740000-0x00000000047D0000-memory.dmpFilesize
576KB
-
memory/2116-134-0x00000000047F0000-0x0000000004B10000-memory.dmpFilesize
3.1MB
-
memory/2116-133-0x0000000002BD0000-0x0000000002BF9000-memory.dmpFilesize
164KB
-
memory/2116-132-0x00000000002E0000-0x0000000000453000-memory.dmpFilesize
1.4MB
-
memory/2116-130-0x0000000000000000-mapping.dmp
-
memory/3008-129-0x0000000002CA0000-0x0000000002D59000-memory.dmpFilesize
740KB
-
memory/3008-136-0x0000000005280000-0x0000000005380000-memory.dmpFilesize
1024KB
-
memory/3120-125-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/3120-127-0x00000000017E0000-0x0000000001B00000-memory.dmpFilesize
3.1MB
-
memory/3120-128-0x0000000001250000-0x000000000139A000-memory.dmpFilesize
1.3MB
-
memory/3120-126-0x000000000041D060-mapping.dmp
-
memory/3972-122-0x0000000007740000-0x0000000007741000-memory.dmpFilesize
4KB
-
memory/3972-114-0x0000000000920000-0x0000000000921000-memory.dmpFilesize
4KB
-
memory/3972-123-0x0000000005960000-0x00000000059DA000-memory.dmpFilesize
488KB
-
memory/3972-124-0x00000000058D0000-0x00000000058FA000-memory.dmpFilesize
168KB
-
memory/3972-121-0x0000000006290000-0x0000000006292000-memory.dmpFilesize
8KB
-
memory/3972-120-0x0000000005360000-0x0000000005361000-memory.dmpFilesize
4KB
-
memory/3972-119-0x0000000005310000-0x0000000005311000-memory.dmpFilesize
4KB
-
memory/3972-118-0x00000000053C0000-0x00000000053C1000-memory.dmpFilesize
4KB
-
memory/3972-117-0x0000000009BA0000-0x0000000009BA1000-memory.dmpFilesize
4KB
-
memory/3972-116-0x0000000005290000-0x00000000052E9000-memory.dmpFilesize
356KB