Analysis

  • max time kernel
    148s
  • max time network
    193s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    30-07-2021 15:25

General

  • Target
    USD $.exe
  • Size
    1.0MB
  • MD5
    7098068c07032900ff073b55a8ad8e0b
  • SHA1
    5bdda0bc06b935689f29d55b297d0523d82c6bfa
  • SHA256
    2d7aac32ea8a8329262ead70ec2f030c1a4061e4edafdf03e605bb9ce606836e
  • SHA512
    c5568a37cd6cfa600af5742acd1143d434035e2b5d7caa515ccbf182c6f72030e28a3562ee9f5e9341bcc5aeef45f498434fb8ff6835bc07c04220440d0aaf39

Score
10/10

Malware Config

Extracted

  • Family
    xloader
  • Version
    2.3
  • C2
    http://www.panyu-qqbaby.com/weni/
  • Decoy
    sdmdwang.com
    konversationswithkoshie.net
    carap.club
    eagldeream.com
    856380585.xyz
    elgallocoffee.com
    magetu.info
    lovertons.com
    theichallenge.com
    advancedautorepairsonline.com
    wingsstyling.info
    tapdaugusta.com
    wiloasbanhsgtarewdasc.solutions
    donjrisdumb.com
    experienceddoctor.com
    cloverhillconsultants.com
    underwear.show
    karensgonewild2020.com
    arodsr.com
    thefucktardmanual.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 3 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1288
    • C:\Users\Admin\AppData\Local\Temp\USD $.exe
      "C:\Users\Admin\AppData\Local\Temp\USD $.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "{path}"
        3⤵
          PID:524
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "{path}"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:672
      • C:\Windows\SysWOW64\cmmon32.exe
        "C:\Windows\SysWOW64\cmmon32.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1032
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
            PID:1484

Network

MITRE ATT&CK Matrix

Downloads

  • memory/672-71-0x00000000002B0000-0x00000000002C0000-memory.dmp
    Filesize 64KB
  • memory/672-66-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize 160KB
  • memory/672-69-0x00000000001C0000-0x00000000001D0000-memory.dmp
    Filesize 64KB
  • memory/672-68-0x0000000000AD0000-0x0000000000DD3000-memory.dmp
    Filesize 3.0MB
  • memory/672-67-0x000000000041D000-mapping.dmp
  • memory/1032-78-0x0000000000680000-0x000000000070F000-memory.dmp
    Filesize 572KB
  • memory/1032-77-0x0000000001F80000-0x0000000002283000-memory.dmp
    Filesize 3.0MB
  • memory/1032-75-0x00000000005F0000-0x00000000005FD000-memory.dmp
    Filesize 52KB
  • memory/1032-80-0x0000000074FB1000-0x0000000074FB3000-memory.dmp
    Filesize 8KB
  • memory/1032-76-0x0000000000080000-0x00000000000A8000-memory.dmp
    Filesize 160KB
  • memory/1032-73-0x0000000000000000-mapping.dmp
  • memory/1288-72-0x0000000006AE0000-0x0000000006BB7000-memory.dmp
    Filesize 860KB
  • memory/1288-70-0x0000000004A20000-0x0000000004B4C000-memory.dmp
    Filesize 1.2MB
  • memory/1288-79-0x0000000007090000-0x00000000071DE000-memory.dmp
    Filesize 1.3MB
  • memory/1484-74-0x0000000000000000-mapping.dmp
  • memory/1908-64-0x0000000007490000-0x0000000007516000-memory.dmp
    Filesize 536KB
  • memory/1908-62-0x00000000071F0000-0x00000000071F1000-memory.dmp
    Filesize 4KB
  • memory/1908-65-0x0000000000710000-0x0000000000746000-memory.dmp
    Filesize 216KB
  • memory/1908-60-0x0000000000AD0000-0x0000000000AD1000-memory.dmp
    Filesize 4KB
  • memory/1908-63-0x00000000002C0000-0x00000000002C2000-memory.dmp
    Filesize 8KB