Overview

overview

10

Static

static

grace $.exe

windows7_x64

10

grace $.exe

windows10_x64

10

Analysis

  • max time kernel
    303s
  • max time network
    311s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    03-09-2021 04:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    grace $.exe

  • Size

    482KB

  • MD5

    beee308b51db0c02f8eeebf7d2773a6d

  • SHA1

    4df5d609ea5b05dfcba4b9e51120a10374f7d450

  • SHA256

    7af335cb2a2646ddadf12f730585a217523da868aaeb12ba621b367c1b942693

  • SHA512

    d0665aa70d1c1116a36c296bc49ec4b474a086d9741d3439f8b0fe4c8f054ae8ab1d5610b4e4e74758c25947054a569e5b897822e2859c8595b00dc69015a63b

Score
10/10
xloadert75floaderpersistenceratsuricata

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

t75f

C2

http://www.vertexnailsblaine.com/t75f/

Decoy

onegolfsydney.com

kaizensportscoaching.com

mliacbjv.icu

rinstech.net

midas-parts.com

istmenian.com

ibrahimpike.com

herbspaces.com

gentleman4higher.com

workabusiness.com

isabusive.website

222555dy.com

lwhyzhzb.xyz

gabrielabravoillanes.com

hearthomelife.com

buildswealth.com

printitaz.com

l-mventures.com

baincot3.com

nstaq-labs.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    suricata
  • Xloader Payload 3 IoCs
    rat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Users\Admin\AppData\Local\Temp\grace $.exe
      "C:\Users\Admin\AppData\Local\Temp\grace $.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
          PID:1572
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:3240
      • C:\Windows\SysWOW64\chkdsk.exe
        "C:\Windows\SysWOW64\chkdsk.exe"
        2⤵
        • Adds policy Run key to start application
        • Suspicious use of SetThreadContext
        • Drops file in Program Files directory
        • Enumerates system info in registry
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1928
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
            PID:1896
          • C:\Program Files\Mozilla Firefox\Firefox.exe
            "C:\Program Files\Mozilla Firefox\Firefox.exe"
            3⤵
              PID:504
          • C:\Program Files (x86)\Bf8fdu\bj1pqbmxwfkdhxtx.exe
            "C:\Program Files (x86)\Bf8fdu\bj1pqbmxwfkdhxtx.exe"
            2⤵
            • Executes dropped EXE
            PID:1680

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Bf8fdu\bj1pqbmxwfkdhxtx.exe
          MD5

          0e06054beb13192588e745ee63a84173

          SHA1

          30b7d4d1277bafd04a83779fd566a1f834a8d113

          SHA256

          c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

          SHA512

          251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

          Download Submit
        • C:\Program Files (x86)\Bf8fdu\bj1pqbmxwfkdhxtx.exe
          MD5

          0e06054beb13192588e745ee63a84173

          SHA1

          30b7d4d1277bafd04a83779fd566a1f834a8d113

          SHA256

          c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

          SHA512

          251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

          Download Submit
        • memory/504-136-0x0000000000000000-mapping.dmp
          Download
        • memory/504-144-0x000001B708E00000-0x000001B708EF5000-memory.dmp
          Filesize

          980KB

          Download
        • memory/504-143-0x00007FF7B2F80000-0x00007FF7B3013000-memory.dmp
          Filesize

          588KB

          Download
        • memory/640-122-0x00000000076E0000-0x000000000773F000-memory.dmp
          Filesize

          380KB

          Download
        • memory/640-118-0x0000000005330000-0x0000000005331000-memory.dmp
          Filesize

          4KB

          Download
        • memory/640-114-0x0000000000930000-0x0000000000931000-memory.dmp
          Filesize

          4KB

          Download
        • memory/640-123-0x0000000009F30000-0x0000000009F5A000-memory.dmp
          Filesize

          168KB

          Download
        • memory/640-116-0x0000000005820000-0x0000000005821000-memory.dmp
          Filesize

          4KB

          Download
        • memory/640-117-0x00000000053C0000-0x00000000053C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/640-121-0x00000000056B0000-0x00000000056C6000-memory.dmp
          Filesize

          88KB

          Download
        • memory/640-120-0x0000000007750000-0x0000000007751000-memory.dmp
          Filesize

          4KB

          Download
        • memory/640-119-0x0000000005320000-0x000000000581E000-memory.dmp
          Filesize

          5.0MB

          Download
        • memory/1680-141-0x0000000002BB0000-0x0000000002BB1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1680-140-0x0000000000840000-0x0000000000841000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1680-137-0x0000000000000000-mapping.dmp
          Download
        • memory/1680-142-0x0000000000E50000-0x0000000000E51000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1896-130-0x0000000000000000-mapping.dmp
          Download
        • memory/1928-133-0x0000000005090000-0x00000000053B0000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/1928-134-0x0000000004F80000-0x000000000500F000-memory.dmp
          Filesize

          572KB

          Download
        • memory/1928-131-0x0000000000920000-0x000000000092A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/1928-132-0x0000000000760000-0x0000000000789000-memory.dmp
          Filesize

          164KB

          Download
        • memory/1928-129-0x0000000000000000-mapping.dmp
          Download
        • memory/3052-135-0x0000000002550000-0x0000000002639000-memory.dmp
          Filesize

          932KB

          Download
        • memory/3052-128-0x0000000005C80000-0x0000000005DFC000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/3240-126-0x0000000001870000-0x0000000001B90000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/3240-127-0x0000000000FF0000-0x0000000001000000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3240-125-0x000000000041D110-mapping.dmp
          Download
        • memory/3240-124-0x0000000000400000-0x0000000000429000-memory.dmp
          Filesize

          164KB

          Download