Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows7_x64 -
resource
win7-en -
submitted
10-09-2021 05:25
General
-
Target
Swift Copy.exe
-
Size
459KB
-
MD5
3b2a3fb863cf4f30e508e7be83d5adc7
-
SHA1
b81ab8811217e31a7ff73e6defd0c51b0ceba101
-
SHA256
acf3df7da4bdf99226ab8574e15d1145e46e28605afdf660f1fb19b1d061c386
-
SHA512
c24ad26caea342de74148c29f45a1891d19989f8af63ba51da2877ad7bcf65a2f4449f1b8f638d38efd5ce44e14b8dc58930fcb9fe53563eac26ce64f211214d
Score
10/10
Malware Config
Extracted
Family
xloader
Version
2.3
Campaign
n58i
C2
http://www.biosonicmicrocurrent.com/n58i/
Decoy
electrifyz.com
silkpetalz.net
cognitivenavigation.com
poophaikus.com
orchidiris.com
arteregalos.com
dailybookmarks.info
gogoanume.pro
hushmailgmx.com
trjisa.com
notontrend.com
2020polltax.com
orderhappy.club
panggabean.net
govsathi.com
hrsbxg.com
xvideotokyo.online
lotteplaze.com
lovecleanliveclean.com
swaphomeloans.net
Signatures
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 3 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"C:\Users\Admin\AppData\Local\Temp\Swift Copy.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\cmstp.exe"C:\Windows\SysWOW64\cmstp.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/388-71-0x0000000000000000-mapping.dmp
-
memory/768-66-0x0000000000000000-mapping.dmp
-
memory/768-72-0x0000000001DC0000-0x0000000001E4F000-memory.dmpFilesize
572KB
-
memory/768-70-0x0000000001F50000-0x0000000002253000-memory.dmpFilesize
3.0MB
-
memory/768-69-0x0000000000090000-0x00000000000B8000-memory.dmpFilesize
160KB
-
memory/768-68-0x0000000000680000-0x0000000000698000-memory.dmpFilesize
96KB
-
memory/768-67-0x00000000758D1000-0x00000000758D3000-memory.dmpFilesize
8KB
-
memory/936-59-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/936-61-0x0000000000700000-0x0000000000A03000-memory.dmpFilesize
3.0MB
-
memory/936-63-0x00000000000A0000-0x00000000000B0000-memory.dmpFilesize
64KB
-
memory/936-64-0x00000000005E0000-0x00000000005F0000-memory.dmpFilesize
64KB
-
memory/936-60-0x000000000041D040-mapping.dmp
-
memory/1196-65-0x0000000004920000-0x0000000004A78000-memory.dmpFilesize
1.3MB
-
memory/1196-62-0x0000000004120000-0x000000000424F000-memory.dmpFilesize
1.2MB
-
memory/1196-73-0x0000000004E10000-0x0000000004EC9000-memory.dmpFilesize
740KB
-
memory/1936-53-0x0000000000E60000-0x0000000000E61000-memory.dmpFilesize
4KB
-
memory/1936-58-0x0000000000E30000-0x0000000000E5A000-memory.dmpFilesize
168KB
-
memory/1936-57-0x0000000004340000-0x000000000439F000-memory.dmpFilesize
380KB
-
memory/1936-56-0x00000000004A0000-0x00000000004A7000-memory.dmpFilesize
28KB
-
memory/1936-55-0x0000000004C70000-0x0000000004C71000-memory.dmpFilesize
4KB