Analysis
-
max time kernel
300s -
max time network
301s -
platform
windows7_x64 -
resource
win7-en -
submitted
15-09-2021 16:42
General
-
Target
TPJX2QwEdXs5sTV.exe
-
Size
655KB
-
MD5
ce556ce97ea23cbc2940f2aad45d468f
-
SHA1
cc2bdaefa2f0ac108e2f456e42a42e8258580cf4
-
SHA256
7c3d5ebd2c417a52b2a0b98dee95b5a7f283816f6a2453ceeffd31becc140882
-
SHA512
82d4d71aeb5118d600394c64eb127ca4a87d7b83702feb4f9c5b0a0d98a597f812ebfd16784cbde54b9f4b1c87d3c7eaf57fb1c86b9720df95419887fc13f77b
Score
10/10
Malware Config
Extracted
Family
xloader
Version
2.4
Campaign
t75f
C2
http://www.438451.com/t75f/
Decoy
ice-lemon.pro
ar3spro.cloud
9055837.com
fucksociety.net
prettyofficialx.com
mfxw.xyz
relationshipquiz.info
customia.xyz
juanayjuan.com
zidiankj.com
facture-booking.com
secondmining.store
aboutyou.club
gongxichen.com
laurabraincreative.com
pierrot-bros.com
saintpaulaccountingservices.com
dom-maya.com
garderobamarzen.net
la-salamandre-assurances.com
Signatures
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Xloader Payload 3 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 53 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\TPJX2QwEdXs5sTV.exe"C:\Users\Admin\AppData\Local\Temp\TPJX2QwEdXs5sTV.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\wlanext.exe"C:\Windows\SysWOW64\wlanext.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/596-59-0x000000000041D410-mapping.dmp
-
memory/596-60-0x0000000000930000-0x0000000000C33000-memory.dmpFilesize
3.0MB
-
memory/596-61-0x0000000000190000-0x00000000001A1000-memory.dmpFilesize
68KB
-
memory/596-58-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1392-69-0x0000000006A60000-0x0000000006B5E000-memory.dmpFilesize
1016KB
-
memory/1392-62-0x0000000006020000-0x00000000060EA000-memory.dmpFilesize
808KB
-
memory/1748-65-0x0000000000EB0000-0x0000000000EC6000-memory.dmpFilesize
88KB
-
memory/1748-63-0x0000000000000000-mapping.dmp
-
memory/1748-67-0x00000000009B0000-0x0000000000CB3000-memory.dmpFilesize
3.0MB
-
memory/1748-66-0x00000000000C0000-0x00000000000E9000-memory.dmpFilesize
164KB
-
memory/1748-68-0x0000000000820000-0x00000000008B0000-memory.dmpFilesize
576KB
-
memory/1784-64-0x0000000000000000-mapping.dmp
-
memory/2008-57-0x0000000002220000-0x000000000224B000-memory.dmpFilesize
172KB
-
memory/2008-56-0x0000000004EF0000-0x0000000004F51000-memory.dmpFilesize
388KB
-
memory/2008-55-0x0000000000480000-0x0000000000487000-memory.dmpFilesize
28KB
-
memory/2008-52-0x0000000000800000-0x0000000000801000-memory.dmpFilesize
4KB
-
memory/2008-54-0x0000000004E50000-0x0000000004E51000-memory.dmpFilesize
4KB