Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    21-09-2021 13:53

General

  • Target

    64c00be3d0bc5f000ee6d2d6d49e72c9e9f36090f19b7f9620ff0993a0e84025.exe

  • Size

    262KB

  • MD5

    259c7a6403af1553ed0436fbf9e592b8

  • SHA1

    b0aa55e4f8a14c48f844a3e90e9ba74e476fe0de

  • SHA256

    64c00be3d0bc5f000ee6d2d6d49e72c9e9f36090f19b7f9620ff0993a0e84025

  • SHA512

    e48738b38934fb0f8c94f9f81d8448e610ab02d0819897e7be66d082154828681d9603c51d5dffd7224c2d9d1df35c97f70056df20b73a665447318d576cee37

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

m0np

C2

http://www.devmedicalcentre.com/m0np/

Decoy

gruppovimar.com

seniordatingtv.com

pinpinyouqian.website

retreatreflectreplenish.com

baby-handmade.store

econsupplies.com

helloaustinpodcast.com

europe-lodging.com

ferahanaokulu.com

thehomeinspo.com

rawhoneytnpasumo6.xyz

tyckasei.quest

scissorsandbuffer.com

jatinvestmentsmaldives.com

softandcute.store

afuturemakerspromotions.online

leonsigntech.com

havetheshortscovered.com

cvkf.email

iplyyu.com

Signatures

  • Xloader

    Xloader is the rebranded successor of the Formbook information stealer. Its extracted configuration holds one real C2 (the host carrying the campaign path, here /m0np/) plus a list of decoy domains that the bot also contacts to hide the real server; the decoys are mostly ordinary third-party sites, so only the C2 entry should be treated as attacker-controlled infrastructure.

  • Xloader Payload 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs

    Seen together with WriteProcessMemory and MapViewOfSection in the parent (PID 2208) and a child that is a second copy of the same executable (PID 2464), this is the standard process-hollowing sequence: start a copy of itself, write a new image into it, then redirect its thread with SetThreadContext so the injected payload runs in place of the original image.
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). This is a generic drive-enumeration heuristic (mapped to T1082 below); ransomware is one possible reading, but for a sample whose extracted config identifies it as Xloader it reflects discovery rather than encryption, and nothing else in this report indicates file encryption.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64c00be3d0bc5f000ee6d2d6d49e72c9e9f36090f19b7f9620ff0993a0e84025.exe
    "C:\Users\Admin\AppData\Local\Temp\64c00be3d0bc5f000ee6d2d6d49e72c9e9f36090f19b7f9620ff0993a0e84025.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Users\Admin\AppData\Local\Temp\64c00be3d0bc5f000ee6d2d6d49e72c9e9f36090f19b7f9620ff0993a0e84025.exe
      "C:\Users\Admin\AppData\Local\Temp\64c00be3d0bc5f000ee6d2d6d49e72c9e9f36090f19b7f9620ff0993a0e84025.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2464
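The signatures and process tree above describe three weak signals that only become convincing in combination: a DLL loaded from an NSIS temp folder (%TEMP%\ns*.tmp\), a process re-launching its own image, and the parent obtaining write access to that child. The following is an added example of host-side detection logic over constructed Sysmon-style events; it is not part of the report or the sandbox's tooling. The PIDs and paths are taken from the process tree above, the events themselves and the Sysmon field names (Event ID 1 process create, 7 image load, 10 process access, GrantedAccess as a hex string) are assumptions for illustration.

```python
"""Correlate NSIS temp-DLL load + self-spawn + write access into the child.

The events below are constructed to look like Sysmon records modelled on
the report's process tree; they are not taken from the report itself."""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\64c00be3d0bc5f000ee6d2d6d49e72c9e9f36090f19b7f9620ff0993a0e84025.exe")

# NSIS installers extract plug-in DLLs to %TEMP%\ns<id>.tmp\ before loading them
NSIS_TMP_DLL = re.compile(
    r"\\AppData\\Local\\Temp\\ns[0-9A-Za-z]+\.tmp\\[^\\]+\.dll$", re.IGNORECASE)

# Access rights WriteProcessMemory needs on the target process handle
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed Sysmon-style events (assumed field names), plus benign noise
EVENTS = [
    {"EventID": 1, "ProcessId": 2208, "Image": SAMPLE,
     "ParentProcessId": 1000, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessId": 2208, "Image": SAMPLE,
     "ImageLoaded": r"C:\Users\Admin\AppData\Local\Temp\nsm8BAD.tmp\zghj.dll"},
    {"EventID": 1, "ProcessId": 2464, "Image": SAMPLE,
     "ParentProcessId": 2208, "ParentImage": SAMPLE},
    {"EventID": 10, "SourceProcessId": 2208, "SourceImage": SAMPLE,
     "TargetProcessId": 2464, "TargetImage": SAMPLE, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 7, "ProcessId": 3000, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]


def nsis_temp_dll_loads(events):
    """Return {pid: [dll paths]} for DLLs loaded out of an NSIS temp folder."""
    hits = defaultdict(list)
    for e in events:
        if e.get("EventID") == 7 and NSIS_TMP_DLL.search(e["ImageLoaded"]):
            hits[e["ProcessId"]].append(e["ImageLoaded"])
    return dict(hits)


def self_spawns(events):
    """Return {parent_pid: child_pid} where a process launches its own image."""
    return {e["ParentProcessId"]: e["ProcessId"] for e in events
            if e.get("EventID") == 1
            and e["Image"].lower() == e["ParentImage"].lower()}


def writes_into_child(events, parent, child):
    """True if parent opened child with VM_OPERATION|VM_WRITE (injection-capable)."""
    for e in events:
        if (e.get("EventID") == 10 and e["SourceProcessId"] == parent
                and e["TargetProcessId"] == child
                and int(e["GrantedAccess"], 16) & WRITE_MASK == WRITE_MASK):
            return True
    return False


def hollowing_candidates(events):
    """Fold the three signals into one finding per parent pid."""
    dll_hits = nsis_temp_dll_loads(events)
    findings = {}
    for parent, child in self_spawns(events).items():
        findings[parent] = {
            "child": child,
            "nsis_dll": dll_hits.get(parent, []),
            "writes_child": writes_into_child(events, parent, child),
        }
    return findings


if __name__ == "__main__":
    for pid, f in hollowing_candidates(EVENTS).items():
        print(f"pid {pid}: spawned copy {f['child']}, nsis dll={f['nsis_dll']}, "
              f"writes into child={f['writes_child']}")
```

A real deployment would key the three checks on process GUIDs rather than PIDs (PIDs are reused) and would treat a self-spawn with write access as the alert condition even when the NSIS DLL load is missing, since not every Xloader dropper is NSIS-packaged.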

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    System Information Discovery, T1082 (1)

Downloads

  • \Users\Admin\AppData\Local\Temp\nsm8BAD.tmp\zghj.dll
    MD5

    232cae5eddd5fae3327da010858e3065

    SHA1

    eef27ff768dafd59901ff338fc77ab31bcdb3ba2

    SHA256

    60a6cb735a0b35c181fdee04ecd7f0c83078a5549043071c7b9881bc2cc2d328

    SHA512

    d4336d92b23a088e99a17e03ace46ba69a87bbcc5182c8e91e35e5e5f5f90f9c6fcb6f89bc404d81e95d16411af330ecbeed53a0dc8f83d01ce27fa5fe38ef2c

  • memory/2464-116-0x000000000041D450-mapping.dmp
  • memory/2464-117-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

  • memory/2464-118-0x0000000000A50000-0x0000000000D70000-memory.dmp
    Filesize

    3.1MB
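The dump names encode PID, index and the region bounds: memory/2464-117-0x400000-0x429000 is a 164KB (0x29000-byte) region of the injected child beginning at the classic 32-bit ImageBase, which is where a hollowed-in PE image would sit. Before handing such a dump to PE tools it is worth checking that its header agrees with the sandbox's region bounds and rewriting the section table from memory layout to file layout. The script below is an added example, not tooling from the report or the sandbox; it builds a constructed minimal mapped PE with build_mapped_image() because the real dump is not available here, and the header offsets it uses are the standard PE32/PE32+ ones.

```python
"""Validate a mapped-image memory dump against its own PE header and rewrite
the section table so the dump loads as an ordinary PE file.

Added example; the dump bytes are constructed by build_mapped_image(), not
taken from the report."""
import struct

PE32, PE32PLUS = 0x10B, 0x20B


def build_mapped_image(image_base=0x400000, size_of_image=0x29000):
    """Constructed test input: minimal 32-bit PE as it sits in memory
    (sections at their VirtualAddress, headers still holding file values)."""
    img = bytearray(size_of_image)
    img[0:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    sections = [(b".text", 0x1000, 0x1000, 0x400),   # name, VA, VirtualSize, raw ptr
                (b".data", 0x2000, 0x27000, 0x600)]
    opt_size = 224                                    # PE32 optional header
    # COFF: Machine=i386, NumberOfSections, stamp, symtab, nsyms, opt size, flags
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4,
                     0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, PE32)
    struct.pack_into("<I", img, opt + 16, 0x1010)            # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, image_base)        # ImageBase (PE32)
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)    # Section/FileAlignment
    struct.pack_into("<II", img, opt + 56, size_of_image, 0x400)  # SizeOfImage/Headers
    sec = opt + opt_size
    for name, va, vsize, rawptr in sections:
        # on-disk values survive in memory; a dump rebuild must overwrite them
        struct.pack_into("<8sIIII", img, sec, name, vsize, va, 0x200, rawptr)
        sec += 40
    return bytes(img)


def parse_image(dump):
    """Parse DOS/COFF/optional headers and the section table at offset 0."""
    if dump[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew, = struct.unpack_from("<I", dump, 0x3C)
    if dump[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsections, = struct.unpack_from("<H", dump, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", dump, e_lfanew + 20)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", dump, opt)
    entry, = struct.unpack_from("<I", dump, opt + 16)
    if magic == PE32:
        image_base, = struct.unpack_from("<I", dump, opt + 28)
    elif magic == PE32PLUS:
        image_base, = struct.unpack_from("<Q", dump, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    size_of_image, = struct.unpack_from("<I", dump, opt + 56)
    sec_off = opt + opt_size
    sections = []
    for i in range(nsections):
        off = sec_off + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", dump, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "vsize": vsize, "raw_size": rawsize,
                         "raw_ptr": rawptr, "hdr_off": off})
    return {"entry": entry, "image_base": image_base,
            "size_of_image": size_of_image, "sections": sections}


def check_dump(dump, dump_base):
    """Cross-check the sandbox's region bounds against the PE's own header."""
    pe = parse_image(dump)
    problems = []
    if pe["image_base"] != dump_base:
        problems.append(f"ImageBase {pe['image_base']:#x} != dump base "
                        f"{dump_base:#x} (relocated, or not the image?)")
    if pe["size_of_image"] != len(dump):
        problems.append(f"SizeOfImage {pe['size_of_image']:#x} != dump length "
                        f"{len(dump):#x}")
    if not any(s["va"] <= pe["entry"] < s["va"] + s["vsize"]
               for s in pe["sections"]):
        problems.append("entry point lies outside every section")
    return pe, problems


def unmap_to_file_layout(dump):
    """Set SizeOfRawData/PointerToRawData = VirtualSize/VirtualAddress so that
    file-oriented PE tools find each section where it lives in the dump."""
    out = bytearray(dump)
    for s in parse_image(dump)["sections"]:
        struct.pack_into("<II", out, s["hdr_off"] + 16, s["vsize"], s["va"])
    return bytes(out)


if __name__ == "__main__":
    pe, problems = check_dump(build_mapped_image(), 0x400000)
    print(f"base {pe['image_base']:#x} size {pe['size_of_image']:#x} "
          f"sections {[s['name'] for s in pe['sections']]} problems {problems}")
```

For the real dump, read the file bytes and pass 0x400000 as dump_base; a non-empty problem list usually means the region holds raw shellcode, a relocated image, or only part of the image, and the rebuilt file should then be treated as a fragment rather than a runnable PE.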