Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    24-09-2021 06:45

General

  • Target

    3dfa10d42004768b9da7da94dc0586a0b9d68b56dd6bf5b5057b6b896eec5336.exe

  • Size

    256KB

  • MD5

    638e7aeb015199f26c16d111f6d623d5

  • SHA1

    09c27479e0440c8d993d3c737fd0b14da56ced2d

  • SHA256

    3dfa10d42004768b9da7da94dc0586a0b9d68b56dd6bf5b5057b6b896eec5336

  • SHA512

    5fd191195066cc188567b5fc13a8e6571e99de64ae9629ac61a70f6ab8d3b91ddc3591d2aa6b263ebf60e48c28ef05e0231eac6e16da6a48c7948af78c68fa88

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

m0np

C2

http://www.devmedicalcentre.com/m0np/

Decoy

gruppovimar.com

seniordatingtv.com

pinpinyouqian.website

retreatreflectreplenish.com

baby-handmade.store

econsupplies.com

helloaustinpodcast.com

europe-lodging.com

ferahanaokulu.com

thehomeinspo.com

rawhoneytnpasumo6.xyz

tyckasei.quest

scissorsandbuffer.com

jatinvestmentsmaldives.com

softandcute.store

afuturemakerspromotions.online

leonsigntech.com

havetheshortscovered.com

cvkf.email

iplyyu.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3dfa10d42004768b9da7da94dc0586a0b9d68b56dd6bf5b5057b6b896eec5336.exe
    "C:\Users\Admin\AppData\Local\Temp\3dfa10d42004768b9da7da94dc0586a0b9d68b56dd6bf5b5057b6b896eec5336.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2392
    • C:\Users\Admin\AppData\Local\Temp\3dfa10d42004768b9da7da94dc0586a0b9d68b56dd6bf5b5057b6b896eec5336.exe
      "C:\Users\Admin\AppData\Local\Temp\3dfa10d42004768b9da7da94dc0586a0b9d68b56dd6bf5b5057b6b896eec5336.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2644

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

System Information Discovery

1
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsn8DD0.tmp\jioygaihoyj.dll
    MD5

    731ddab9e9bcdb17a059fca6320dcc80

    SHA1

    11ce746cba27661ce67c4198b0a50423af2e70de

    SHA256

    1826d0e604d68f81001dfd38e3bc475d036fe6eaef08d7b74c3af7e2683170ca

    SHA512

    3c44ed4083f2660e561d64946c79b5a087d5e9efd740d79179797e157e354bb04189830d5147a17b05519d1520b078fcaeb0c5c5020aafa1daff17dd66fa10cc

  • memory/2644-116-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

  • memory/2644-117-0x000000000041D450-mapping.dmp
  • memory/2644-118-0x0000000000A40000-0x0000000000D60000-memory.dmp
    Filesize

    3.1MB