ledger.exe

General

Target: ledger.exe
Filesize: 746KB
Completed: 24-09-2021 12:43
Score: 10/10
MD5: bb7bbc40aef8439092e6345d3428c975
SHA1: 9bf46b95ff700e57bc0e38d5133577bfad260ea2
SHA256: b194903f2fb1231113b2cffdd6cf47e25d4d9f99675654f70865b1f3d0a9160c

Malware Config

Extracted

Family: xloader
Version: 2.3
Campaign: n58i
C2: http://www.biosonicmicrocurrent.com/n58i/

Decoy:
electrifyz.com
silkpetalz.net
cognitivenavigation.com
poophaikus.com
orchidiris.com
arteregalos.com
dailybookmarks.info
gogoanume.pro
hushmailgmx.com
trjisa.com
notontrend.com
2020polltax.com
orderhappy.club
panggabean.net
govsathi.com
hrsbxg.com
xvideotokyo.online
lotteplaze.com
lovecleanliveclean.com
swaphomeloans.net
arcadems.info
creatingstrongerathletes.com
follaproperties.com
i-postgram.com
bootybella.fitness
avtofan.net
bimbavbi.com
yourtravelsbuddy.com
laiofit.com
ofnick.com
2g6gc6zma9g.net
phamthanhdam.com
shopteve.com
add-fast.com
studioloungemke.com
maxtoutfitness.com
mapleway.systems
login-settings.com
affoshop.com
hupubets.com
3energyservices.com
ccmfonline.com
keyhousebuyers.com
curvecue.com
developerdevelopment.com
jamesdunnandsons.com
devyassine.com
dongyilove.com
alienpuran.com
tuolp.com

Signatures 11

  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload

    Tags

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/1580-124-0x0000000000400000-0x0000000000428000-memory.dmp | xloader
    behavioral2/memory/1580-125-0x000000000041D040-mapping.dmp | xloader
    behavioral2/memory/1860-131-0x0000000002A50000-0x0000000002A78000-memory.dmp | xloader
  • Suspicious use of SetThreadContext
    ledger.exe, ledger.exe, mstsc.exe

    Reported IOCs

    description | pid | process | target process
    PID 776 set thread context of 1580 | 776 | ledger.exe | ledger.exe
    PID 1580 set thread context of 3020 | 1580 | ledger.exe | Explorer.EXE
    PID 1860 set thread context of 3020 | 1860 | mstsc.exe | Explorer.EXE
  • Modifies registry class
    Explorer.EXE

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | Explorer.EXE
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | Explorer.EXE
  • Suspicious behavior: EnumeratesProcesses
    ledger.exe, mstsc.exe

    Reported IOCs

    pid | process
    1580 | ledger.exe (4 events)
    1860 | mstsc.exe (60 events)
  • Suspicious behavior: GetForegroundWindowSpam
    Explorer.EXE

    Reported IOCs

    pid | process
    3020 | Explorer.EXE
  • Suspicious behavior: MapViewOfSection
    ledger.exe, mstsc.exe

    Reported IOCs

    pid | process
    1580 | ledger.exe
    1580 | ledger.exe
    1580 | ledger.exe
    1860 | mstsc.exe
    1860 | mstsc.exe
  • Suspicious use of AdjustPrivilegeToken
    ledger.exe, Explorer.EXE, mstsc.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1580 | ledger.exe
    Token: SeShutdownPrivilege | 3020 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 3020 | Explorer.EXE
    Token: SeShutdownPrivilege | 3020 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 3020 | Explorer.EXE
    Token: SeDebugPrivilege | 1860 | mstsc.exe
  • Suspicious use of FindShellTrayWindow
    Explorer.EXE

    Reported IOCs

    pid | process
    3020 | Explorer.EXE
    3020 | Explorer.EXE
    3020 | Explorer.EXE
    3020 | Explorer.EXE
  • Suspicious use of UnmapMainImage
    Explorer.EXE

    Reported IOCs

    pid | process
    3020 | Explorer.EXE
  • Suspicious use of WriteProcessMemory
    ledger.exe, Explorer.EXE, mstsc.exe

    Reported IOCs

    description | pid | process | target process
    PID 776 wrote to memory of 1580 | 776 | ledger.exe | ledger.exe
    PID 776 wrote to memory of 1580 | 776 | ledger.exe | ledger.exe
    PID 776 wrote to memory of 1580 | 776 | ledger.exe | ledger.exe
    PID 776 wrote to memory of 1580 | 776 | ledger.exe | ledger.exe
    PID 776 wrote to memory of 1580 | 776 | ledger.exe | ledger.exe
    PID 776 wrote to memory of 1580 | 776 | ledger.exe | ledger.exe
    PID 3020 wrote to memory of 1860 | 3020 | Explorer.EXE | mstsc.exe
    PID 3020 wrote to memory of 1860 | 3020 | Explorer.EXE | mstsc.exe
    PID 3020 wrote to memory of 1860 | 3020 | Explorer.EXE | mstsc.exe
    PID 1860 wrote to memory of 2648 | 1860 | mstsc.exe | cmd.exe
    PID 1860 wrote to memory of 2648 | 1860 | mstsc.exe | cmd.exe
    PID 1860 wrote to memory of 2648 | 1860 | mstsc.exe | cmd.exe
Processes 8
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Modifies registry class
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of FindShellTrayWindow
    Suspicious use of UnmapMainImage
    Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Users\Admin\AppData\Local\Temp\ledger.exe
      "C:\Users\Admin\AppData\Local\Temp\ledger.exe"
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:776
      • C:\Users\Admin\AppData\Local\Temp\ledger.exe
        "C:\Users\Admin\AppData\Local\Temp\ledger.exe"
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        PID:1580
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      PID:1828
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      PID:2028
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      PID:1712
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1860
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\ledger.exe"
        PID:2648
Network
MITRE ATT&CK Matrix

Tactic columns (no techniques mapped in this report): Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • memory/776-121-0x0000000005640000-0x0000000005656000-memory.dmp
  • memory/776-116-0x0000000005670000-0x0000000005671000-memory.dmp
  • memory/776-117-0x00000000050C0000-0x00000000050C1000-memory.dmp
  • memory/776-118-0x00000000050A0000-0x00000000050A1000-memory.dmp
  • memory/776-119-0x0000000005170000-0x000000000566E000-memory.dmp
  • memory/776-120-0x0000000008870000-0x0000000008871000-memory.dmp
  • memory/776-122-0x0000000008B80000-0x0000000008BE0000-memory.dmp
  • memory/776-123-0x000000000B320000-0x000000000B34A000-memory.dmp
  • memory/776-114-0x00000000007B0000-0x00000000007B1000-memory.dmp
  • memory/1580-126-0x00000000019D0000-0x0000000001CF0000-memory.dmp
  • memory/1580-124-0x0000000000400000-0x0000000000428000-memory.dmp
  • memory/1580-127-0x00000000014D0000-0x00000000014E0000-memory.dmp
  • memory/1580-125-0x000000000041D040-mapping.dmp
  • memory/1860-134-0x0000000004840000-0x00000000048CF000-memory.dmp
  • memory/1860-129-0x0000000000000000-mapping.dmp
  • memory/1860-130-0x00000000003B0000-0x00000000006AC000-memory.dmp
  • memory/1860-131-0x0000000002A50000-0x0000000002A78000-memory.dmp
  • memory/1860-133-0x0000000004900000-0x0000000004C20000-memory.dmp
  • memory/2648-132-0x0000000000000000-mapping.dmp
  • memory/3020-128-0x0000000005D10000-0x0000000005E67000-memory.dmp
  • memory/3020-135-0x00000000024A0000-0x0000000002571000-memory.dmp