Overview

overview

10

Static

static

1

loader1.exe

windows7_x64

10

loader1.exe

windows10_x64

10

Analysis

  • max time kernel
    300s
  • max time network
    300s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    27-09-2021 05:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    loader1.exe

  • Size

    253KB

  • MD5

    196ef716e51eb90f7ffcfd2219ce1d5e

  • SHA1

    3c5d438cb3dee2b0474ea45be67069db184e26bb

  • SHA256

    c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb

  • SHA512

    e303bd36a6cd409bf146b0716a52c50ab5069b3dd513303a8c63c1494013450e5a84ee0bf7eb5d7396946080f57ef08275e09326bc2bd3fc80f94f911e872759

Score
10/10
xloaderm0nploaderpersistencerat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

m0np

C2

http://www.devmedicalcentre.com/m0np/

Decoy

gruppovimar.com

seniordatingtv.com

pinpinyouqian.website

retreatreflectreplenish.com

baby-handmade.store

econsupplies.com

helloaustinpodcast.com

europe-lodging.com

ferahanaokulu.com

thehomeinspo.com

rawhoneytnpasumo6.xyz

tyckasei.quest

scissorsandbuffer.com

jatinvestmentsmaldives.com

softandcute.store

afuturemakerspromotions.online

leonsigntech.com

havetheshortscovered.com

cvkf.email

iplyyu.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 4 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 6 IoCs
    installer
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Users\Admin\AppData\Local\Temp\loader1.exe
      "C:\Users\Admin\AppData\Local\Temp\loader1.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:900
      • C:\Users\Admin\AppData\Local\Temp\loader1.exe
        "C:\Users\Admin\AppData\Local\Temp\loader1.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:996
    • C:\Windows\SysWOW64\colorcpl.exe
      "C:\Windows\SysWOW64\colorcpl.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:376
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\loader1.exe"
        3⤵
          PID:1152
        • C:\Program Files\Mozilla Firefox\Firefox.exe
          "C:\Program Files\Mozilla Firefox\Firefox.exe"
          3⤵
            PID:2696
        • C:\Program Files (x86)\K8ptdkzi\itsdv4vlzj8ft.exe
          "C:\Program Files (x86)\K8ptdkzi\itsdv4vlzj8ft.exe"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:3036
          • C:\Program Files (x86)\K8ptdkzi\itsdv4vlzj8ft.exe
            "C:\Program Files (x86)\K8ptdkzi\itsdv4vlzj8ft.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1200

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\K8ptdkzi\itsdv4vlzj8ft.exe
        MD5

        196ef716e51eb90f7ffcfd2219ce1d5e

        SHA1

        3c5d438cb3dee2b0474ea45be67069db184e26bb

        SHA256

        c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb

        SHA512

        e303bd36a6cd409bf146b0716a52c50ab5069b3dd513303a8c63c1494013450e5a84ee0bf7eb5d7396946080f57ef08275e09326bc2bd3fc80f94f911e872759

        Download Submit
      • C:\Program Files (x86)\K8ptdkzi\itsdv4vlzj8ft.exe
        MD5

        196ef716e51eb90f7ffcfd2219ce1d5e

        SHA1

        3c5d438cb3dee2b0474ea45be67069db184e26bb

        SHA256

        c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb

        SHA512

        e303bd36a6cd409bf146b0716a52c50ab5069b3dd513303a8c63c1494013450e5a84ee0bf7eb5d7396946080f57ef08275e09326bc2bd3fc80f94f911e872759

        Download Submit
      • C:\Program Files (x86)\K8ptdkzi\itsdv4vlzj8ft.exe
        MD5

        196ef716e51eb90f7ffcfd2219ce1d5e

        SHA1

        3c5d438cb3dee2b0474ea45be67069db184e26bb

        SHA256

        c5ccdeea44050d8be9cf04b42ba6336dfd81e4a930ec6cd916f5f4e3a5f713bb

        SHA512

        e303bd36a6cd409bf146b0716a52c50ab5069b3dd513303a8c63c1494013450e5a84ee0bf7eb5d7396946080f57ef08275e09326bc2bd3fc80f94f911e872759

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\oxp407vczottn
        MD5

        ac7a35a54ad3d34e18ee939ea1678e21

        SHA1

        5a673519a148588580d76db26f72bfecfddedf24

        SHA256

        bb46faeb56bad25dba83768bbbb1f91a57c535b2aad86ce6d1253b8dfedd8f3e

        SHA512

        1140fef1699b9bf4a8d1f4a04a55f33aab019008259776babb973169ede9031c37ee3c0da0567d634c2563a687332624040ae9b6e48367805eb0f06363ecc3c1

        Download Submit
      • \Users\Admin\AppData\Local\Temp\nsh81DE.tmp\wkpnpsjabyz.dll
        MD5

        cceb1c08032a04804191f34f7e070d5d

        SHA1

        7a6628b4b164874e61a034b17b669631dc3d7eb7

        SHA256

        eed96b31d0af300135ddd50ba8274b31d7902564bcb5c84224e5d1b2e357aaae

        SHA512

        e5ac48d0d422dc53133c15a1e8029cdf500186096b253e9893568410a20dfe25301e897db2b1cf902e2d1c85cde0309b1e4ac2c9b7cdeed5c41f1af472c23467

        Download Submit
      • \Users\Admin\AppData\Local\Temp\nsm55ED.tmp\wkpnpsjabyz.dll
        MD5

        cceb1c08032a04804191f34f7e070d5d

        SHA1

        7a6628b4b164874e61a034b17b669631dc3d7eb7

        SHA256

        eed96b31d0af300135ddd50ba8274b31d7902564bcb5c84224e5d1b2e357aaae

        SHA512

        e5ac48d0d422dc53133c15a1e8029cdf500186096b253e9893568410a20dfe25301e897db2b1cf902e2d1c85cde0309b1e4ac2c9b7cdeed5c41f1af472c23467

        Download Submit
      • memory/376-121-0x00000000003B0000-0x00000000003C9000-memory.dmp
        Filesize

        100KB

        Download
      • memory/376-122-0x0000000002FB0000-0x0000000002FD9000-memory.dmp
        Filesize

        164KB

        Download
      • memory/376-120-0x0000000000000000-mapping.dmp
        Download
      • memory/376-124-0x00000000048A0000-0x0000000004BC0000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/376-125-0x0000000004790000-0x0000000004820000-memory.dmp
        Filesize

        576KB

        Download
      • memory/996-117-0x0000000000B80000-0x0000000000EA0000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/996-118-0x00000000006D0000-0x00000000006E1000-memory.dmp
        Filesize

        68KB

        Download
      • memory/996-116-0x000000000041D450-mapping.dmp
        Download
      • memory/996-115-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

        Download
      • memory/1152-123-0x0000000000000000-mapping.dmp
        Download
      • memory/1200-133-0x000000000041D450-mapping.dmp
        Download
      • memory/1200-135-0x0000000000A80000-0x0000000000DA0000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/2696-136-0x0000000000000000-mapping.dmp
        Download
      • memory/2696-138-0x0000025A041E0000-0x0000025A0427E000-memory.dmp
        Filesize

        632KB

        Download
      • memory/2696-137-0x00007FF639090000-0x00007FF639123000-memory.dmp
        Filesize

        588KB

        Download
      • memory/3024-126-0x0000000004DA0000-0x0000000004EAE000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/3024-119-0x0000000006C10000-0x0000000006D3E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/3036-127-0x0000000000000000-mapping.dmp
        Download