Overview

overview

10

Static

static

truck pictures.exe

windows7_x64

10

truck pictures.exe

windows10_x64

10

Resubmissions

27-09-2021 07:15

210927-h3flrsfhdl 10

19-09-2021 16:46

210919-t9ztrsehbn 10

Analysis

  • max time kernel
    600s
  • max time network
    597s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    27-09-2021 07:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    truck pictures.exe

  • Size

    634KB

  • MD5

    99ed5f72e5742e549a6ec78655fd3cfc

  • SHA1

    31a4f6fc81c45e49f4787cebe622256fa74d8a06

  • SHA256

    5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8

  • SHA512

    45abc2973402ba0ae81b4e708c257c9e8f5fe472b1fdf969766697a5226481764b0bf8d9be8dd99effd47e7556ed0110b48b892c315d850b952ed700ac2f9711

Score
10/10
xloadercuigloaderpersistenceratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

cuig

C2

http://www.qtih.top/cuig/

Decoy

sofiathinks-elderly.net

lahamicoast.info

2shengman.com

cbsautoplex.com

arcana-candles.com

genrage.com

kukumiou.xyz

thequizerking.com

sonataproductions.com

rebuildgomnmf.xyz

ubcoin.store

yiyouxue.net

firstlifehome.com

mdx-inc.net

gotbn-c01.com

dinobrindes.store

jcm-iso.com

cliente-mais.com

mloujewelry.com

correoversoi.quest

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 4 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\Users\Admin\AppData\Local\Temp\truck pictures.exe
      "C:\Users\Admin\AppData\Local\Temp\truck pictures.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1144
      • C:\Users\Admin\AppData\Local\Temp\truck pictures.exe
        "C:\Users\Admin\AppData\Local\Temp\truck pictures.exe"
        3⤵
          PID:1536
        • C:\Users\Admin\AppData\Local\Temp\truck pictures.exe
          "C:\Users\Admin\AppData\Local\Temp\truck pictures.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1556
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\SysWOW64\svchost.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Drops file in Program Files directory
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1880
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\truck pictures.exe"
          3⤵
          • Deletes itself
          PID:680
        • C:\Program Files\Mozilla Firefox\Firefox.exe
          "C:\Program Files\Mozilla Firefox\Firefox.exe"
          3⤵
            PID:1336
        • C:\Program Files (x86)\Kwnuxv4rh\ThumbCacheg0h.exe
          "C:\Program Files (x86)\Kwnuxv4rh\ThumbCacheg0h.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1916
          • C:\Program Files (x86)\Kwnuxv4rh\ThumbCacheg0h.exe
            "C:\Program Files (x86)\Kwnuxv4rh\ThumbCacheg0h.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1464

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Kwnuxv4rh\ThumbCacheg0h.exe
        MD5

        99ed5f72e5742e549a6ec78655fd3cfc

        SHA1

        31a4f6fc81c45e49f4787cebe622256fa74d8a06

        SHA256

        5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8

        SHA512

        45abc2973402ba0ae81b4e708c257c9e8f5fe472b1fdf969766697a5226481764b0bf8d9be8dd99effd47e7556ed0110b48b892c315d850b952ed700ac2f9711

        Download Submit
      • C:\Program Files (x86)\Kwnuxv4rh\ThumbCacheg0h.exe
        MD5

        99ed5f72e5742e549a6ec78655fd3cfc

        SHA1

        31a4f6fc81c45e49f4787cebe622256fa74d8a06

        SHA256

        5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8

        SHA512

        45abc2973402ba0ae81b4e708c257c9e8f5fe472b1fdf969766697a5226481764b0bf8d9be8dd99effd47e7556ed0110b48b892c315d850b952ed700ac2f9711

        Download Submit
      • C:\Program Files (x86)\Kwnuxv4rh\ThumbCacheg0h.exe
        MD5

        99ed5f72e5742e549a6ec78655fd3cfc

        SHA1

        31a4f6fc81c45e49f4787cebe622256fa74d8a06

        SHA256

        5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8

        SHA512

        45abc2973402ba0ae81b4e708c257c9e8f5fe472b1fdf969766697a5226481764b0bf8d9be8dd99effd47e7556ed0110b48b892c315d850b952ed700ac2f9711

        Download Submit
      • memory/680-68-0x0000000000000000-mapping.dmp
        Download
      • memory/1144-55-0x0000000000440000-0x0000000000447000-memory.dmp
        Filesize

        28KB

        Download
      • memory/1144-56-0x0000000002010000-0x0000000002011000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1144-57-0x0000000004300000-0x0000000004360000-memory.dmp
        Filesize

        384KB

        Download
      • memory/1144-58-0x0000000001F80000-0x0000000001FAB000-memory.dmp
        Filesize

        172KB

        Download
      • memory/1144-53-0x0000000000010000-0x0000000000011000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1336-79-0x0000000000000000-mapping.dmp
        Download
      • memory/1336-81-0x0000000000060000-0x0000000000119000-memory.dmp
        Filesize

        740KB

        Download
      • memory/1336-80-0x000000013F440000-0x000000013F4D3000-memory.dmp
        Filesize

        588KB

        Download
      • memory/1392-70-0x0000000006BB0000-0x0000000006D36000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/1392-63-0x00000000065A0000-0x000000000667D000-memory.dmp
        Filesize

        884KB

        Download
      • memory/1464-85-0x000000000041D3F0-mapping.dmp
        Download
      • memory/1464-87-0x00000000009A0000-0x0000000000CA3000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1556-62-0x0000000000240000-0x0000000000251000-memory.dmp
        Filesize

        68KB

        Download
      • memory/1556-61-0x0000000000AC0000-0x0000000000DC3000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1556-59-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

        Download
      • memory/1556-60-0x000000000041D3F0-mapping.dmp
        Download
      • memory/1880-71-0x0000000076581000-0x0000000076583000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1880-69-0x0000000000530000-0x00000000005C0000-memory.dmp
        Filesize

        576KB

        Download
      • memory/1880-65-0x0000000000250000-0x0000000000258000-memory.dmp
        Filesize

        32KB

        Download
      • memory/1880-67-0x00000000008F0000-0x0000000000BF3000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1880-66-0x0000000000080000-0x00000000000A9000-memory.dmp
        Filesize

        164KB

        Download
      • memory/1880-64-0x0000000000000000-mapping.dmp
        Download
      • memory/1916-72-0x0000000000000000-mapping.dmp
        Download
      • memory/1916-75-0x0000000000FF0000-0x0000000000FF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1916-78-0x0000000000FA0000-0x0000000000FA1000-memory.dmp
        Filesize

        4KB

        Download