Overview

overview

10

Static

static

1

PURCHASE_O...DF.exe

windows7_x64

10

PURCHASE_O...DF.exe

windows10_x64

10

Analysis

  • max time kernel
    71s
  • max time network
    73s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    29-09-2021 10:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PURCHASE_ORDER_QUOTE_08974_PDF.exe

  • Size

    335KB

  • MD5

    da46f894bfb4c008ec86332694e96c4b

  • SHA1

    711061b453fdad42741ffb94e8dd4bc88c843c3e

  • SHA256

    d079479dd85fb94fe08f6cd70cfff35e39c14294174a8ed6f9b480ffc1cbc9b2

  • SHA512

    673fecd3b4bb8693f65c6cccd7dd22097918dcc17afab8fbd637e6c5b7d736c3b9fadef4a9d95a225814fb6239acbe05f090f679c0c631a4b6b3c02078eac01f

Score
10/10
xloaderm6rsloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

m6rs

C2

http://www.litediv.com/m6rs/

Decoy

globalsovereignbank.com

ktnrape.xyz

churchybulletin.com

ddyla.com

imatge.cat

iwholesalestore.com

cultivapro.club

ibcfcl.com

refurbisheddildo.com

killerinktnpasumo4.xyz

mdphotoart.com

smi-ity.com

stanprolearningcenter.com

companyintelapp.com

tacticarc.com

soolls.com

gra68.net

cedricettori.digital

mossobuy.com

way2liv.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PURCHASE_ORDER_QUOTE_08974_PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\PURCHASE_ORDER_QUOTE_08974_PDF.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:664
    • C:\Users\Admin\AppData\Local\Temp\PURCHASE_ORDER_QUOTE_08974_PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\PURCHASE_ORDER_QUOTE_08974_PDF.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsj86C0.tmp\nptvt.dll
    MD5

    da26ff9ae6b9598237bd1eb5dafb63ad

    SHA1

    791bcc972166c5d91b4c864100be0de85732d220

    SHA256

    46172625d47ca69be70167bc786fc8589f518ce9809967d0e2f1218b1e32c4cb

    SHA512

    4c662fc149ea9c5d457e47ade7c4e4160a3c04c8f4817d733ef78766774ae8b6b40a391d729bc653a1243956474b00b7dbfd8103f2693434337e091919c9ed5a

    Download Submit
  • memory/992-115-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/992-116-0x000000000041D3D0-mapping.dmp
    Download
  • memory/992-117-0x0000000000AC0000-0x0000000000DE0000-memory.dmp
    Filesize

    3.1MB

    Download