Analysis
- max time kernel: 151s
- max time network: 154s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 05-10-2021 13:00

Static task: static1
Behavioral task: behavioral1
  Sample: cxl.exe
  Resource: win7-en-20210920

General
- Target: cxl.exe
- Size: 440KB
- MD5: f51da2ac8cdfc1ff41921f0fceee4514
- SHA1: f910ed6637480ff6930df72d9258029641a186ba
- SHA256: f89bda22f77706b290e5f56032cd4c884f8da016a379f6c6a978acf4983f0175
- SHA512: 830f6fadf25b3b839d648a71e82eb3fb37c0e5376d5ce76044a39321ab54f356cec4f9a8ef08f01ebe2d86b6e6643a24a591b680ab2f88c29ecb8e43e837ed46
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: noha
- C2: http://www.mglracing.com/noha/
- Decoy domains:
iphone13promax.support
trailer-racks.xyz
overseaspoolservice.com
r2d2u.com
dawajeju.com
nextgenproxyvote.com
xn--vhqp8mm8dbtz.group
commonsenserisk.com
cmcqgxtyd.com
data2form.com
bois-applique.com
originallollipop.com
lj0008lj.net
spfldvaccineday.info
phalcosnusa.com
llcmastermachine.com
onlyforu14.rest
bestmarketingautomations.com
officialswitchmusic.com
thepretenseofjustice.com
authenticradio.net
standardizedsubmissions.com
aegnoshipping.com
478762.com
inclusionchecks.com
number-is-04.net
yyds9527.space
big-thought.com
controle2.email
groupninemed.com
fisworkdeck.com
imonbayazid.com
pixlrz.com
headlinebysmp.com
simulatefuck.com
efficientmother.com
wkshops22012.xyz
artehamburguer.com
beauallenpoetry.com
bonairemarathon.com
sprintfingers.com
ranbix.com
denghaoxin.club
jillianvansice.com
purpledge.com
mariadimitropoulou.com
surveyplanetgroup.tech
apocalyptoapertureserrature.net
cbd-cannabis.store
dirtcheapfire.com
xn--zbss74a16j.xn--czru2d
auth-appsgo.com
estchemdelat.space
kweeka.money
marketingtipsntricks.com
dayandwestbeauty.com
paddlercentral.com
nongminle.net
aodesai.store
evtasimaucretleri.com
micj7873.com
unarecord.com
zsnhviig.xyz
hallmark-transport.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)

- Xloader Payload (3 IoCs)
  Processes:
    resource                                                                     yara_rule
    behavioral1/memory/1776-55-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
    behavioral1/memory/1776-56-0x000000000041D490-mapping.dmp                    xloader
    behavioral1/memory/1828-65-0x00000000000D0000-0x00000000000F9000-memory.dmp  xloader

- Deletes itself (1 IoCs)
  Processes:
    pid  process
    316  cmd.exe

- Loads dropped DLL (1 IoCs)
  Processes:
    pid   process
    1544  cxl.exe

- Suspicious use of SetThreadContext (4 IoCs)
  Processes:
    description                          pid   process     target process
    PID 1544 set thread context of 1776  1544  cxl.exe     cxl.exe
    PID 1776 set thread context of 1404  1776  cxl.exe     Explorer.EXE
    PID 1776 set thread context of 1404  1776  cxl.exe     Explorer.EXE
    PID 1828 set thread context of 1404  1828  chkdsk.exe  Explorer.EXE

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Enumerates system info in registry (2 TTPs, 1 IoCs)
  Processes:
    description        ioc                                                       process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  chkdsk.exe

- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  Processes:
    pid   process
    1776  cxl.exe     (3 entries)
    1828  chkdsk.exe  (28 entries)

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid   process
    1404  Explorer.EXE

- Suspicious behavior: MapViewOfSection (6 IoCs)
  Processes:
    pid   process
    1776  cxl.exe     (4 entries)
    1828  chkdsk.exe  (2 entries)

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1776  cxl.exe
    Token: SeDebugPrivilege  1828  chkdsk.exe

- Suspicious use of FindShellTrayWindow (6 IoCs)
  Processes:
    pid   process
    1404  Explorer.EXE  (6 entries)

- Suspicious use of SendNotifyMessage (6 IoCs)
  Processes:
    pid   process
    1404  Explorer.EXE  (6 entries)

- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
    description                       pid   process       target process
    PID 1544 wrote to memory of 1776  1544  cxl.exe       cxl.exe        (7 entries)
    PID 1404 wrote to memory of 1828  1404  Explorer.EXE  chkdsk.exe     (4 entries)
    PID 1828 wrote to memory of 316   1828  chkdsk.exe    cmd.exe        (4 entries)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\cxl.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cxl.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\cxl.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\cxl.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\chkdsk.exe
    Command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\cxl.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
- \Users\Admin\AppData\Local\Temp\nslB1C2.tmp\iivedwr.dll
  MD5: 3e9d045c2d39e938be8d6ca201334b33
  SHA1: 2d186f686d45dfdd4657b905ae96976696fd8413
  SHA256: 017ac808ba839b52ff09e5cced4a6a7e1673a8bdbcc4f5e78d8e0ce3b05acc7d
  SHA512: 48ffe8f61bc0ee3121658600ae91e63631b99c1d7332898ac4e68fcde6348a6ff419d71171905c1ee1f5440e13405bbd1734fe2f3e0e460ffc0a9c86bac724d1
- memory/316-63-0x0000000000000000-mapping.dmp
- memory/1404-59-0x0000000006050000-0x0000000006170000-memory.dmp (Filesize 1.1MB)
- memory/1404-68-0x0000000006A60000-0x0000000006B6F000-memory.dmp (Filesize 1.1MB)
- memory/1404-61-0x0000000004210000-0x000000000430B000-memory.dmp (Filesize 1004KB)
- memory/1544-53-0x00000000751D1000-0x00000000751D3000-memory.dmp (Filesize 8KB)
- memory/1776-57-0x0000000000950000-0x0000000000C53000-memory.dmp (Filesize 3.0MB)
- memory/1776-60-0x0000000000570000-0x0000000000581000-memory.dmp (Filesize 68KB)
- memory/1776-58-0x00000000002C0000-0x00000000002D1000-memory.dmp (Filesize 68KB)
- memory/1776-56-0x000000000041D490-mapping.dmp
- memory/1776-55-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize 164KB)
- memory/1828-62-0x0000000000000000-mapping.dmp
- memory/1828-65-0x00000000000D0000-0x00000000000F9000-memory.dmp (Filesize 164KB)
- memory/1828-66-0x00000000020B0000-0x00000000023B3000-memory.dmp (Filesize 3.0MB)
- memory/1828-64-0x00000000005A0000-0x00000000005A7000-memory.dmp (Filesize 28KB)
- memory/1828-67-0x0000000001DE0000-0x0000000001E70000-memory.dmp (Filesize 576KB)