Overview

overview

10

Static

static

Quotation-...is.exe

windows7_x64

10

Quotation-...is.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    15-10-2021 21:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation- urgent basis.exe

  • Size

    349KB

  • MD5

    ef946df7574b283bf24b349d2cb679bf

  • SHA1

    5100dfe4456adfd5cea41b5c137ea9e2fd10c7f7

  • SHA256

    5bb8975c8a7e8080a8a68034458adfb7b8e9812b5a1fdd15f891656b03d086e6

  • SHA512

    1a06445a1433fa1701ce6a06b9c3d134f2322dde48994a4ed1d1805fb2b8d49b859d2ffefcfa7f967af49b4f761e2629530e3a37389d271516719b8b43e94108

Score
10/10
xloaderb2c0loaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

b2c0

C2

http://www.thesewhitevvalls.com/b2c0/

Decoy

bjyxszd520.xyz

hsvfingerprinting.com

elliotpioneer.com

bf396.com

chinaopedia.com

6233v.com

shopeuphoricapparel.com

loccssol.store

truefictionpictures.com

playstarexch.com

peruviancoffee.store

shobhajoshi.com

philme.net

avito-rules.com

independencehomecenters.com

atp-cayenne.com

invetorsbank.com

sasanos.com

scentfreebnb.com

catfuid.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 4 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1392
    • C:\Users\Admin\AppData\Local\Temp\Quotation- urgent basis.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation- urgent basis.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1752
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tSXhFZeobghlE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp70BD.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:860
      • C:\Users\Admin\AppData\Local\Temp\Quotation- urgent basis.exe
        "C:\Users\Admin\AppData\Local\Temp\Quotation- urgent basis.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:912
        • C:\Windows\SysWOW64\wuapp.exe
          "C:\Windows\SysWOW64\wuapp.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1096
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\Quotation- urgent basis.exe"
            5⤵
            • Deletes itself
            PID:1084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/860-60-0x0000000000000000-mapping.dmp
    Download
  • memory/912-67-0x0000000000210000-0x0000000000221000-memory.dmp
    Filesize

    68KB

    Download
  • memory/912-63-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/912-66-0x0000000000820000-0x0000000000B23000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/912-70-0x0000000000350000-0x0000000000361000-memory.dmp
    Filesize

    68KB

    Download
  • memory/912-61-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/912-62-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/912-64-0x000000000041D4C0-mapping.dmp
    Download
  • memory/912-69-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1084-75-0x0000000000000000-mapping.dmp
    Download
  • memory/1096-73-0x0000000000290000-0x000000000029B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/1096-77-0x0000000001CA0000-0x0000000001D30000-memory.dmp
    Filesize

    576KB

    Download
  • memory/1096-72-0x0000000000000000-mapping.dmp
    Download
  • memory/1096-74-0x00000000000F0000-0x0000000000119000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1096-76-0x0000000001F70000-0x0000000002273000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1392-71-0x0000000007160000-0x0000000007283000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1392-78-0x0000000008DF0000-0x0000000008F0E000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1392-68-0x00000000061E0000-0x00000000062A2000-memory.dmp
    Filesize

    776KB

    Download
  • memory/1752-58-0x0000000000350000-0x0000000000355000-memory.dmp
    Filesize

    20KB

    Download
  • memory/1752-54-0x0000000001030000-0x0000000001031000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1752-56-0x0000000076241000-0x0000000076243000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1752-57-0x0000000000EE0000-0x0000000000EE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1752-59-0x0000000000CC0000-0x0000000000D0B000-memory.dmp
    Filesize

    300KB

    Download