Overview

overview

10

Static

static

REE2021211...CT.exe

windows7_x64

10

REE2021211...CT.exe

windows7_x64

10

REE2021211...CT.exe

windows7_x64

10

REE2021211...CT.exe

windows11_x64

10

REE2021211...CT.exe

windows10_x64

10

REE2021211...CT.exe

windows10_x64

10

REE2021211...CT.exe

windows10_x64

10

Resubmissions

21-10-2021 12:23

211021-pkfx5sacd7 10

21-10-2021 11:12

211021-na81haabh3 10

Analysis

  • max time kernel
    153s
  • max time network
    158s
  • platform
    windows10_x64
  • resource
    win10-de-20211014
  • submitted
    21-10-2021 12:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    REE20212110575259OCT.exe

  • Size

    498KB

  • MD5

    9c00fc940483cff2a0f3f619db16ad54

  • SHA1

    6f9c746d9cfb4e0bbf829783a82b883f7317b16b

  • SHA256

    8a54e41751369783c64f56f30133b985933092324e9b2dad025641d23643280c

  • SHA512

    30451538f9ed65159280a168c711056d7bc0776d0c30f1c82bfa4dfacfe4373c01f503004f1eacc1a690104f99bf7e78c61c5436261c0813508467ff5dd4ff21

Score
10/10
xloadergab8loaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

gab8

C2

http://www.purodetalle.com/gab8/

Decoy

amateurfeetworship.com

big-food.biz

metaversevolution.com

profecional-pacasmayo.com

royzoom.com

bekindevolution.com

hokozaki.com

waltersswholesale.com

wayfinderacu.com

schnurrgallery.com

babygearrentals.net

imggtoken.club

24x7x366.com

lakiernictwo.info

les-cours.com

dwticket.com

onarollshades.com

ramireztradepartners.com

safarparfums.com

6ngie.info

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 21 IoCs
  • Suspicious behavior: EnumeratesProcesses 45 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2540
    • C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe
      "C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1188
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1420
      • C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe
        "C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1808
    • C:\Windows\SysWOW64\msdt.exe
      "C:\Windows\SysWOW64\msdt.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2260
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\REE20212110575259OCT.exe"
        3⤵
          PID:1716
    • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
      "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /frequentupdate SCHEDULEDTASK displaylevel=False
      1⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:2836

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1188-115-0x0000000000E00000-0x0000000000E01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1188-117-0x0000000005CA0000-0x0000000005CA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1188-118-0x0000000005840000-0x0000000005841000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1188-119-0x00000000057A0000-0x0000000005C9E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/1188-120-0x0000000005810000-0x0000000005811000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1188-121-0x0000000005980000-0x0000000005987000-memory.dmp
      Filesize

      28KB

      Download
    • memory/1188-122-0x00000000065C0000-0x00000000065C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1188-123-0x0000000006570000-0x00000000065BB000-memory.dmp
      Filesize

      300KB

      Download
    • memory/1420-139-0x0000000007E50000-0x0000000007E51000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1420-159-0x0000000009590000-0x00000000095C3000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1420-176-0x0000000009C00000-0x0000000009C01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1420-128-0x00000000049D0000-0x00000000049D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1420-127-0x00000000049D0000-0x00000000049D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1420-130-0x0000000006E40000-0x0000000006E41000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1420-131-0x0000000007620000-0x0000000007621000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1420-133-0x0000000006FE0000-0x0000000006FE1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1420-175-0x0000000006FE3000-0x0000000006FE4000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1420-174-0x0000000009B10000-0x0000000009B11000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1420-136-0x0000000006FE2000-0x0000000006FE3000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1420-173-0x000000007EDA0000-0x000000007EDA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1420-137-0x0000000007380000-0x0000000007381000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1420-138-0x0000000007520000-0x0000000007521000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1420-124-0x0000000000000000-mapping.dmp
      Download
    • memory/1420-140-0x0000000007EC0000-0x0000000007EC1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1420-172-0x0000000009990000-0x0000000009991000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1420-142-0x0000000007F30000-0x0000000007F31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1420-143-0x0000000007370000-0x0000000007371000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1420-167-0x0000000009570000-0x0000000009571000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1420-152-0x00000000049D0000-0x00000000049D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1420-146-0x0000000008390000-0x0000000008391000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1420-151-0x00000000087C0000-0x00000000087C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1420-150-0x0000000008980000-0x0000000008981000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1420-149-0x00000000082B0000-0x00000000082B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1716-147-0x0000000000000000-mapping.dmp
      Download
    • memory/1808-125-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1808-134-0x0000000001770000-0x0000000001781000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1808-132-0x0000000001970000-0x0000000001C90000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/1808-126-0x000000000041D3B0-mapping.dmp
      Download
    • memory/2260-148-0x00000000053E0000-0x0000000005700000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/2260-145-0x00000000010F0000-0x0000000001119000-memory.dmp
      Filesize

      164KB

      Download
    • memory/2260-144-0x0000000001240000-0x00000000013B3000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2260-141-0x0000000000000000-mapping.dmp
      Download
    • memory/2260-245-0x00000000050A0000-0x0000000005130000-memory.dmp
      Filesize

      576KB

      Download
    • memory/2540-135-0x0000000002520000-0x000000000260A000-memory.dmp
      Filesize

      936KB

      Download
    • memory/2540-246-0x00000000026D0000-0x0000000002781000-memory.dmp
      Filesize

      708KB

      Download