Resubmissions

21-10-2021 12:23

211021-pkp6tabbdj 10

21-10-2021 10:11

211021-l7x86abaak 10

Analysis

  • max time kernel
    210s
  • max time network
    376s
  • platform
    windows11_x64
  • resource
    win11
  • submitted
    21-10-2021 12:23

General

  • Target

    371c76d36256463a54d34e12d6741720.exe

  • Size

    251KB

  • MD5

    371c76d36256463a54d34e12d6741720

  • SHA1

    41843093a5b3a7f5712abd30937004b203851252

  • SHA256

    4de35ea5d1f54708e27e4806246a6c9d9b2217cfef24c7b2321a8f6026c5d98c

  • SHA512

    f2e87fb4628a8b413ced0d92bcedafc4667e8655ac2c13fa15b7f806ddd19daec919003da80f4157f83e5a24b24a4ccac98c2dfd351227b6a549443c8e7c5759

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

m5cw

C2

http://www.art-for-a-cause.com/m5cw/

Decoy

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 1 IoCs
  • Sets service image path in registry 2 TTPs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\371c76d36256463a54d34e12d6741720.exe
    "C:\Users\Admin\AppData\Local\Temp\371c76d36256463a54d34e12d6741720.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3300
    • C:\Users\Admin\AppData\Local\Temp\371c76d36256463a54d34e12d6741720.exe
      "C:\Users\Admin\AppData\Local\Temp\371c76d36256463a54d34e12d6741720.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1692
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 8d45c801146088e00e2c8e6ae8cb319a yHPgqmqVy0SwL0XrNvskGw.0.1.0.3.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:2352
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:788
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
    1⤵
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
      C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
      2⤵
      PID:2164
  • C:\Windows\System32\sihclient.exe
    C:\Windows\System32\sihclient.exe /cv yHPgqmqVy0SwL0XrNvskGw.0.2
    1⤵
    PID:2644
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2608
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 8d45c801146088e00e2c8e6ae8cb319a yHPgqmqVy0SwL0XrNvskGw.0.1.0.3.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:3680
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 8d45c801146088e00e2c8e6ae8cb319a yHPgqmqVy0SwL0XrNvskGw.0.1.0.3.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:1972

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    Modify Registry (T1112): 1
  • Discovery
    System Information Discovery (T1082): 2
    Query Registry (T1012): 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsqFCAB.tmp\ztqv.dll
    MD5

    97d84d39bb68b5a29e976b40d7d0a00c

    SHA1

    cf4c09487fffb9ace9ab6b82f33da0d5a851ef1c

    SHA256

    5b29c5ee49d9cdde15d88a9e4f8f6b4bba9e2dc4ec65c02d734726fe0f2952c8

    SHA512

    aab5b8831538f96c00e77f16349065bfaa93e7b25206a6d5fe0871f518f38ae31437f2f9f93f36f488e1869eaf97dd4697a282d726ce9a292cf4276242733546

  • memory/788-146-0x000001EB42B20000-0x000001EB42B30000-memory.dmp
    Filesize

    64KB

  • memory/788-147-0x000001EB42BA0000-0x000001EB42BB0000-memory.dmp
    Filesize

    64KB

  • memory/788-148-0x000001EB45290000-0x000001EB45294000-memory.dmp
    Filesize

    16KB

  • memory/1692-150-0x0000000000000000-mapping.dmp
  • memory/1692-151-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

  • memory/1692-152-0x0000000000C20000-0x0000000000F76000-memory.dmp
    Filesize

    3.3MB

  • memory/2164-153-0x0000000000000000-mapping.dmp