Resubmissions

21-10-2021 12:23

211021-pkp6tabbdj 10

21-10-2021 10:11

211021-l7x86abaak 10

Analysis

  • max time kernel
    117s
  • max time network
    357s
  • platform
    windows10_x64
  • resource
    win10-ja-20211014
  • submitted
    21-10-2021 12:23

General

  • Target

    371c76d36256463a54d34e12d6741720.exe

  • Size

    251KB

  • MD5

    371c76d36256463a54d34e12d6741720

  • SHA1

    41843093a5b3a7f5712abd30937004b203851252

  • SHA256

    4de35ea5d1f54708e27e4806246a6c9d9b2217cfef24c7b2321a8f6026c5d98c

  • SHA512

    f2e87fb4628a8b413ced0d92bcedafc4667e8655ac2c13fa15b7f806ddd19daec919003da80f4157f83e5a24b24a4ccac98c2dfd351227b6a549443c8e7c5759

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

m5cw

C2

http://www.art-for-a-cause.com/m5cw/

Decoy

stolpfabriken.com

aromaessentialco.com

rmcclaincpa.com

wuruixin.com

sidhyanticlasses.com

horilka.store

organic-outlaws.com

customsoftwarelogistics.com

cheryltesting.com

thecompacthomegym.com

the22yards.club

quickloanprovidersservices.com

grippyent.com

guard-usa.com

agircredit.com

classificationmetallurgie.com

quizzesandcode.com

catdanos.com

8676789.rest

gotbestshavlngplansforyou.com
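The C2 and decoy list above is only useful if it is turned into something a proxy or DNS log can be matched against. The block below is an added example (not code from the sandbox report): it builds the candidate host set from the extracted config and scans proxy log lines for the campaign path. It assumes, as is usual for the Formbook family, that the sample sends the same campaign path ("/m5cw/") to every domain in its list, so decoy domains are matched alongside the confirmed C2; the proxy log format and the log lines are constructed for the example.

```python
"""Turn the extracted Xloader config into a URL-candidate set and scan
proxy logs for it.

Added example, not code from the sandbox report. Assumption: Formbook-family
samples send the same campaign path ("/m5cw/") to every domain in their
list, so the decoy domains are matched alongside the confirmed C2. The
proxy log format and the log lines are constructed for this example.
"""
import re
from typing import Dict, Iterable, List

# Values copied from the report's "Malware Config" section.
CAMPAIGN = "m5cw"
C2 = "http://www.art-for-a-cause.com/m5cw/"
DECOYS = [
    "stolpfabriken.com", "aromaessentialco.com", "rmcclaincpa.com",
    "wuruixin.com", "sidhyanticlasses.com", "horilka.store",
    "organic-outlaws.com", "customsoftwarelogistics.com", "cheryltesting.com",
    "thecompacthomegym.com", "the22yards.club",
    "quickloanprovidersservices.com", "grippyent.com", "guard-usa.com",
    "agircredit.com", "classificationmetallurgie.com", "quizzesandcode.com",
    "catdanos.com", "8676789.rest", "gotbestshavlngplansforyou.com",
]


def campaign_path(campaign: str) -> str:
    """The URI prefix every beacon in this campaign shares."""
    return f"/{campaign}/"


def strip_www(host: str) -> str:
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def candidate_hosts() -> List[str]:
    """Confirmed C2 host plus decoys, each with and without a leading www."""
    c2_host = re.match(r"https?://([^/]+)/", C2).group(1)
    bare = {strip_www(c2_host), *DECOYS}
    return sorted(h for b in bare for h in (b, "www." + b))


# Constructed proxy log format: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")
URL_RE = re.compile(r"^https?://([^/:?]+)(?::\d+)?(/[^?]*)?")


def scan_proxy_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """One hit per line whose host is a candidate and whose path starts with the campaign path."""
    hosts = set(candidate_hosts())
    path = campaign_path(CAMPAIGN)
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, status = m.groups()
        u = URL_RE.match(url)
        if not u:
            continue
        host, url_path = u.group(1).lower(), u.group(2) or "/"
        if host in hosts and url_path.startswith(path):
            hits.append({"ts": ts, "client": client, "method": method,
                         "host": host, "status": status})
    return hits


# Constructed sample: two beacons to campaign hosts, one benign request to a
# decoy domain (different path), one unrelated host using the same path.
SAMPLE_LOG = [
    "2021-10-21T12:25:01Z 10.0.0.15 GET http://www.art-for-a-cause.com/m5cw/?y0=Q8k4 404",
    "2021-10-21T12:25:03Z 10.0.0.15 POST http://www.stolpfabriken.com/m5cw/ 200",
    "2021-10-21T12:25:05Z 10.0.0.22 GET https://stolpfabriken.com/about/ 200",
    "2021-10-21T12:25:07Z 10.0.0.22 GET http://example.org/m5cw/ 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

Matching on host plus campaign path, rather than on the decoy domains alone, is what keeps the false positives down: the decoys are ordinary sites that users may legitimately visit, and only the shared "/m5cw/" path ties a request to this campaign.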

Signatures

  • Registers COM server for autorun 1 TTPs
  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox describes this as likely ransomware behaviour, but that is a generic heuristic text; Xloader is an information stealer, and the drive enumeration here fits discovery rather than encryption.

  • Modifies data under HKEY_USERS 23 IoCs
  • Modifies registry class 44 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\371c76d36256463a54d34e12d6741720.exe
    "C:\Users\Admin\AppData\Local\Temp\371c76d36256463a54d34e12d6741720.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4156
    • C:\Users\Admin\AppData\Local\Temp\371c76d36256463a54d34e12d6741720.exe
      "C:\Users\Admin\AppData\Local\Temp\371c76d36256463a54d34e12d6741720.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3116
  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.196.0921.0007\FileSyncConfig.exe
    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.196.0921.0007\FileSyncConfig.exe"
    1⤵
    • Modifies registry class
    PID:4432
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /frequentupdate SCHEDULEDTASK displaylevel=False
    1⤵
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4780
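The tree shows the sample starting a second copy of itself (PID 4156 spawning PID 3116), with the parent tripping the SetThreadContext and WriteProcessMemory signatures and the child doing the process enumeration; the OneDrive and Office Click-to-Run processes sit at the top level, not under the sample. The block below is an added example, not code from the report: it scores that self-spawn-then-write pattern over Sysmon-style process creation (Event ID 1) and process access (Event ID 10) records. The field names and the access-right constants are Sysmon's and Windows', the event records are constructed to mirror the tree above (with a benign browser self-spawn added as a control), and the user-writable path list, the scoring and the threshold are assumptions.

```python
"""Flag the self-spawn-then-write pattern in the process tree above: the
sample starts a second copy of itself (PID 4156 -> 3116) and the parent
trips the SetThreadContext / WriteProcessMemory signatures.

Added example, not code from the report. It uses Sysmon field names
(Event ID 1 process creation, Event ID 10 process access) and Windows
process-access rights; the event records are constructed to mirror the
report's tree, and the user-writable path list and scoring are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

# Process access rights WriteProcessMemory needs on the target handle.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Assumption: an executable running from these locations deserves extra weight.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\public\\")
REPORT_THRESHOLD = 2  # self-spawn alone (score 1) is normal for browsers and similar


@dataclass
class Finding:
    parent_pid: int
    child_pid: int
    image: str
    score: int
    reasons: List[str]


def _write_capable(granted_access: str) -> bool:
    """True when the handle carries both rights WriteProcessMemory requires."""
    return int(granted_access, 16) & WRITE_MASK == WRITE_MASK


def detect_self_injection(events: List[Dict]) -> List[Finding]:
    """Score every same-image parent/child pair; report those at or above the threshold."""
    creates = [e for e in events if e["EventID"] == 1]
    accesses = [e for e in events if e["EventID"] == 10]
    findings = []
    for c in creates:
        if c["Image"].lower() != c["ParentImage"].lower():
            continue
        ppid, pid = c["ParentProcessId"], c["ProcessId"]
        score, reasons = 1, ["self-spawn"]
        if any(m in c["Image"].lower() for m in USER_WRITABLE):
            score += 1
            reasons.append("runs from user-writable path")
        # Did the parent open its own child with write-capable rights?
        for a in accesses:
            if (a["SourceProcessId"], a["TargetProcessId"]) == (ppid, pid) \
                    and _write_capable(a["GrantedAccess"]):
                score += 2
                reasons.append(f"parent opened child with {a['GrantedAccess']} "
                               "(VM_WRITE|VM_OPERATION set)")
                break
        if score >= REPORT_THRESHOLD:
            findings.append(Finding(ppid, pid, c["Image"], score, reasons))
    return findings


SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\371c76d36256463a54d34e12d6741720.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"  # constructed control case

# Constructed events mirroring the report's tree, plus a benign browser self-spawn.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 3116, "Image": SAMPLE_EXE,
     "ParentProcessId": 4156, "ParentImage": SAMPLE_EXE},
    {"EventID": 10, "SourceProcessId": 4156, "TargetProcessId": 3116,
     "SourceImage": SAMPLE_EXE, "TargetImage": SAMPLE_EXE, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "ProcessId": 4432,
     "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.196.0921.0007\FileSyncConfig.exe",
     "ParentProcessId": 1234, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 5210, "Image": CHROME,
     "ParentProcessId": 5100, "ParentImage": CHROME},
    {"EventID": 10, "SourceProcessId": 5100, "TargetProcessId": 5210,
     "SourceImage": CHROME, "TargetImage": CHROME, "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for f in detect_self_injection(SAMPLE_EVENTS):
        print(f"{f.parent_pid} -> {f.child_pid} score={f.score}: {'; '.join(f.reasons)}")
```

SetThreadContext itself is not visible in Event ID 10 (it needs a thread handle, not a process handle), which is why the check keys on the write rights that WriteProcessMemory needs and on the self-spawn, and leaves the browser-style self-spawn with a query-only handle below the threshold.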

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Discovery

System Information Discovery

1
T1082


Downloads

  • \Users\Admin\AppData\Local\Temp\nshFBE6.tmp\ztqv.dll
    MD5

    97d84d39bb68b5a29e976b40d7d0a00c

    SHA1

    cf4c09487fffb9ace9ab6b82f33da0d5a851ef1c

    SHA256

    5b29c5ee49d9cdde15d88a9e4f8f6b4bba9e2dc4ec65c02d734726fe0f2952c8

    SHA512

    aab5b8831538f96c00e77f16349065bfaa93e7b25206a6d5fe0871f518f38ae31437f2f9f93f36f488e1869eaf97dd4697a282d726ce9a292cf4276242733546

  • memory/3116-116-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

  • memory/3116-117-0x000000000041D4C0-mapping.dmp
  • memory/3116-118-0x0000000000AB0000-0x0000000000DD0000-memory.dmp
    Filesize

    3.1MB
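The dump names above encode the process, a sequence number and the address range, so the listed sizes and the relationship between the mapping address and the image region can be checked rather than taken on trust; the nshFBE6.tmp directory that holds the dropped DLL also follows the ns<letter><hex>.tmp pattern NSIS installers use for their plug-in directory, which is consistent with the 251KB sample being an NSIS package, though the report does not say so. The block below is an added example, not code from the report: it parses the dump names, reproduces the report's size rounding, locates the mapping address inside a dumped region, and verifies a file against the dropped DLL's listed hashes. The naming convention is read off the names listed above; how the sandbox chose those regions is not described on the page.

```python
"""Parse the memory-dump names in the Downloads section, check the listed
sizes and the mapping address against them, and verify a file's hashes
against the report.

Added example, not code from the report. The dump naming convention
(memory/<pid>-<seq>-<start>-<end>-memory.dmp and ...-<addr>-mapping.dmp)
is read off the names above; how the sandbox chose those regions is not
described on the page.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$"
)


@dataclass
class Dump:
    pid: int
    seq: int
    start: int
    end: Optional[int]  # None for a mapping dump, which names a single address

    @property
    def size(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start

    def contains(self, addr: int) -> bool:
        return self.end is not None and self.start <= addr < self.end


def parse_dump_name(name: str) -> Dump:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    end = m.group("end")
    return Dump(int(m.group("pid")), int(m.group("seq")),
                int(m.group("start"), 16), int(end, 16) if end else None)


def human_size(n: int) -> str:
    """Round the way the report does: whole KB below 1 MiB, one decimal MB above."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def check_dumps(names: List[str]) -> Dict[str, str]:
    """Map each dump name to its computed size or, for a mapping, the region that holds it."""
    dumps = [parse_dump_name(n) for n in names]
    regions = [d for d in dumps if d.end is not None]
    result = {}
    for n, d in zip(names, dumps):
        if d.end is not None:
            result[n] = human_size(d.size)
        else:
            inside = [r for r in regions if r.contains(d.start)]
            result[n] = (f"inside 0x{inside[0].start:X}-0x{inside[0].end:X}" if inside
                         else "outside every dumped region")
    return result


# Names copied from the report's Downloads section (process 3116).
REPORT_DUMPS = [
    "memory/3116-116-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/3116-117-0x000000000041D4C0-mapping.dmp",
    "memory/3116-118-0x0000000000AB0000-0x0000000000DD0000-memory.dmp",
]

# Hashes of the dropped DLL, copied from the report.
DROPPED_DLL_HASHES = {
    "md5": "97d84d39bb68b5a29e976b40d7d0a00c",
    "sha1": "cf4c09487fffb9ace9ab6b82f33da0d5a851ef1c",
    "sha256": "5b29c5ee49d9cdde15d88a9e4f8f6b4bba9e2dc4ec65c02d734726fe0f2952c8",
    "sha512": "aab5b8831538f96c00e77f16349065bfaa93e7b25206a6d5fe0871f518f38ae3"
              "1437f2f9f93f36f488e1869eaf97dd4697a282d726ce9a292cf4276242733546",
}


def hash_bytes(data: bytes) -> Dict[str, str]:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in DROPPED_DLL_HASHES}


def mismatched_hashes(data: bytes, expected: Dict[str, str]) -> List[str]:
    """Algorithms whose digest of `data` differs from the report; empty means it is the same file."""
    got = hash_bytes(data)
    return [alg for alg, want in expected.items() if got[alg] != want.lower()]


if __name__ == "__main__":
    for name, note in check_dumps(REPORT_DUMPS).items():
        print(f"{name}: {note}")
```

The first region starts at 0x400000, the default image base for a 32-bit PE, and the mapping address 0x41D4C0 falls inside it, so the 164KB dump is the natural starting point for pulling the unpacked payload out; the 3.1MB region at 0xAB0000 is a separate allocation.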