Overview

overview

10

Static

static

1

1.exe

windows7_x64

10

1.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    22-10-2021 08:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1.exe

  • Size

    416KB

  • MD5

    1a3bcd7f400b0d7a37166c1c5af7f886

  • SHA1

    a654cdfc29951ac2e77af3fbbbd7160b5205c8f9

  • SHA256

    fe63755f7b7c30e933cb3897136a75a7d1903ca044a04ef9bd91d426596f279d

  • SHA512

    47974116e9b5b0cc6407fe7c651619b6fef5af7df0190d3b4e5c906a1520ed66ae7e4e1af6e578bf93af9dbd3625845678fd834aea15db9082dad2abbd77f69f

Score
10/10
xloaderiaoploaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

iaop

C2

http://www.georgeinnhatherleigh.com/iaop/

Decoy

oosakichi.com

group1beadles.com

navegadorexclusivo.digital

awefca.xyz

strakerwilliams.com

stone-img.com

radialodge.com

tequesquitengo.net

humanegardens.com

rubberyporqjp.xyz

farazkhak.com

gfsexpornvideos.com

stealth-carrier.com

hemtpi.xyz

tygcj.com

agileiance.com

ioan316.com

kitchendesigns.xyz

shannacarolphotography.com

oheytech88.net

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1876
      • C:\Users\Admin\AppData\Local\Temp\1.exe
        "C:\Users\Admin\AppData\Local\Temp\1.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1328
    • C:\Windows\SysWOW64\help.exe
      "C:\Windows\SysWOW64\help.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1476
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\1.exe"
        3⤵
        • Deletes itself
        PID:920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsyBEED.tmp\wvhivcwcy.dll
    MD5

    5d0d2589c6c859b43bb0e6c6b88fa767

    SHA1

    4085e250109fefddf1a35b3fb3fadc66714effda

    SHA256

    6de76b65e1561c0897a3261b9fe55ac75ef4d1e2456a302a9257dc38dcb81d1e

    SHA512

    8ef33f865ed19fd6779e7520590bbe1aa864cc5f7e3222f314f6953abcbc7537aaf2397f0b91a720db3e220cea1c3da15ec453ea1d5bb82a7d783bf5853b68af

    Download Submit
  • memory/920-67-0x0000000000000000-mapping.dmp
    Download
  • memory/1304-62-0x0000000007570000-0x0000000007706000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1304-69-0x0000000005DC0000-0x0000000005EA0000-memory.dmp
    Filesize

    896KB

    Download
  • memory/1328-58-0x000000000041D4E0-mapping.dmp
    Download
  • memory/1328-60-0x0000000000740000-0x0000000000A43000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1328-61-0x0000000000360000-0x0000000000371000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1328-57-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1476-63-0x0000000000000000-mapping.dmp
    Download
  • memory/1476-64-0x0000000000030000-0x0000000000036000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1476-65-0x0000000000090000-0x00000000000B9000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1476-66-0x00000000008B0000-0x0000000000BB3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1476-68-0x00000000002F0000-0x0000000000380000-memory.dmp
    Filesize

    576KB

    Download
  • memory/1876-55-0x0000000075B71000-0x0000000075B73000-memory.dmp
    Filesize

    8KB

    Download