Overview

overview

10

Static

static

triage_dro...le.exe

windows7_x64

10

triage_dro...le.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    25-10-2021 11:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    triage_dropped_file.exe

  • Size

    941KB

  • MD5

    538af9b3eb449aaf53eeaf6ecf3c4037

  • SHA1

    edc27955b5d2388c7a2b792721941d2c270eac5a

  • SHA256

    de43df6bd459b56aec0cd86e0873cc0c5b556e08547e2b9ea79082c44d9b7220

  • SHA512

    a5eb2c410f8669bfb744158d459fe69221649d444394958774f2d91b7082c6537f798114ca51b395d7fe35db634cf41b86d6b7bb589ee17e0acd688bfea17ba3

Score
10/10
xloaderfpdiloaderpersistenceratspywarestealersuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

fpdi

C2

http://www.walletwriter.space/fpdi/

Decoy

jencio.com

b9jty7.com

banahinvestments.com

capitolfurniture.net

jlvip1086.com

pompeyocargo.com

designbyshubhi.info

elbauldepecas.com

bracelexx.online

advanceporbrx.xyz

ruihongco.com

wipemirecord.com

goodfoodsme.com

sommpick.com

rangilugujarat.com

realestate5g.com

spunkdlashes.com

palisadestahoehousing.com

brandingsocal.com

privatejetsboston.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 4 IoCs
    rat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe
      "C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3492
      • C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe
        "C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:4080
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Adds policy Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:584
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe"
        3⤵
          PID:1120
        • C:\Windows\SysWOW64\cmd.exe
          /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
          3⤵
            PID:3328
          • C:\Program Files\Mozilla Firefox\Firefox.exe
            "C:\Program Files\Mozilla Firefox\Firefox.exe"
            3⤵
              PID:3296
          • C:\Program Files (x86)\Cdzmtq4lp\zbelg08pafc4nrw.exe
            "C:\Program Files (x86)\Cdzmtq4lp\zbelg08pafc4nrw.exe"
            2⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Drops file in Program Files directory
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:936
            • C:\Program Files (x86)\Cdzmtq4lp\zbelg08pafc4nrw.exe
              "C:\Program Files (x86)\Cdzmtq4lp\zbelg08pafc4nrw.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3956

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Cdzmtq4lp\zbelg08pafc4nrw.exe
          MD5

          538af9b3eb449aaf53eeaf6ecf3c4037

          SHA1

          edc27955b5d2388c7a2b792721941d2c270eac5a

          SHA256

          de43df6bd459b56aec0cd86e0873cc0c5b556e08547e2b9ea79082c44d9b7220

          SHA512

          a5eb2c410f8669bfb744158d459fe69221649d444394958774f2d91b7082c6537f798114ca51b395d7fe35db634cf41b86d6b7bb589ee17e0acd688bfea17ba3

          Download Submit
        • C:\Program Files (x86)\Cdzmtq4lp\zbelg08pafc4nrw.exe
          MD5

          538af9b3eb449aaf53eeaf6ecf3c4037

          SHA1

          edc27955b5d2388c7a2b792721941d2c270eac5a

          SHA256

          de43df6bd459b56aec0cd86e0873cc0c5b556e08547e2b9ea79082c44d9b7220

          SHA512

          a5eb2c410f8669bfb744158d459fe69221649d444394958774f2d91b7082c6537f798114ca51b395d7fe35db634cf41b86d6b7bb589ee17e0acd688bfea17ba3

          Download Submit
        • C:\Program Files (x86)\Cdzmtq4lp\zbelg08pafc4nrw.exe
          MD5

          538af9b3eb449aaf53eeaf6ecf3c4037

          SHA1

          edc27955b5d2388c7a2b792721941d2c270eac5a

          SHA256

          de43df6bd459b56aec0cd86e0873cc0c5b556e08547e2b9ea79082c44d9b7220

          SHA512

          a5eb2c410f8669bfb744158d459fe69221649d444394958774f2d91b7082c6537f798114ca51b395d7fe35db634cf41b86d6b7bb589ee17e0acd688bfea17ba3

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\DB1
          MD5

          b608d407fc15adea97c26936bc6f03f6

          SHA1

          953e7420801c76393902c0d6bb56148947e41571

          SHA256

          b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

          SHA512

          cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

          Download Submit
        • memory/584-127-0x0000000005160000-0x0000000005480000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/584-128-0x00000000050B0000-0x0000000005140000-memory.dmp
          Filesize

          576KB

          Download
        • memory/584-123-0x0000000000000000-mapping.dmp
          Download
        • memory/584-124-0x0000000001090000-0x00000000010B7000-memory.dmp
          Filesize

          156KB

          Download
        • memory/584-125-0x0000000000DA0000-0x0000000000DC9000-memory.dmp
          Filesize

          164KB

          Download
        • memory/936-132-0x0000000000000000-mapping.dmp
          Download
        • memory/1120-126-0x0000000000000000-mapping.dmp
          Download
        • memory/3064-122-0x0000000000930000-0x00000000009DF000-memory.dmp
          Filesize

          700KB

          Download
        • memory/3064-129-0x0000000005E20000-0x0000000005F2D000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/3328-130-0x0000000000000000-mapping.dmp
          Download
        • memory/3492-115-0x00000000001D0000-0x00000000001D6000-memory.dmp
          Filesize

          24KB

          Download
        • memory/3492-116-0x00000000001D0000-0x00000000001DA000-memory.dmp
          Filesize

          40KB

          Download
        • memory/3956-138-0x000000000041D460-mapping.dmp
          Download
        • memory/3956-140-0x00000000009D0000-0x0000000000CF0000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/4080-121-0x00000000009D0000-0x00000000009E1000-memory.dmp
          Filesize

          68KB

          Download
        • memory/4080-120-0x0000000000A10000-0x0000000000D30000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/4080-118-0x000000000041D460-mapping.dmp
          Download
        • memory/4080-117-0x0000000000400000-0x0000000000429000-memory.dmp
          Filesize

          164KB

          Download