Overview

overview

10

Static

static

1

PO410.EXE

windows7_x64

10

PO410.EXE

windows10_x64

10

Analysis

  • max time kernel
    136s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    01-11-2021 19:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO410.EXE

  • Size

    510KB

  • MD5

    ad7186322cdd40e2b1b1611e483f7f3d

  • SHA1

    6d21feb43f067ed236788e66c15e7dd0fe80de89

  • SHA256

    daeedbdae991fad156f54e821b3bb18763922f0cff3b7331e23ae6bce40a4cc4

  • SHA512

    b753101e66b98d6e99318ba958c5accc2dfb98b485d0176cd0d5665149bf732222d6082af4a9bba6f2a3b33d9f97b75fec0300419fe4a7373aac98ec800541fc

Score
10/10
xloaderhpinloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

hpin

C2

http://www.smgraphicdesign.com/hpin/

Decoy

lalashealingplace.com

melaniealdridgephotography.com

ss3369.com

career-bliss.com

handelbabu.quest

larryhover.com

xyz-vr.xyz

telvicedemo.net

aaakk95.com

follow-er.com

thepiwarrior.com

dgltqd.com

dailyswee.com

tonymoney.net

earthsidesoulalchemist.com

meditatieleeuwarden.online

blancorealtor.com

xn--erhardlohmller-psb.gmbh

coachtobetter.info

singpost.agency

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1356
      • C:\Users\Admin\AppData\Local\Temp\PO410.EXE
        "C:\Users\Admin\AppData\Local\Temp\PO410.EXE"
        2⤵
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:368
        • C:\Users\Admin\AppData\Local\Temp\PO410.EXE
          "C:\Users\Admin\AppData\Local\Temp\PO410.EXE"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:820

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\nso3D9.tmp\wsbrkczsk.dll
      MD5

      099722351dc74e898ecabce1d16a3b64

      SHA1

      3dd5c13bec54537e1f2a5081a8ce93d2ac4f0d5a

      SHA256

      1895ecc21ae7170272a3466cfc75ae8e30565155cc301f7a4ea95834f672ea37

      SHA512

      a417bd75ff5b07dbb20db30537491dbcce4562c171a7bfc7a3931e0879d244930f1696d281b0dc0a8ab3802e25edf11cb752788d838e9333010847315caad39b

      Download Submit
    • memory/368-54-0x0000000075A71000-0x0000000075A73000-memory.dmp
      Filesize

      8KB

      Download
    • memory/820-56-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/820-57-0x000000000041D480-mapping.dmp
      Download
    • memory/820-58-0x0000000000890000-0x0000000000B93000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/820-60-0x0000000000340000-0x0000000000351000-memory.dmp
      Filesize

      68KB

      Download
    • memory/820-61-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/820-62-0x0000000000390000-0x00000000003A1000-memory.dmp
      Filesize

      68KB

      Download