Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
11-11-2021 06:43
General
-
Target
swift.exe
-
Size
838KB
-
MD5
dae40883df63939076b90643ea59bc79
-
SHA1
cb5d1491347cc417bcc1d1e4090c8d6da787daec
-
SHA256
9f1a46f25ff46ddc69bb64b4bffbf628e41eb6c4820c617bfb06fd287e8cd08a
-
SHA512
a709fceca7430ae88e4d2d68bb166337820519293fbad8ec118c132ba0cf04872f75d3d27876a2589f8c6db31eee368f1882c9a5a654821370a0ffea4820cb8a
Malware Config
Extracted
xloader
2.5
rqan
http://www.cardboutiqueapp.com/rqan/
panda.wiki
gailkannamassage.com
ungravitystudio.com
coraggiomusicschool.com
51walkerstreetrippleside.com
infemax.store
mapara-foundation.net
elitespeedwaxs.com
manateeprint.com
thelocksmithtradeshow.com
phoenix-out-of-ashes.com
marionkgregory.store
abasketofwords.com
century21nokta.com
anthonyaarnold.com
forevermyanmar.com
ramashi.com
uniquecarbonbrush.com
packecco.com
appelnacrtl.quest
Signatures
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 54 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\swift.exe"C:\Users\Admin\AppData\Local\Temp\swift.exe"2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mobsync.exeC:\Windows\System32\mobsync.exe3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\chkdsk.exe"C:\Windows\SysWOW64\chkdsk.exe"2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1736-121-0x0000000004EC0000-0x00000000051E0000-memory.dmpFilesize
3.1MB
-
memory/1736-117-0x0000000000000000-mapping.dmp
-
memory/1736-118-0x0000000003000000-0x0000000003001000-memory.dmpFilesize
4KB
-
memory/1736-119-0x0000000072480000-0x00000000724A9000-memory.dmpFilesize
164KB
-
memory/1736-122-0x0000000003690000-0x00000000036A1000-memory.dmpFilesize
68KB
-
memory/3040-123-0x0000000002E80000-0x0000000002F7A000-memory.dmpFilesize
1000KB
-
memory/3040-129-0x0000000003000000-0x00000000030FF000-memory.dmpFilesize
1020KB
-
memory/4368-115-0x0000000000710000-0x0000000000735000-memory.dmpFilesize
148KB
-
memory/4368-116-0x0000000002411000-0x0000000002425000-memory.dmpFilesize
80KB
-
memory/4556-126-0x00000000003B0000-0x00000000003D9000-memory.dmpFilesize
164KB
-
memory/4556-125-0x0000000000A70000-0x0000000000A7A000-memory.dmpFilesize
40KB
-
memory/4556-124-0x0000000000000000-mapping.dmp
-
memory/4556-127-0x0000000004ED0000-0x00000000051F0000-memory.dmpFilesize
3.1MB
-
memory/4556-128-0x0000000004B90000-0x0000000004C20000-memory.dmpFilesize
576KB