Overview

overview

10

Static

static

PO_No.2022...BW.exe

windows7_x64

10

PO_No.2022...BW.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    17-11-2021 07:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO_No.202201EYL-01_ABW.exe

  • Size

    1.0MB

  • MD5

    0025968e7da258b082f9c904e500568b

  • SHA1

    49f3dbc6f9f52322240285c8ba8ac65d6f528c87

  • SHA256

    e7f1ace8723e30320b9e8bc3dc8a079c2d82d8c58b6ef7e0810ee4f661f5f141

  • SHA512

    d9f6ebef441441c7ef749039c724e7c13bb5d4cb552b2509b7f9aa19a31c255ba6213124b4bff62d78f2867d8edc73286083bf2c454cd8f0ea55fe7d488e378b

Score
10/10
xloader46uqloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

46uq

C2

http://www.liberia-infos.net/46uq/

Decoy

beardeddentguy.com

envirobombs.com

mintbox.pro

xiangpusun.com

pyjama-france.com

mendocinocountylive.com

innovativepropsolutions.com

hpsaddlerock.com

qrmaindonesia.com

liphelp.com

archaeaenergy.info

18446744073709551615.com

littlecreekacresri.com

elderlycareacademy.com

drshivanieyecare.com

ashibumi.com

stevenalexandergolf.com

adoratv.net

visitnewrichmond.com

fxbvanpool.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 55 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Users\Admin\AppData\Local\Temp\PO_No.202201EYL-01_ABW.exe
      "C:\Users\Admin\AppData\Local\Temp\PO_No.202201EYL-01_ABW.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:656
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO_No.202201EYL-01_ABW.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3672
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BcQECCNDawY.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3148
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BcQECCNDawY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp392D.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1964
      • C:\Users\Admin\AppData\Local\Temp\PO_No.202201EYL-01_ABW.exe
        "C:\Users\Admin\AppData\Local\Temp\PO_No.202201EYL-01_ABW.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2092
    • C:\Windows\SysWOW64\msdt.exe
      "C:\Windows\SysWOW64\msdt.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:1816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    MD5

    1c19c16e21c97ed42d5beabc93391fc5

    SHA1

    8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

    SHA256

    1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

    SHA512

    7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    42b05edb7a4620e187aa5dc4fd0c7610

    SHA1

    3a58e789855e9e57be76d287e05c3cfe7c5f43eb

    SHA256

    1d605427f145bcaceedf5a0a77f9c7a211037012ec9a6a4fb660e766e90e5656

    SHA512

    a515e4dfd5e94ed712b69f710c4b8b31ea4dfbc7018eeb90481b7217b826e77fde8a7290c0ec1cdc413fb74a408feb720eb426ef32a47a6096a3017dbd682b54

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp392D.tmp
    MD5

    d6f352331bf88a278113d6277ccb544a

    SHA1

    fb084cf5bf38c00664de6737d82f877a3dede5e1

    SHA256

    37f23e3a7f6a6b8c7ab7e55acd12d31a542d55cf33c623fc6145e5c254d6814b

    SHA512

    3e92e730c0ac665f398cc5ca6d7791b5a50f0fc45d5b05e4aa06c5a20ae7e7c4379d285a5ed3f3bd8f4004578c04b7f2d5817ef5ff617612f792778abf018223

    Download Submit
  • memory/656-125-0x00000000071F0000-0x00000000071F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/656-118-0x00000000003F0000-0x00000000003F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/656-124-0x0000000004FE0000-0x0000000004FE7000-memory.dmp
    Filesize

    28KB

    Download
  • memory/656-120-0x00000000052A0000-0x00000000052A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/656-126-0x00000000072E0000-0x000000000732E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/656-127-0x0000000007330000-0x000000000735C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/656-122-0x0000000004D20000-0x0000000004D21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/656-121-0x0000000004DA0000-0x0000000004DA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/656-123-0x0000000004DA0000-0x000000000529E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1816-562-0x0000000004400000-0x0000000004490000-memory.dmp
    Filesize

    576KB

    Download
  • memory/1816-242-0x0000000004590000-0x00000000048B0000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/1816-240-0x0000000000580000-0x00000000005A9000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1816-237-0x0000000000810000-0x0000000000983000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/1816-206-0x0000000000000000-mapping.dmp
    Download
  • memory/1964-130-0x0000000000000000-mapping.dmp
    Download
  • memory/2092-145-0x000000000041D4B0-mapping.dmp
    Download
  • memory/2092-162-0x00000000011E0000-0x00000000011F1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/2092-154-0x0000000001280000-0x00000000015A0000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/2092-144-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/3020-586-0x0000000006BD0000-0x0000000006D19000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/3020-163-0x0000000006940000-0x0000000006A97000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/3148-129-0x0000000000000000-mapping.dmp
    Download
  • memory/3148-234-0x0000000004743000-0x0000000004744000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3148-135-0x0000000004480000-0x0000000004481000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3148-136-0x0000000004480000-0x0000000004481000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3148-146-0x0000000006F60000-0x0000000006F61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3148-143-0x0000000004742000-0x0000000004743000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3148-205-0x000000007E6E0000-0x000000007E6E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3148-179-0x0000000008EA0000-0x0000000008ED3000-memory.dmp
    Filesize

    204KB

    Download
  • memory/3148-166-0x0000000004480000-0x0000000004481000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3148-142-0x0000000004740000-0x0000000004741000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3672-231-0x0000000006663000-0x0000000006664000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3672-192-0x0000000008A40000-0x0000000008A41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3672-141-0x0000000006662000-0x0000000006663000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3672-158-0x00000000079C0000-0x00000000079C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3672-152-0x00000000074B0000-0x00000000074B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3672-204-0x000000007E420000-0x000000007E421000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3672-156-0x0000000007390000-0x0000000007391000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3672-150-0x0000000006C20000-0x0000000006C21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3672-160-0x0000000007CA0000-0x0000000007CA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3672-164-0x0000000004080000-0x0000000004081000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3672-140-0x0000000006660000-0x0000000006661000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3672-148-0x0000000006BB0000-0x0000000006BB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3672-134-0x0000000006CA0000-0x0000000006CA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3672-133-0x0000000006500000-0x0000000006501000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3672-132-0x0000000004080000-0x0000000004081000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3672-131-0x0000000004080000-0x0000000004081000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3672-128-0x0000000000000000-mapping.dmp
    Download