Overview

overview

10

Static

static

Order Inqu...td.exe

windows7_x64

10

Order Inqu...td.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    18-11-2021 08:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Order Inquiry_List0811221Group_Pte Ltd.exe

  • Size

    753KB

  • MD5

    7a472b26cb03fb90b7f7a98f0e3aaaac

  • SHA1

    0dfd979849653398c60d791ee385f80a3648dc0b

  • SHA256

    9bd94109c257b316e248e2486f3b84bf358cc5b9b259154e6b0544bcb04269d6

  • SHA512

    84c1f8ed44c4bb3dd15d11a8ba1f3127e59e69d0f3edf5c36a711d252f6022079e5424dddb42e32cde19f7bb665ce853d19fd07e6029470857014aefd2e1444e

Score
10/10
xloader46uqloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

46uq

C2

http://www.jixelbbk.com/46uq/

Decoy

spiritueleonlinetraining.online

jrpz86.com

dataxmart.com

zeogg.club

killiandooley.com

159studios.com

clginter.com

greenwirechicago.com

kennycheng.tech

carolyngracecoaching.com

cp-altodelamuela.com

amazonflowerjewelry.com

anseron.net

surplusqlxbjy.online

asasal.com

online-buy-now.com

kolab.today

statisticsacademy.com

dcupqiu.club

braxtynmi.xyz

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Users\Admin\AppData\Local\Temp\Order Inquiry_List0811221Group_Pte Ltd.exe
      "C:\Users\Admin\AppData\Local\Temp\Order Inquiry_List0811221Group_Pte Ltd.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1456
      • C:\Users\Admin\AppData\Local\Temp\Order Inquiry_List0811221Group_Pte Ltd.exe
        "C:\Users\Admin\AppData\Local\Temp\Order Inquiry_List0811221Group_Pte Ltd.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1852
    • C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\SysWOW64\ipconfig.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Gathers network information
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1396
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Order Inquiry_List0811221Group_Pte Ltd.exe"
        3⤵
        • Deletes itself
        PID:484

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1
T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/484-73-0x0000000000000000-mapping.dmp
    Download
  • memory/1208-68-0x0000000006110000-0x000000000622C000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1208-76-0x0000000006230000-0x00000000063A0000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/1396-75-0x0000000000710000-0x00000000007A0000-memory.dmp
    Filesize

    576KB

    Download
  • memory/1396-74-0x0000000002270000-0x0000000002573000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1396-72-0x0000000000080000-0x00000000000A9000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1396-71-0x00000000003B0000-0x00000000003BA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1396-69-0x0000000000000000-mapping.dmp
    Download
  • memory/1456-60-0x0000000004EA0000-0x0000000004EF9000-memory.dmp
    Filesize

    356KB

    Download
  • memory/1456-55-0x0000000001390000-0x0000000001391000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1456-59-0x00000000005F0000-0x00000000005F6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1456-58-0x0000000004E60000-0x0000000004E61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1456-57-0x0000000075C51000-0x0000000075C53000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1852-66-0x0000000000770000-0x0000000000A73000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1852-67-0x00000000002B0000-0x00000000002C1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1852-64-0x000000000041D420-mapping.dmp
    Download
  • memory/1852-63-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1852-62-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1852-61-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download