Overview

overview

10

Static

static

QUOTE REQU...Co.exe

windows7_x64

10

QUOTE REQU...Co.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    19-11-2021 07:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    QUOTE REQUEST FOB_Medlited Trading Co.exe

  • Size

    611KB

  • MD5

    8ddcaa0954d47bcb1e6b18de42fbfd6c

  • SHA1

    8de0ab3b4e57d551f4783b6a1410d429c8b62c38

  • SHA256

    c50fdcefdf51c648404eb54eebcb81012e2c736252e232759c7eef5fac1d5174

  • SHA512

    31dc38d1d45893c6f00e28d2cf192e1451a5c4e84af701fe76c04b1175a7c528f7f95d1d3ec3edb30448b2465e127c66c64904e07da9a762663e9b29c8c4c80d

Score
10/10
xloader46uqloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

46uq

C2

http://www.liberia-infos.net/46uq/

Decoy

beardeddentguy.com

envirobombs.com

mintbox.pro

xiangpusun.com

pyjama-france.com

mendocinocountylive.com

innovativepropsolutions.com

hpsaddlerock.com

qrmaindonesia.com

liphelp.com

archaeaenergy.info

18446744073709551615.com

littlecreekacresri.com

elderlycareacademy.com

drshivanieyecare.com

ashibumi.com

stevenalexandergolf.com

adoratv.net

visitnewrichmond.com

fxbvanpool.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Users\Admin\AppData\Local\Temp\QUOTE REQUEST FOB_Medlited Trading Co.exe
      "C:\Users\Admin\AppData\Local\Temp\QUOTE REQUEST FOB_Medlited Trading Co.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1820
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dpzpuc.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:980
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dpzpuc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5D5C.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:960
      • C:\Users\Admin\AppData\Local\Temp\QUOTE REQUEST FOB_Medlited Trading Co.exe
        "C:\Users\Admin\AppData\Local\Temp\QUOTE REQUEST FOB_Medlited Trading Co.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1376
    • C:\Windows\SysWOW64\chkdsk.exe
      "C:\Windows\SysWOW64\chkdsk.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:1320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp5D5C.tmp
    MD5

    245cec850ea4264fed957d0d9d782c12

    SHA1

    434f946d073fcf685445d124c1ece3dda5f5efb6

    SHA256

    6dc29bf7ab16992087daed2fddc15ca64039fb3cb15918c459f6db804ce1a73f

    SHA512

    cc6cb48749b403f0b6e49286bb3fd070ad25dd2b60488b54ddd520108fb4868a5da8e90b25e6816a060069cdd1af9f5d46d576c997ed9faa1ffb452a49e43746

    Download Submit
  • memory/960-63-0x0000000000000000-mapping.dmp
    Download
  • memory/980-70-0x0000000002260000-0x0000000002EAA000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/980-61-0x0000000000000000-mapping.dmp
    Download
  • memory/980-74-0x0000000002260000-0x0000000002EAA000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/980-75-0x0000000002260000-0x0000000002EAA000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/1212-73-0x0000000003CB0000-0x0000000003D5F000-memory.dmp
    Filesize

    700KB

    Download
  • memory/1212-81-0x0000000006880000-0x0000000006976000-memory.dmp
    Filesize

    984KB

    Download
  • memory/1320-80-0x0000000001F30000-0x0000000001FC0000-memory.dmp
    Filesize

    576KB

    Download
  • memory/1320-79-0x0000000002070000-0x0000000002373000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1320-78-0x0000000000080000-0x00000000000A9000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1320-77-0x0000000000990000-0x0000000000997000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1320-76-0x0000000000000000-mapping.dmp
    Download
  • memory/1376-65-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1376-68-0x000000000041D4B0-mapping.dmp
    Download
  • memory/1376-67-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1376-72-0x0000000000290000-0x00000000002A1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1376-66-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1376-71-0x0000000000950000-0x0000000000C53000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1820-60-0x0000000005240000-0x000000000529C000-memory.dmp
    Filesize

    368KB

    Download
  • memory/1820-59-0x0000000000360000-0x0000000000366000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1820-57-0x00000000757E1000-0x00000000757E3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1820-58-0x0000000004D50000-0x0000000004D51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1820-55-0x0000000000E10000-0x0000000000E11000-memory.dmp
    Filesize

    4KB

    Download