Overview

overview

10

Static

static

Payment_Au...TT.exe

windows7_x64

3

Payment_Au...TT.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    22-11-2021 13:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment_Authorization Issue_swift MT105TT.exe

  • Size

    459KB

  • MD5

    e33471aca4f7ba9761cfbf41b091c9da

  • SHA1

    a3b8444a7367eec1b5fe10f11d653b29a27c3b73

  • SHA256

    c36c4e9b60d516ae00051b635624267123056adbbd874b7b9f67920dcb71aada

  • SHA512

    ce8b9cf90ecbd781c7d3c75aa7694d75e2c6a4c49570de3f67b161cd64a21ac59d65228336be7a98fbfc7d0ad41b94aebb1dacb9fad88f00c1507503fcb3a790

Score
10/10
xloader46uqloaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

46uq

C2

http://www.liberia-infos.net/46uq/

Decoy

beardeddentguy.com

envirobombs.com

mintbox.pro

xiangpusun.com

pyjama-france.com

mendocinocountylive.com

innovativepropsolutions.com

hpsaddlerock.com

qrmaindonesia.com

liphelp.com

archaeaenergy.info

18446744073709551615.com

littlecreekacresri.com

elderlycareacademy.com

drshivanieyecare.com

ashibumi.com

stevenalexandergolf.com

adoratv.net

visitnewrichmond.com

fxbvanpool.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 3 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Users\Admin\AppData\Local\Temp\Payment_Authorization Issue_swift MT105TT.exe
      "C:\Users\Admin\AppData\Local\Temp\Payment_Authorization Issue_swift MT105TT.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3760
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cdNqrPIAFuqkR.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3456
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cdNqrPIAFuqkR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp89BE.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1040
      • C:\Users\Admin\AppData\Local\Temp\Payment_Authorization Issue_swift MT105TT.exe
        "C:\Users\Admin\AppData\Local\Temp\Payment_Authorization Issue_swift MT105TT.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:608
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:1052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp89BE.tmp
    MD5

    0c6783d9de5678e1a1de990683f1c824

    SHA1

    6467cf3c6f5a3f1bc44183fde68315c4b3e279a4

    SHA256

    9c1ad5f643db5f162f3ff8585e5cc53d974b84b3a35913d10b0d06aff367c296

    SHA512

    59097f11ba224f7947c1fad5c1cf4b49986e2ffcc67591a1bf038b0b8f5142ef89364e4248ce7b0c458a26e584884c934b51456a87466dfde2ada278bdd9422c

    Download Submit
  • memory/608-142-0x00000000018A0000-0x00000000018B1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/608-133-0x000000000041D4B0-mapping.dmp
    Download
  • memory/608-132-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/608-141-0x00000000019E0000-0x0000000001D00000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/1040-126-0x0000000000000000-mapping.dmp
    Download
  • memory/1052-179-0x0000000004FF0000-0x0000000005310000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/1052-167-0x0000000000000000-mapping.dmp
    Download
  • memory/1052-172-0x0000000000C30000-0x0000000000C57000-memory.dmp
    Filesize

    156KB

    Download
  • memory/1052-175-0x0000000000BB0000-0x0000000000BD9000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1052-387-0x0000000004E40000-0x0000000004ED0000-memory.dmp
    Filesize

    576KB

    Download
  • memory/3064-143-0x0000000006010000-0x00000000061A5000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3064-388-0x0000000004E10000-0x0000000004F47000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/3456-136-0x0000000006CA0000-0x0000000006CA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3456-145-0x0000000006CD0000-0x0000000006CD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3456-131-0x0000000007090000-0x0000000007091000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3456-128-0x0000000000670000-0x0000000000671000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3456-127-0x0000000000670000-0x0000000000671000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3456-134-0x0000000001100000-0x0000000001101000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3456-135-0x0000000001102000-0x0000000001103000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3456-177-0x0000000001103000-0x0000000001104000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3456-137-0x0000000006D40000-0x0000000006D41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3456-138-0x0000000006EB0000-0x0000000006EB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3456-140-0x00000000076C0000-0x00000000076C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3456-125-0x0000000000000000-mapping.dmp
    Download
  • memory/3456-171-0x000000007EE80000-0x000000007EE81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3456-168-0x0000000008ED0000-0x0000000008ED1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3456-144-0x0000000000E80000-0x0000000000E81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3456-129-0x00000000010B0000-0x00000000010B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3456-146-0x0000000007C40000-0x0000000007C41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3456-147-0x0000000000670000-0x0000000000671000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3456-154-0x0000000008BD0000-0x0000000008C03000-memory.dmp
    Filesize

    204KB

    Download
  • memory/3456-161-0x0000000008B90000-0x0000000008B91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3456-166-0x0000000008D00000-0x0000000008D01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3760-122-0x00000000073E0000-0x00000000073E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3760-123-0x0000000007340000-0x0000000007341000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3760-124-0x00000000074E0000-0x000000000753D000-memory.dmp
    Filesize

    372KB

    Download
  • memory/3760-121-0x0000000004DD0000-0x0000000004DD6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/3760-120-0x0000000004CC0000-0x0000000004CC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3760-115-0x0000000000160000-0x0000000000161000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3760-119-0x0000000004C20000-0x000000000511E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3760-118-0x0000000004C20000-0x0000000004C21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3760-117-0x0000000005120000-0x0000000005121000-memory.dmp
    Filesize

    4KB

    Download