Overview

overview

10

Static

static

Purchase Order.exe

windows7_x64

10

Purchase Order.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    24-11-2021 10:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase Order.exe

  • Size

    516KB

  • MD5

    1a84232e14194f3ac154f8711d6f683e

  • SHA1

    c735848eb56e7fbfe229918de1e042c238edb1a8

  • SHA256

    8e405b6451c62462b5df1a0490175f4b9712ee1b1ab25a52f7e3a1f736400439

  • SHA512

    1f697fcd5c22ecb1aec21e569f8624666cded36cf357b65213ff93c3245c396652e48252d114b17d8442452a395fd695be78b9f8a23e67ff9b98ebc16f85db95

Score
10/10
xloaderea0rloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ea0r

C2

http://www.asiapubz-hk.com/ea0r/

Decoy

lionheartcreativestudios.com

konzertmanagement.com

blackpanther.online

broychim-int.com

takut18.com

txstarsolar.com

herdsherpa.com

igorshestakov.com

shinesbox.com

reflectpkljlt.xyz

oiltoolshub.com

viralmoneychallenge.com

changingalphastrategies.com

mecitiris.com

rdadmin.online

miniambiente.com

kominarcine.com

pino-almond.com

heihit.xyz

junqi888.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UcvvwVHjSby.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:808
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UcvvwVHjSby" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6A01.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:3308
      • C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
        "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2148
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:396
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
        3⤵
          PID:3396

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp6A01.tmp
      MD5

      3aedc2f077a7d279d197e74a888e9da8

      SHA1

      4cbe0aa876c591ac832347ebcb390ab66c78361e

      SHA256

      05b499696238bdb27dc52b392296acba0fee0ebce2c8dfd764cb079c470e29e9

      SHA512

      cb8040427ea30a406f47574688412c706e0c82c32fbffab073ce4b4c774c77a22c814bded168a6ed0611d87d203d8cc3d61f4b5f9e7a11de88725aba3a772d8c

      Download Submit
    • memory/396-387-0x00000000044A0000-0x0000000004530000-memory.dmp
      Filesize

      576KB

      Download
    • memory/396-182-0x0000000004640000-0x0000000004960000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/396-162-0x0000000002740000-0x0000000002769000-memory.dmp
      Filesize

      164KB

      Download
    • memory/396-161-0x0000000000350000-0x0000000000377000-memory.dmp
      Filesize

      156KB

      Download
    • memory/396-150-0x0000000000000000-mapping.dmp
      Download
    • memory/808-126-0x0000000000DB0000-0x0000000000DB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/808-163-0x0000000008FA0000-0x0000000008FA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/808-124-0x0000000000000000-mapping.dmp
      Download
    • memory/808-184-0x0000000000FA3000-0x0000000000FA4000-memory.dmp
      Filesize

      4KB

      Download
    • memory/808-171-0x00000000094F0000-0x00000000094F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/808-127-0x0000000000DB0000-0x0000000000DB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/808-169-0x0000000009390000-0x0000000009391000-memory.dmp
      Filesize

      4KB

      Download
    • memory/808-129-0x0000000000FA0000-0x0000000000FA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/808-130-0x0000000004740000-0x0000000004741000-memory.dmp
      Filesize

      4KB

      Download
    • memory/808-131-0x00000000072B0000-0x00000000072B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/808-164-0x000000007E2F0000-0x000000007E2F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/808-144-0x0000000008340000-0x0000000008341000-memory.dmp
      Filesize

      4KB

      Download
    • memory/808-134-0x0000000007160000-0x0000000007161000-memory.dmp
      Filesize

      4KB

      Download
    • memory/808-136-0x0000000007950000-0x0000000007951000-memory.dmp
      Filesize

      4KB

      Download
    • memory/808-137-0x0000000007200000-0x0000000007201000-memory.dmp
      Filesize

      4KB

      Download
    • memory/808-138-0x0000000007AF0000-0x0000000007AF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/808-139-0x0000000000FA2000-0x0000000000FA3000-memory.dmp
      Filesize

      4KB

      Download
    • memory/808-154-0x0000000008FC0000-0x0000000008FF3000-memory.dmp
      Filesize

      204KB

      Download
    • memory/808-146-0x0000000000DB0000-0x0000000000DB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/808-145-0x00000000081F0000-0x00000000081F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/808-143-0x0000000007920000-0x0000000007921000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2148-132-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/2148-141-0x0000000000F90000-0x00000000010DA000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2148-140-0x00000000014D0000-0x00000000017F0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/2148-133-0x000000000041D410-mapping.dmp
      Download
    • memory/2700-123-0x0000000008FB0000-0x000000000901B000-memory.dmp
      Filesize

      428KB

      Download
    • memory/2700-120-0x0000000005520000-0x0000000005521000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2700-121-0x0000000008AE0000-0x0000000008AE4000-memory.dmp
      Filesize

      16KB

      Download
    • memory/2700-119-0x0000000005660000-0x0000000005B5E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/2700-122-0x0000000008E10000-0x0000000008E11000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2700-115-0x0000000000B30000-0x0000000000B31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2700-118-0x0000000005550000-0x0000000005551000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2700-117-0x0000000005B60000-0x0000000005B61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3020-142-0x00000000061D0000-0x0000000006375000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3020-388-0x0000000005E40000-0x0000000005F92000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3308-125-0x0000000000000000-mapping.dmp
      Download
    • memory/3396-170-0x0000000000000000-mapping.dmp
      Download