Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    25-11-2021 16:29

General

  • Target
    TT_SWIFT_Export Order_noref S10SMG00318021.exe
  • Size
    653KB
  • MD5
    fff91c58119d3cd7f68457e8565f7116
  • SHA1
    4201eb7214bd3658889739e4856412b8063e0405
  • SHA256
    f8c0d385ece89cd926b2c74680c036f9927414955e7ff4ed12b576470b8c1745
  • SHA512
    c05cf9e0ed2aad4c08b394d97fc1257d273aa8dd51a45487ba51ff5973ab7b2227aba7ea1e1e8e9daf7416aaea418b06edfa29ff93665f6d3cc5b1a392dbed92

Score
10/10

Malware Config

Extracted

  • Family
    xloader
  • Version
    2.5
  • Campaign
    46uq
  • C2
    http://www.liberia-infos.net/46uq/
  • Decoy

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 3 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Users\Admin\AppData\Local\Temp\TT_SWIFT_Export Order_noref S10SMG00318021.exe
      "C:\Users\Admin\AppData\Local\Temp\TT_SWIFT_Export Order_noref S10SMG00318021.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3820
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TT_SWIFT_Export Order_noref S10SMG00318021.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4504
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AnsPejV.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:656
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnsPejV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD194.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1000
      • C:\Users\Admin\AppData\Local\Temp\TT_SWIFT_Export Order_noref S10SMG00318021.exe
        "C:\Users\Admin\AppData\Local\Temp\TT_SWIFT_Export Order_noref S10SMG00318021.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1428
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:696

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Scheduled Task (1) T1053
  • Persistence
    Scheduled Task (1) T1053
  • Privilege Escalation
    Scheduled Task (1) T1053
  • Discovery
    System Information Discovery (1) T1082

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    MD5

    1c19c16e21c97ed42d5beabc93391fc5

    SHA1

    8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

    SHA256

    1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

    SHA512

    7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    ef33e78aa7b685f14328bbcd093cef5c

    SHA1

    e6dacd3e68ea5a592b0417834c90654038d539b4

    SHA256

    9e5c2646edabfa71f0e78d96a62abcb2f83fcb4a0f6890088f48132706adfff9

    SHA512

    bd1b33e964162c9b55ddfcf86b4827d182507f9190b1acf864d37ed73b1185349b348e09bdab255545e5f5c1b1b737e57f80ab3968505a6e27e932c681137b8c

  • C:\Users\Admin\AppData\Local\Temp\tmpD194.tmp
    MD5

    8e378b65e7c9a6cdb40619d3ab813bd6

    SHA1

    1ff067a68cb62a9df7598382deeaab5e0ac31f24

    SHA256

    225e124b35dbc54df83450dbdbf0d59f0e75f2fd1f3c5d993e6e63115c769348

    SHA512

    5057926b62dfe5573d208d425742278bb5aac1d693ee4cd533e6f310fe166b9fb4182d1c1504de3a224f9491f8df12de0ced4b8cbfec95b8e3c96333052dd873