STATEMENT Oct-Nov 25-11-2021.com

General

Target: STATEMENT Oct-Nov 25-11-2021.com.exe
Filesize: 301KB
Completed: 25-11-2021 16:50
Score: 10/10
MD5: 02e738dd13974ab64a472f6aa2f065a8
SHA1: 6134aee9ceffce4d6ed1777739493def77b62533
SHA256: 9acf8fb51cab55a01a74cb84ca9958862b29b8909408e87412700e63a4f578ae

Malware Config

Extracted

Family: xloader
Version: 2.5
Campaign: unzn
C2: http://www.davanamays.com/unzn/
Decoy:


Signatures 13


Discovery
  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload

    Tags

    Reported IOCs

    resource                                                                    yara_rule
    behavioral1/memory/576-57-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
    behavioral1/memory/576-58-0x000000000041D430-mapping.dmp                    xloader
    behavioral1/memory/576-63-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
    behavioral1/memory/816-68-0x0000000000080000-0x00000000000A9000-memory.dmp  xloader
  • Deletes itself
    cmd.exe

    Reported IOCs

    pid   process
    1000  cmd.exe
  • Loads dropped DLL
    STATEMENT Oct-Nov 25-11-2021.com.exe

    Reported IOCs

    pid  process
    520  STATEMENT Oct-Nov 25-11-2021.com.exe
  • Suspicious use of SetThreadContext
    STATEMENT Oct-Nov 25-11-2021.com.exe, svchost.exe

    Reported IOCs

    description                         pid  process                               target process                        count
    PID 520 set thread context of 576   520  STATEMENT Oct-Nov 25-11-2021.com.exe  STATEMENT Oct-Nov 25-11-2021.com.exe  1
    PID 576 set thread context of 1200  576  STATEMENT Oct-Nov 25-11-2021.com.exe  Explorer.EXE                          2
    PID 816 set thread context of 1200  816  svchost.exe                           Explorer.EXE                          1
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious behavior: EnumeratesProcesses
    STATEMENT Oct-Nov 25-11-2021.com.exe, svchost.exe

    Reported IOCs

    pid  process                               count
    576  STATEMENT Oct-Nov 25-11-2021.com.exe  3
    816  svchost.exe                           26
  • Suspicious behavior: GetForegroundWindowSpam
    Explorer.EXE

    Reported IOCs

    pid   process
    1200  Explorer.EXE
  • Suspicious behavior: MapViewOfSection
    STATEMENT Oct-Nov 25-11-2021.com.exe, svchost.exe

    Reported IOCs

    pid  process                               count
    576  STATEMENT Oct-Nov 25-11-2021.com.exe  4
    816  svchost.exe                           2
  • Suspicious use of AdjustPrivilegeToken
    STATEMENT Oct-Nov 25-11-2021.com.exe, svchost.exe

    Reported IOCs

    description              pid  process
    Token: SeDebugPrivilege  576  STATEMENT Oct-Nov 25-11-2021.com.exe
    Token: SeDebugPrivilege  816  svchost.exe
  • Suspicious use of FindShellTrayWindow
    Explorer.EXE

    Reported IOCs

    pid   process       count
    1200  Explorer.EXE  2
  • Suspicious use of SendNotifyMessage
    Explorer.EXE

    Reported IOCs

    pid   process       count
    1200  Explorer.EXE  2
  • Suspicious use of WriteProcessMemory
    STATEMENT Oct-Nov 25-11-2021.com.exe, Explorer.EXE, svchost.exe

    Reported IOCs

    description                      pid   process                               target process                        count
    PID 520 wrote to memory of 576   520   STATEMENT Oct-Nov 25-11-2021.com.exe  STATEMENT Oct-Nov 25-11-2021.com.exe  7
    PID 1200 wrote to memory of 816  1200  Explorer.EXE                          svchost.exe                           4
    PID 816 wrote to memory of 1000  816   svchost.exe                           cmd.exe                               4
Processes 5
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Users\Admin\AppData\Local\Temp\STATEMENT Oct-Nov 25-11-2021.com.exe
      "C:\Users\Admin\AppData\Local\Temp\STATEMENT Oct-Nov 25-11-2021.com.exe"
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:520
      • C:\Users\Admin\AppData\Local\Temp\STATEMENT Oct-Nov 25-11-2021.com.exe
        "C:\Users\Admin\AppData\Local\Temp\STATEMENT Oct-Nov 25-11-2021.com.exe"
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        PID:576
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:816
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\STATEMENT Oct-Nov 25-11-2021.com.exe"
        Deletes itself
        PID:1000
Downloads
  • \Users\Admin\AppData\Local\Temp\nsoF587.tmp\ncpszgn.dll
    MD5: c3678c74295ff18273f177d3058bcc9d
    SHA1: 619a2fbfb1f1512e96af74733345e5539786e789
    SHA256: d6cb2032b903d1820cc840659d655877cba6d1e6746ebf366696aed3d9dc0c65
    SHA512: 3542b7dfeea67460f52fd40f212831ebc33a7831b3b05770ce619c0e25f030129028e5e96c3291fc578d39075107e7ef8bf5883ea79a38c69a0edee9df72056c
