STATEMENT Oct-Nov 25-11-2021.com

max time kernel150s
max time network149s
platformwindows10_x64
resourcewin10-en-20211104
submitted25-11-2021 16:48

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

STATEMENT Oct-Nov 25-11-2021.com.exe

Filesize

301KB

Completed

25-11-2021 16:50

Score

10^/10

MD5

02e738dd13974ab64a472f6aa2f065a8

SHA1

6134aee9ceffce4d6ed1777739493def77b62533

SHA256

9acf8fb51cab55a01a74cb84ca9958862b29b8909408e87412700e63a4f578ae

Extracted

Family	xloader
Version	2.5
Campaign	unzn
C2	http://www.davanamays.com/unzn/ http://www.davanamays.com/unzn/
Decoy	xiulf.com highcountrymortar.com 523561.com marketingagency.tools ganmovie.net nationaalcontactpunt.com sirrbter.com begizas.xyz missimi-fashion.com munixc.info daas.support spaceworbc.com faithtruthresolve.com gymkub.com thegrayverse.xyz artisanmakefurniture.com 029tryy.com ijuubx.biz iphone13promax.club techuniversus.com samrgov.xyz grownupcurl.com sj0755.net beekeeperkit.com richessesabondantes.com xclgjgjh.net webworkscork.com vedepviet365.com bretabeameven.com cdzsmhw.com clearperspective.biz tigrg5g784sh.biz bbezan011.xyz mycar.store mansooralobeidli.com ascensionmemberszoom.com unlimitedrehab.com wozka.top askylarkgoods.com rj793.com prosvalor.com primetimeexpress.com boixosnoisperu.com mmasportgear.com concertiranian.net hyponymys.info maila.one yti0fyic.xyz shashiprayag.com speedprosmotorsports.com westchestercountyjunkcars.com patienceinmypocket.com rausachbaoloc.com plexregroup.com outsydercs.com foodandflour.com lenacrypto.xyz homeservicetoday.net marthaperry.com vmtcyd4q8.com shamefulguys.com loccssol.store gnarledportra.xyz 042atk.xyz xiulf.com highcountrymortar.com 523561.com marketingagency.tools ganmovie.net nationaalcontactpunt.com sirrbter.com begizas.xyz missimi-fashion.com munixc.info daas.support spaceworbc.com faithtruthresolve.com gymkub.com thegrayverse.xyz artisanmakefurniture.com 029tryy.com ijuubx.biz iphone13promax.club techuniversus.com samrgov.xyz grownupcurl.com sj0755.net beekeeperkit.com richessesabondantes.com xclgjgjh.net webworkscork.com vedepviet365.com bretabeameven.com cdzsmhw.com clearperspective.biz tigrg5g784sh.biz bbezan011.xyz mycar.store mansooralobeidli.com ascensionmemberszoom.com unlimitedrehab.com wozka.top askylarkgoods.com rj793.com prosvalor.com primetimeexpress.com boixosnoisperu.com mmasportgear.com concertiranian.net hyponymys.info maila.one yti0fyic.xyz shashiprayag.com speedprosmotorsports.com westchestercountyjunkcars.com patienceinmypocket.com rausachbaoloc.com plexregroup.com outsydercs.com foodandflour.com lenacrypto.xyz homeservicetoday.net marthaperry.com vmtcyd4q8.com shamefulguys.com loccssol.store gnarledportra.xyz 042atk.xyz

Discovery

Xloader

Description

Xloader is a rebranded version of Formbook malware.

Tags

loader xloader

Xloader Payload

Reported IOCs

resource	yara_rule
behavioral2/memory/4064-119-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4064-120-0x000000000041D430-mapping.dmp	xloader
behavioral2/memory/4280-127-0x0000000000C20000-0x0000000000C49000-memory.dmp	xloader

Loads dropped DLL
STATEMENT Oct-Nov 25-11-2021.com.exe

Reported IOCs

pid process

396 STATEMENT Oct-Nov 25-11-2021.com.exe

pid	process
396	STATEMENT Oct-Nov 25-11-2021.com.exe

Suspicious use of SetThreadContext

STATEMENT Oct-Nov 25-11-2021.com.exeSTATEMENT Oct-Nov 25-11-2021.com.exewscript.exe

Reported IOCs

description	pid	process	target process
PID 396 set thread context of 4064	396	STATEMENT Oct-Nov 25-11-2021.com.exe	STATEMENT Oct-Nov 25-11-2021.com.exe
PID 4064 set thread context of 2416	4064	STATEMENT Oct-Nov 25-11-2021.com.exe	Explorer.EXE
PID 4280 set thread context of 2416	4280	wscript.exe	Explorer.EXE

Enumerates physical storage devices

Description

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs

System Information Discovery

Suspicious behavior: EnumeratesProcesses

STATEMENT Oct-Nov 25-11-2021.com.exewscript.exe

Reported IOCs

pid	process
4064	STATEMENT Oct-Nov 25-11-2021.com.exe
4064	STATEMENT Oct-Nov 25-11-2021.com.exe
4064	STATEMENT Oct-Nov 25-11-2021.com.exe
4064	STATEMENT Oct-Nov 25-11-2021.com.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe
4280	wscript.exe

Suspicious behavior: GetForegroundWindowSpam
Explorer.EXE

Reported IOCs

pid process

2416 Explorer.EXE

pid	process
2416	Explorer.EXE

Suspicious behavior: MapViewOfSection

STATEMENT Oct-Nov 25-11-2021.com.exewscript.exe

Reported IOCs

pid	process
4064	STATEMENT Oct-Nov 25-11-2021.com.exe
4064	STATEMENT Oct-Nov 25-11-2021.com.exe
4064	STATEMENT Oct-Nov 25-11-2021.com.exe
4280	wscript.exe
4280	wscript.exe

Suspicious use of AdjustPrivilegeToken
STATEMENT Oct-Nov 25-11-2021.com.exewscript.exe

Reported IOCs

description pid process

Token: SeDebugPrivilege 4064 STATEMENT Oct-Nov 25-11-2021.com.exe
Token: SeDebugPrivilege 4280 wscript.exe

description	pid	process
Token: SeDebugPrivilege	4064	STATEMENT Oct-Nov 25-11-2021.com.exe
Token: SeDebugPrivilege	4280	wscript.exe

Suspicious use of WriteProcessMemory

STATEMENT Oct-Nov 25-11-2021.com.exeExplorer.EXEwscript.exe

Reported IOCs

description	pid	process	target process
PID 396 wrote to memory of 4064	396	STATEMENT Oct-Nov 25-11-2021.com.exe	STATEMENT Oct-Nov 25-11-2021.com.exe
PID 396 wrote to memory of 4064	396	STATEMENT Oct-Nov 25-11-2021.com.exe	STATEMENT Oct-Nov 25-11-2021.com.exe
PID 396 wrote to memory of 4064	396	STATEMENT Oct-Nov 25-11-2021.com.exe	STATEMENT Oct-Nov 25-11-2021.com.exe
PID 396 wrote to memory of 4064	396	STATEMENT Oct-Nov 25-11-2021.com.exe	STATEMENT Oct-Nov 25-11-2021.com.exe
PID 396 wrote to memory of 4064	396	STATEMENT Oct-Nov 25-11-2021.com.exe	STATEMENT Oct-Nov 25-11-2021.com.exe
PID 396 wrote to memory of 4064	396	STATEMENT Oct-Nov 25-11-2021.com.exe	STATEMENT Oct-Nov 25-11-2021.com.exe
PID 2416 wrote to memory of 4280	2416	Explorer.EXE	wscript.exe
PID 2416 wrote to memory of 4280	2416	Explorer.EXE	wscript.exe
PID 2416 wrote to memory of 4280	2416	Explorer.EXE	wscript.exe
PID 4280 wrote to memory of 4156	4280	wscript.exe	cmd.exe
PID 4280 wrote to memory of 4156	4280	wscript.exe	cmd.exe
PID 4280 wrote to memory of 4156	4280	wscript.exe	cmd.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory

PID:2416

C:\Users\Admin\AppData\Local\Temp\STATEMENT Oct-Nov 25-11-2021.com.exe

"C:\Users\Admin\AppData\Local\Temp\STATEMENT Oct-Nov 25-11-2021.com.exe"

Loads dropped DLL
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory

PID:396

C:\Users\Admin\AppData\Local\Temp\STATEMENT Oct-Nov 25-11-2021.com.exe

"C:\Users\Admin\AppData\Local\Temp\STATEMENT Oct-Nov 25-11-2021.com.exe"

Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken

PID:4064

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\SysWOW64\wscript.exe"

Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:4280

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\STATEMENT Oct-Nov 25-11-2021.com.exe"

PID:4156

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

\Users\Admin\AppData\Local\Temp\nsv9F7E.tmp\ncpszgn.dll
MD5
c3678c74295ff18273f177d3058bcc9d

SHA1
619a2fbfb1f1512e96af74733345e5539786e789

SHA256
d6cb2032b903d1820cc840659d655877cba6d1e6746ebf366696aed3d9dc0c65

SHA512
3542b7dfeea67460f52fd40f212831ebc33a7831b3b05770ce619c0e25f030129028e5e96c3291fc578d39075107e7ef8bf5883ea79a38c69a0edee9df72056c

Download Submit
memory/2416-124-0x0000000004F80000-0x0000000005101000-memory.dmp

Download
memory/2416-131-0x0000000002440000-0x000000000253E000-memory.dmp

Download
memory/4064-122-0x00000000009B0000-0x0000000000CD0000-memory.dmp

Download
memory/4064-123-0x00000000008F0000-0x0000000000901000-memory.dmp

Download
memory/4064-120-0x000000000041D430-mapping.dmp

Download
memory/4064-119-0x0000000000400000-0x0000000000429000-memory.dmp

Download
memory/4156-128-0x0000000000000000-mapping.dmp

Download
memory/4280-127-0x0000000000C20000-0x0000000000C49000-memory.dmp

Download
memory/4280-126-0x0000000000D80000-0x0000000000DA7000-memory.dmp

Download
memory/4280-129-0x0000000004E40000-0x0000000005160000-memory.dmp

Download
memory/4280-130-0x0000000004B90000-0x0000000004C20000-memory.dmp

Download
memory/4280-125-0x0000000000000000-mapping.dmp

Download

STATEMENT Oct-Nov 25-11-2021.com

Extracted

Filter: none

Description

Tags

Tags

Reported IOCs

Reported IOCs

Reported IOCs

Description

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title