TT COPY_02101011.exe

General

Target: TT COPY_02101011.exe
Filesize: 302KB
Completed: 25-11-2021 16:49
Score: 10/10
MD5: ebabc0d66a9e01cc0926f3b311feff5f
SHA1: 83a44664135a7255045becde754dae29be496c8f
SHA256: ea8733d0ea6248e2f522487d09e7854230a648e67f1a5e90fea31f6305a1ff7b

Malware Config

Extracted

Family: xloader
Version: 2.5
Campaign: e8ia
C2: http://www.helpfromjames.com/e8ia/

Decoy (50 domains)
  • le-hameau-enchanteur.com
  • quantumsystem-au.club
  • engravedeeply.com
  • yesrecompensas.lat
  • cavallitowerofficials.com
  • 800seaspray.com
  • skifun-jetski.com
  • thouartafoot.com
  • nft2dollar.com
  • petrestore.online
  • cjcutthecord2.com
  • tippimccullough.com
  • gadget198.xyz
  • djmiriam.com
  • bitbasepay.com
  • cukierniawz.com
  • mcclureic.xyz
  • inthekitchenshakinandbakin.com
  • busy-clicks.com
  • melaniemorris.online
  • elysiangp.com
  • 7bkj.com
  • wakeanddraw.com
  • ascalar.com
  • iteraxon.com
  • henleygirlscricket.com
  • torresflooringdecorllc.com
  • helgquieta.quest
  • xesteem.com
  • graffity-aws.com
  • bolerparts.com
  • andriylysenko.com
  • bestinvest-4-you.com
  • frelsicycling.com
  • airductcleaningindianapolis.net
  • nlproperties.net
  • alkoora.xyz
  • sakiyaman.com
  • wwwsmyrnaschooldistrict.com
  • unitedsafetyassociation.com
  • fiveallianceapparel.com
  • edgelordkids.com
  • herhauling.com
  • intelldat.com
  • weprepareamerica-planet.com
  • webartsolution.net
  • yiquge.com
  • marraasociados.com
  • dentalimplantnearyou-ca.space
  • linemanbible.com

Signatures (13)

Discovery
  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload

    Tags

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1484-57-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
    behavioral1/memory/1484-58-0x000000000041D4D0-mapping.dmp | xloader
    behavioral1/memory/572-66-0x0000000000080000-0x00000000000A9000-memory.dmp | xloader
  • Deletes itself
    cmd.exe

    Reported IOCs

    pid | process
    1892 | cmd.exe
  • Loads dropped DLL
    TT COPY_02101011.exe

    Reported IOCs

    pid | process
    1868 | TT COPY_02101011.exe
  • Suspicious use of SetThreadContext
    TT COPY_02101011.exe, TT COPY_02101011.exe, help.exe

    Reported IOCs

    description | pid | process | target process
    PID 1868 set thread context of 1484 | 1868 | TT COPY_02101011.exe | TT COPY_02101011.exe
    PID 1484 set thread context of 1244 | 1484 | TT COPY_02101011.exe | Explorer.EXE
    PID 572 set thread context of 1244 | 572 | help.exe | Explorer.EXE
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious behavior: EnumeratesProcesses
    TT COPY_02101011.exe, help.exe

    Reported IOCs

    pid | process
    1484 | TT COPY_02101011.exe (2 entries)
    572 | help.exe (28 entries)
  • Suspicious behavior: GetForegroundWindowSpam
    Explorer.EXE

    Reported IOCs

    pidprocess
    1244 | Explorer.EXE
  • Suspicious behavior: MapViewOfSection
    TT COPY_02101011.exe, help.exe

    Reported IOCs

    pid | process
    1484 | TT COPY_02101011.exe (3 entries)
    572 | help.exe (2 entries)
  • Suspicious use of AdjustPrivilegeToken
    TT COPY_02101011.exe, help.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1484 | TT COPY_02101011.exe
    Token: SeDebugPrivilege | 572 | help.exe
  • Suspicious use of FindShellTrayWindow
    Explorer.EXE

    Reported IOCs

    pid | process
    1244 | Explorer.EXE (2 entries)
  • Suspicious use of SendNotifyMessage
    Explorer.EXE

    Reported IOCs

    pid | process
    1244 | Explorer.EXE (2 entries)
  • Suspicious use of WriteProcessMemory
    TT COPY_02101011.exe, Explorer.EXE, help.exe

    Reported IOCs

    description | pid | process | target process
    PID 1868 wrote to memory of 1484 | 1868 | TT COPY_02101011.exe | TT COPY_02101011.exe (7 entries)
    PID 1244 wrote to memory of 572 | 1244 | Explorer.EXE | help.exe (4 entries)
    PID 572 wrote to memory of 1892 | 572 | help.exe | cmd.exe (4 entries)
Processes (5)
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe
      "C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe"
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1868
      • C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe
        "C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe"
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        PID:1484
    • C:\Windows\SysWOW64\help.exe
      "C:\Windows\SysWOW64\help.exe"
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:572
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe"
        Deletes itself
        PID:1892
Network
MITRE ATT&CK Matrix
  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation
Downloads
  • \Users\Admin\AppData\Local\Temp\nsiBAE7.tmp\wdtzbwxasut.dll
    MD5: 54c860c5cd0476d353802753c7bbfb06
    SHA1: f3fac4c8e96cbb528944fe76c7f74fda8171a597
    SHA256: 19fbfdb247a76a54351902926c309fd6d3e7be25c6dca0062fc781215680913e
    SHA512: 83dd85d9a54a1fa688c7776a15e48d70b8ec12ed789f4ac2054fa3affaed3fdaa375a5bd3d542c7b1831810a4825ee518a14f2390c50bfb65d9b774bceb6b183
  • memory/572-63-0x0000000000000000-mapping.dmp
  • memory/572-68-0x00000000004E0000-0x0000000000570000-memory.dmp
  • memory/572-67-0x0000000000940000-0x0000000000C43000-memory.dmp
  • memory/572-65-0x0000000000CC0000-0x0000000000CC6000-memory.dmp
  • memory/572-66-0x0000000000080000-0x00000000000A9000-memory.dmp
  • memory/1244-62-0x0000000007180000-0x000000000731F000-memory.dmp
  • memory/1244-69-0x00000000060F0000-0x00000000061DD000-memory.dmp
  • memory/1484-60-0x0000000000910000-0x0000000000C13000-memory.dmp
  • memory/1484-61-0x0000000000350000-0x0000000000361000-memory.dmp
  • memory/1484-58-0x000000000041D4D0-mapping.dmp
  • memory/1484-57-0x0000000000400000-0x0000000000429000-memory.dmp
  • memory/1868-55-0x0000000076A21000-0x0000000076A23000-memory.dmp
  • memory/1892-64-0x0000000000000000-mapping.dmp