TT COPY_02101011.exe

General

Target:      TT COPY_02101011.exe
Filesize:    302KB
Completed:   25-11-2021 16:49
Score:       10/10
MD5:         ebabc0d66a9e01cc0926f3b311feff5f
SHA1:        83a44664135a7255045becde754dae29be496c8f
SHA256:      ea8733d0ea6248e2f522487d09e7854230a648e67f1a5e90fea31f6305a1ff7b

Malware Config

Extracted

Family:      xloader
Version:     2.5
Campaign:    e8ia
C2:          http://www.helpfromjames.com/e8ia/

Note: an Xloader/Formbook config carries one live C2 alongside a long list of decoy domains; the implant contacts a random subset of the decoys together with the real C2 so the true server is hard to pick out of network traffic. The decoys are mostly unrelated, often legitimate, sites, so block on the C2 URL above (host plus campaign path) and treat the decoy domains as low-confidence context rather than as indicators in their own right.

Decoy domains (50):

le-hameau-enchanteur.com

quantumsystem-au.club

engravedeeply.com

yesrecompensas.lat

cavallitowerofficials.com

800seaspray.com

skifun-jetski.com

thouartafoot.com

nft2dollar.com

petrestore.online

cjcutthecord2.com

tippimccullough.com

gadget198.xyz

djmiriam.com

bitbasepay.com

cukierniawz.com

mcclureic.xyz

inthekitchenshakinandbakin.com

busy-clicks.com

melaniemorris.online

elysiangp.com

7bkj.com

wakeanddraw.com

ascalar.com

iteraxon.com

henleygirlscricket.com

torresflooringdecorllc.com

helgquieta.quest

xesteem.com

graffity-aws.com

bolerparts.com

andriylysenko.com

bestinvest-4-you.com

frelsicycling.com

airductcleaningindianapolis.net

nlproperties.net

alkoora.xyz

sakiyaman.com

wwwsmyrnaschooldistrict.com

unitedsafetyassociation.com

fiveallianceapparel.com

edgelordkids.com

herhauling.com

intelldat.com

weprepareamerica-planet.com

webartsolution.net

yiquge.com

marraasociados.com

dentalimplantnearyou-ca.space

linemanbible.com

Signatures 16

  • Xloader

    Description

    Xloader is the rebranded successor of the Formbook infostealer.

  • Xloader Payload

    Reported IOCs (resource / yara_rule)

    behavioral2/memory/3740-116-0x0000000000400000-0x0000000000429000-memory.dmp    xloader
    behavioral2/memory/3740-117-0x000000000041D4D0-mapping.dmp                       xloader
    behavioral2/memory/3012-124-0x0000000002340000-0x0000000002369000-memory.dmp    xloader
    behavioral2/memory/3456-137-0x000000000041D4D0-mapping.dmp                       xloader
  • Executes dropped EXE
    qxlh8tbpylmdi6ex.exe (PID 1880), qxlh8tbpylmdi6ex.exe (PID 3456)

    Reported IOCs (pid / process)

    1880    qxlh8tbpylmdi6ex.exe
    3456    qxlh8tbpylmdi6ex.exe
  • Loads dropped DLL
    TT COPY_02101011.exe, qxlh8tbpylmdi6ex.exe

    Reported IOCs (pid / process)

    2636    TT COPY_02101011.exe
    1880    qxlh8tbpylmdi6ex.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers commonly target stored browser data such as saved credentials, cookies and autofill entries. In this run the injected cmd.exe (PID 3012) copies Chrome's "Login Data" SQLite database to C:\Users\Admin\AppData\Local\Temp\DB1 (see PID 2596 in the process tree) and touches the Internet Explorer IntelliForms\Storage2 key, where IE keeps its autocomplete form data.

    TTPs

    Data from Local System, Credentials in Files
  • Adds Run key to start application
    cmd.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs (description / ioc / process)

    Key created        \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run    cmd.exe
    Set value (str)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5J3DUFWXGH = "C:\\Program Files (x86)\\Isxxxv4vp\\qxlh8tbpylmdi6ex.exe"    cmd.exe

    The value lands under WOW6432Node because the writer is the 32-bit C:\Windows\SysWOW64\cmd.exe; this is the registry-redirected view of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, so the entry is machine-wide and fires for every user at logon. The value name and the directory name are generated per build, so they are not reusable indicators.
  • Suspicious use of SetThreadContext
    TT COPY_02101011.exe, TT COPY_02101011.exe, cmd.exe, qxlh8tbpylmdi6ex.exe

    Reported IOCs (description / pid / process / target process)

    PID 2636 set thread context of 3740    2636    TT COPY_02101011.exe    TT COPY_02101011.exe
    PID 3740 set thread context of 3020    3740    TT COPY_02101011.exe    Explorer.EXE
    PID 3012 set thread context of 3020    3012    cmd.exe                 Explorer.EXE
    PID 1880 set thread context of 3456    1880    qxlh8tbpylmdi6ex.exe    qxlh8tbpylmdi6ex.exe
  • Drops file in Program Files directory
    Explorer.EXE, cmd.exe

    Reported IOCs (description / ioc / process)

    File created                    C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe    Explorer.EXE
    File opened for modification    C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe    Explorer.EXE
    File opened for modification    C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe    cmd.exe
    File opened for modification    C:\Program Files (x86)\Isxxxv4vp                         Explorer.EXE

    The dropped qxlh8tbpylmdi6ex.exe has the same MD5/SHA1/SHA256 as the submitted sample (see Downloads), so this is a straight copy of the original installer written by the injected Explorer.EXE, not a second-stage binary.
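Persistence in this run is a Run value with a machine-generated name pointing at a copy of the sample in a random directory under Program Files (x86), with the file written by Explorer.EXE and cmd.exe rather than by an installer. The Python below, an added example and not part of the sandbox's tooling, parses the two tables above (re-spaced with pipes) and scores the entry with heuristics that survive the per-build renaming; the randomness test (a vowel-ratio check), the list of shell images, and the reason labels are this example's assumptions, not the report's.

```python
import re
from pathlib import PureWindowsPath

# Rows re-spaced from the report's "Adds Run key" and "Drops file in Program
# Files directory" tables. Columns: description | ioc | process. The Run value
# keeps the report's doubled backslashes exactly as printed.
REGISTRY_ROWS = r"""
Key created|\Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run|cmd.exe
Set value (str)|\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5J3DUFWXGH = "C:\\Program Files (x86)\\Isxxxv4vp\\qxlh8tbpylmdi6ex.exe"|cmd.exe
""".strip()

FILE_ROWS = r"""
File created|C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe|Explorer.EXE
File opened for modification|C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe|Explorer.EXE
File opened for modification|C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe|cmd.exe
File opened for modification|C:\Program Files (x86)\Isxxxv4vp|Explorer.EXE
""".strip()

# "...\Run\<value name> = "<path>"" as the sandbox prints a string value.
RUN_VALUE_RE = re.compile(r'\\Run\\([^\\=]+?) = "(.*)"$')

# Images that are shells/hosts, not installers (assumption of this example).
SHELL_IMAGES = {"explorer.exe", "cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe"}


def parse_rows(text):
    return [tuple(line.split("|")) for line in text.splitlines()]


def looks_random(token):
    """Crude generated-name test: alphanumeric, 8+ chars, contains a digit and
    has almost no vowels (assumption: real vendor names are pronounceable)."""
    if len(token) < 8 or not token.isalnum() or not any(c.isdigit() for c in token):
        return False
    letters = [c for c in token if c.isalpha()]
    vowels = sum(c.lower() in "aeiou" for c in letters)
    return bool(letters) and vowels / len(letters) <= 0.2


def run_key_entries(registry_rows):
    """Yield (value_name, target_path, writing_process) for Run values."""
    out = []
    for desc, ioc, proc in registry_rows:
        m = RUN_VALUE_RE.search(ioc)
        if desc.startswith("Set value") and m:
            # The report escapes backslashes inside string values; undo that.
            out.append((m.group(1), m.group(2).replace("\\\\", "\\"), proc))
    return out


def assess(registry_rows, file_rows):
    """Score each Run value. Reason labels are this example's, not the sandbox's:
      random-value-name   the value name looks machine-generated
      random-vendor-dir   the directory under Program Files (x86) looks generated
      shell-wrote-binary  the target file was written by a shell, not an installer
      writer-is-shell     the Run value itself was set by a shell process
    """
    findings = []
    for name, path, writer in run_key_entries(registry_rows):
        parts = PureWindowsPath(path).parts  # ('C:\\', 'Program Files (x86)', 'Isxxxv4vp', '...exe')
        reasons = []
        if looks_random(name):
            reasons.append("random-value-name")
        if len(parts) >= 4 and parts[1].lower().startswith("program files") and looks_random(parts[2]):
            reasons.append("random-vendor-dir")
        creators = {proc for _, ioc, proc in file_rows
                    if ioc.lower() == path.lower() and proc.lower() in SHELL_IMAGES}
        if creators:
            reasons.append("shell-wrote-binary")
        if writer.lower() in SHELL_IMAGES:
            reasons.append("writer-is-shell")
        findings.append({"value": name, "path": path,
                         "creators": sorted(creators), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in assess(parse_rows(REGISTRY_ROWS), parse_rows(FILE_ROWS)):
        print(f"Run\\{f['value']} -> {f['path']}")
        print(f"  written by: {f['creators']}")
        print(f"  reasons:    {', '.join(f['reasons'])}")
```

Because both the value name and the vendor directory change from build to build, a detection keyed on 5J3DUFWXGH or Isxxxv4vp would miss the next sample; the durable pattern is a shell process writing an executable into a fresh Program Files (x86) directory and then registering it under the machine Run key.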
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" note to this signature, but nothing in this run encrypts or renames files; for an Xloader sample the drive enumeration is better read as host discovery alongside the credential collection below.

    TTPs

    System Information Discovery
  • NSIS installer

    Reported IOCs (resource / yara_rule)

    behavioral2/files/0x0003000000000689-132.dat    nsis_installer_1
    behavioral2/files/0x0003000000000689-132.dat    nsis_installer_2
    behavioral2/files/0x0003000000000689-133.dat    nsis_installer_1
    behavioral2/files/0x0003000000000689-133.dat    nsis_installer_2
    behavioral2/files/0x0003000000000689-138.dat    nsis_installer_1
    behavioral2/files/0x0003000000000689-138.dat    nsis_installer_2

    The sample is an NSIS-built installer. The nssCA47.tmp and nswC461.tmp directories under %TEMP% (see Downloads) are NSIS plugin directories, and the wdtzbwxasut.dll unpacked into each of them is the dropped DLL that the "Loads dropped DLL" signature reports for PID 2636 and, after the copy is re-run from Program Files (x86), for PID 1880.
  • Modifies Internet Explorer settings
    cmd.exe

    TTPs

    Modify Registry

    Reported IOCs (description / ioc / process)

    Key created    \Registry\User\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2    cmd.exe
  • Suspicious behavior: EnumeratesProcesses
    TT COPY_02101011.exe, cmd.exe, qxlh8tbpylmdi6ex.exe

    Reported IOCs (pid / process, in report order, identical rows collapsed)

    3740    TT COPY_02101011.exe    4 events
    3012    cmd.exe                 46 events
    3456    qxlh8tbpylmdi6ex.exe    2 events
    3012    cmd.exe                 6 further events
  • Suspicious behavior: GetForegroundWindowSpam
    Explorer.EXE

    Reported IOCs (pid / process)

    3020    Explorer.EXE
  • Suspicious behavior: MapViewOfSection
    TT COPY_02101011.exe, cmd.exe

    Reported IOCs (pid / process, identical rows collapsed)

    3740    TT COPY_02101011.exe    3 events
    3012    cmd.exe                 4 events
  • Suspicious use of AdjustPrivilegeToken
    TT COPY_02101011.exe, cmd.exe, Explorer.EXE, qxlh8tbpylmdi6ex.exe

    Reported IOCs (description / pid / process)

    Token: SeDebugPrivilege             3740    TT COPY_02101011.exe
    Token: SeDebugPrivilege             3012    cmd.exe
    Token: SeShutdownPrivilege          3020    Explorer.EXE
    Token: SeCreatePagefilePrivilege    3020    Explorer.EXE
    Token: SeDebugPrivilege             3456    qxlh8tbpylmdi6ex.exe
  • Suspicious use of WriteProcessMemory
    TT COPY_02101011.exe, Explorer.EXE, cmd.exe, qxlh8tbpylmdi6ex.exe

    Reported IOCs (description / pid / process / target process, identical rows collapsed)

    PID 2636 wrote to memory of 3740    2636    TT COPY_02101011.exe    TT COPY_02101011.exe    6 events
    PID 3020 wrote to memory of 3012    3020    Explorer.EXE            cmd.exe                 3 events
    PID 3012 wrote to memory of 4072    3012    cmd.exe                 cmd.exe                 3 events
    PID 3012 wrote to memory of 2596    3012    cmd.exe                 cmd.exe                 3 events
    PID 3012 wrote to memory of 1688    3012    cmd.exe                 Firefox.exe             3 events
    PID 3020 wrote to memory of 1880    3020    Explorer.EXE            qxlh8tbpylmdi6ex.exe    3 events
    PID 1880 wrote to memory of 3456    1880    qxlh8tbpylmdi6ex.exe    qxlh8tbpylmdi6ex.exe    6 events
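Read together, the SetThreadContext and WriteProcessMemory rows describe the injection chain of this run: the sample starts a second copy of itself and rewrites it, that copy injects into Explorer.EXE, the injected Explorer spawns cmd.exe (which sets Explorer's thread context again) and re-launches the dropped copy from Program Files (x86), which repeats the self-injection. The Python below, added here and not part of the sandbox's tooling, parses those rows (re-spaced with pipes, with a trailing column for how many times the report repeats each row), collapses them into edges and grades each one. The grading rules, and the reading of a same-image SetThreadContext as hollowing of a suspended copy, are this example's assumptions rather than anything the report states.

```python
import re
from collections import defaultdict

# Rows re-spaced from the report's "Suspicious use of SetThreadContext" and
# "Suspicious use of WriteProcessMemory" tables. Columns: description | source
# pid | source image | target image | how many times the report lists the row.
REPORT_ROWS = """\
PID 2636 set thread context of 3740|2636|TT COPY_02101011.exe|TT COPY_02101011.exe|1
PID 3740 set thread context of 3020|3740|TT COPY_02101011.exe|Explorer.EXE|1
PID 3012 set thread context of 3020|3012|cmd.exe|Explorer.EXE|1
PID 1880 set thread context of 3456|1880|qxlh8tbpylmdi6ex.exe|qxlh8tbpylmdi6ex.exe|1
PID 2636 wrote to memory of 3740|2636|TT COPY_02101011.exe|TT COPY_02101011.exe|6
PID 3020 wrote to memory of 3012|3020|Explorer.EXE|cmd.exe|3
PID 3012 wrote to memory of 4072|3012|cmd.exe|cmd.exe|3
PID 3012 wrote to memory of 2596|3012|cmd.exe|cmd.exe|3
PID 3012 wrote to memory of 1688|3012|cmd.exe|Firefox.exe|3
PID 3020 wrote to memory of 1880|3020|Explorer.EXE|qxlh8tbpylmdi6ex.exe|3
PID 1880 wrote to memory of 3456|1880|qxlh8tbpylmdi6ex.exe|qxlh8tbpylmdi6ex.exe|6
"""

ROW_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+)$")


def parse_rows(text):
    """Yield (src_pid, dst_pid, kind, src_image, dst_image, count) per row,
    where kind is 'ctx' for SetThreadContext and 'write' for WriteProcessMemory."""
    for line in text.splitlines():
        desc, src, src_img, dst_img, count = line.split("|")
        m = ROW_RE.match(desc)
        if not m or int(m.group(1)) != int(src):
            raise ValueError(f"unparseable row: {line!r}")
        kind = "ctx" if m.group(2).startswith("set thread") else "write"
        yield int(src), int(m.group(3)), kind, src_img, dst_img, int(count)


def classify_edges(rows):
    """Collapse rows into one edge per (src, dst) and grade it. Grades are this
    example's rule set, not the sandbox's:
      cross-process-injection  SetThreadContext into a different image
      self-injection           SetThreadContext into a child running the same
                               image (consistent with hollowing a suspended copy)
      write-only               memory writes without a thread-context change;
                               weak on its own, since a parent writing into a
                               child it has just spawned produces the same row
    """
    edges = {}
    for src, dst, kind, src_img, dst_img, count in rows:
        e = edges.setdefault((src, dst), {"src_image": src_img, "dst_image": dst_img,
                                           "ctx": 0, "writes": 0})
        e["ctx" if kind == "ctx" else "writes"] += count
    for e in edges.values():
        if e["ctx"] and e["src_image"] != e["dst_image"]:
            e["grade"] = "cross-process-injection"
        elif e["ctx"]:
            e["grade"] = "self-injection"
        else:
            e["grade"] = "write-only"
    return edges


def injection_chain(edges, root):
    """Depth-first walk of the graded edges from `root`, returned as
    (src, dst, grade) triples in visit order. The visited set cuts the cycle
    cmd.exe 3012 -> Explorer.EXE 3020 -> cmd.exe 3012 present in this report."""
    by_src = defaultdict(list)
    for (s, d), e in edges.items():
        by_src[s].append((d, e["grade"]))
    out, seen, stack = [], {root}, [root]
    while stack:
        s = stack.pop()
        for d, grade in sorted(by_src[s]):
            out.append((s, d, grade))
            if d not in seen:
                seen.add(d)
                stack.append(d)
    return out


def strongest_findings(edges):
    """The edges to escalate first: thread-context changes into an image that
    is not the source's own (here both land in Explorer.EXE)."""
    return sorted((s, d, e["dst_image"]) for (s, d), e in edges.items()
                  if e["grade"] == "cross-process-injection")


if __name__ == "__main__":
    edges = classify_edges(parse_rows(REPORT_ROWS))
    for s, d, grade in injection_chain(edges, 2636):
        print(f"{s} -> {d}: {grade} ({edges[(s, d)]['writes']} writes)")
    print("high-confidence:", strongest_findings(edges))
```

Two different images (the sample copy 3740 and the injected cmd.exe 3012) both rewrite Explorer.EXE's thread context, which is the pair of rows worth escalating; the parent-to-child writes from Explorer into cmd.exe, Firefox.exe and the dropped copy look the same as ordinary process creation and only gain weight from the context around them.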
Processes 9
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Drops file in Program Files directory
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe
      "C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe"
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe
        "C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe"
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        PID:3740
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe"
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3012
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe"
        PID:4072
      • C:\Windows\SysWOW64\cmd.exe
        /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
        PID:2596
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        PID:1688
    • C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe
      "C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe"
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1880
      • C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe
        "C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe"
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        PID:3456
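Two of the cmd.exe children carry the credential theft and the cleanup of this run in plain command lines: "copy" of Chrome's Login Data to %TEMP%\DB1 and "del" of the original sample. The Python below, added here and not part of the sandbox report, tokenises the command lines of the process tree above (parent PIDs taken from the tree's nesting) and flags both. The table of browser store file names is this example's own, and the self-deletion check deliberately compares the deleted path against every process in the tree rather than the deleting process's ancestors, because after the Explorer.EXE injection the sample being erased is not an ancestor of the cmd.exe that erases it.

```python
import re
from pathlib import PureWindowsPath

# Process tree as the report shows it: (pid, parent pid, image, command line).
# Parent pids follow the report's nesting; rows are copied from the tree above.
PROCESS_TREE = [
    (3020, None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (2636, 3020, r"C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe"'),
    (3740, 2636, r"C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe"'),
    (3012, 3020, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\SysWOW64\cmd.exe"'),
    (4072, 3012, r"C:\Windows\SysWOW64\cmd.exe",
     r'/c del "C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe"'),
    (2596, 3012, r"C:\Windows\SysWOW64\cmd.exe",
     r'/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" '
     r'"C:\Users\Admin\AppData\Local\Temp\DB1" /V'),
    (1688, 3012, r"C:\Program Files\Mozilla Firefox\Firefox.exe",
     r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
    (1880, 3020, r"C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe",
     r'"C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe"'),
    (3456, 1880, r"C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe",
     r'"C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe"'),
]

# Basenames of browser credential stores this example knows about (well-known
# file names; extend for other browsers). Keys are lower-case.
CREDENTIAL_STORES = {
    "login data": "Chromium-family saved logins (Chrome/Edge/Brave)",
    "logins.json": "Firefox saved logins",
    "key4.db": "Firefox key store",
}

# Windows-style tokenising: a double-quoted run is one argument.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline):
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def ancestors(tree, pid):
    """Parent chain of `pid`, nearest first, as the report's nesting gives it."""
    parent = {p: pp for p, pp, _, _ in tree}
    chain = []
    while parent.get(pid) is not None:
        pid = parent[pid]
        chain.append(pid)
    return chain


def credential_store_copies(tree):
    """cmd.exe copying a known browser credential store somewhere else.
    Returns (pid, what, source, destination) per hit."""
    hits = []
    for pid, _, image, cmdline in tree:
        if PureWindowsPath(image).name.lower() != "cmd.exe":
            continue
        args = split_cmdline(cmdline)
        low = [a.lower() for a in args]
        if "copy" not in low:
            continue
        i = low.index("copy")
        if i + 2 >= len(args):
            continue
        src, dst = args[i + 1], args[i + 2]
        what = CREDENTIAL_STORES.get(PureWindowsPath(src).name.lower())
        if what:
            hits.append((pid, what, src, dst))
    return hits


def self_deletions(tree):
    """cmd.exe /c del <path> where <path> is the image of some process in the
    tree. Returns (pid, deleted_path, pids_running_that_image) per hit."""
    images = {}
    for pid, _, image, _ in tree:
        images.setdefault(image.lower(), []).append(pid)
    hits = []
    for pid, _, image, cmdline in tree:
        if PureWindowsPath(image).name.lower() != "cmd.exe":
            continue
        args = split_cmdline(cmdline)
        low = [a.lower() for a in args]
        if "del" in low:
            for target in args[low.index("del") + 1:]:
                owners = images.get(target.lower())
                if owners:
                    hits.append((pid, target, owners))
    return hits


if __name__ == "__main__":
    for pid, what, src, dst in credential_store_copies(PROCESS_TREE):
        print(f"pid {pid}: copies {what}: {src} -> {dst}; ancestors {ancestors(PROCESS_TREE, pid)}")
    for pid, target, owners in self_deletions(PROCESS_TREE):
        print(f"pid {pid}: deletes {target}, the image of pid(s) {owners}")
```

The ancestor list for either cmd.exe child is [3012, 3020], i.e. the injected cmd.exe and Explorer.EXE; the sample's own PIDs never appear in it, which is why a rule that only looks for "a process deleting its parent's image" misses this cleanup.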
Downloads

• C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe (the report lists this entry three times; one copy kept)
  MD5      ebabc0d66a9e01cc0926f3b311feff5f
  SHA1     83a44664135a7255045becde754dae29be496c8f
  SHA256   ea8733d0ea6248e2f522487d09e7854230a648e67f1a5e90fea31f6305a1ff7b
  SHA512   b9f9c3ec7080bf31e0ab43b68f8183d75a59ae262e7320e846883f7ec91695e5e01d70432a163252712fc7bdb6e27b6e5fb6b5589e31eb8779f3b2b5586eeeeb

• C:\Users\Admin\AppData\Local\Temp\5itxry81kuzl8up3
  MD5      7cfbccd72474438d7fc638703213241c
  SHA1     45da096b227587739be2cfd1fd216a7a0fc40a9a
  SHA256   02e9f10a4673cf06dc6ded72098e6d37e6162b5c88937eb67ebbfc0c0ee39d58
  SHA512   66b38fd3c6a4a9c85338e13776204a65a4be9323357c7758472946f2cc21ece513d4df4790cf232d109083365360046be38732725f09b56d5fc0bf4b0cc0629b

• C:\Users\Admin\AppData\Local\Temp\DB1
  MD5      b608d407fc15adea97c26936bc6f03f6
  SHA1     953e7420801c76393902c0d6bb56148947e41571
  SHA256   b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512   cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

• \Users\Admin\AppData\Local\Temp\nssCA47.tmp\wdtzbwxasut.dll
  MD5      54c860c5cd0476d353802753c7bbfb06
  SHA1     f3fac4c8e96cbb528944fe76c7f74fda8171a597
  SHA256   19fbfdb247a76a54351902926c309fd6d3e7be25c6dca0062fc781215680913e
  SHA512   83dd85d9a54a1fa688c7776a15e48d70b8ec12ed789f4ac2054fa3affaed3fdaa375a5bd3d542c7b1831810a4825ee518a14f2390c50bfb65d9b774bceb6b183

• \Users\Admin\AppData\Local\Temp\nswC461.tmp\wdtzbwxasut.dll (same hashes as the nssCA47.tmp copy)
  MD5      54c860c5cd0476d353802753c7bbfb06
  SHA1     f3fac4c8e96cbb528944fe76c7f74fda8171a597
  SHA256   19fbfdb247a76a54351902926c309fd6d3e7be25c6dca0062fc781215680913e
  SHA512   83dd85d9a54a1fa688c7776a15e48d70b8ec12ed789f4ac2054fa3affaed3fdaa375a5bd3d542c7b1831810a4825ee518a14f2390c50bfb65d9b774bceb6b183

Memory dumps

• memory/1880-131-0x0000000000000000-mapping.dmp
• memory/2596-129-0x0000000000000000-mapping.dmp
• memory/3012-124-0x0000000002340000-0x0000000002369000-memory.dmp
• memory/3012-126-0x0000000002D70000-0x0000000003090000-memory.dmp
• memory/3012-123-0x00000000001E0000-0x0000000000239000-memory.dmp
• memory/3012-122-0x0000000000000000-mapping.dmp
• memory/3012-127-0x0000000003090000-0x0000000003120000-memory.dmp
• memory/3020-128-0x00000000064E0000-0x0000000006666000-memory.dmp
• memory/3020-121-0x00000000061D0000-0x0000000006375000-memory.dmp
• memory/3456-137-0x000000000041D4D0-mapping.dmp
• memory/3456-139-0x0000000000A30000-0x0000000000D50000-memory.dmp
• memory/3740-116-0x0000000000400000-0x0000000000429000-memory.dmp
• memory/3740-120-0x00000000005E0000-0x00000000005F1000-memory.dmp
• memory/3740-119-0x0000000000A50000-0x0000000000D70000-memory.dmp
• memory/3740-117-0x000000000041D4D0-mapping.dmp
• memory/4072-125-0x0000000000000000-mapping.dmp