Overview

overview

10

Static

static

1

TT COPY_02101011.exe

windows7_x64

10

TT COPY_02101011.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    25-11-2021 16:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TT COPY_02101011.exe

  • Size

    302KB

  • MD5

    ebabc0d66a9e01cc0926f3b311feff5f

  • SHA1

    83a44664135a7255045becde754dae29be496c8f

  • SHA256

    ea8733d0ea6248e2f522487d09e7854230a648e67f1a5e90fea31f6305a1ff7b

  • SHA512

    b9f9c3ec7080bf31e0ab43b68f8183d75a59ae262e7320e846883f7ec91695e5e01d70432a163252712fc7bdb6e27b6e5fb6b5589e31eb8779f3b2b5586eeeeb

Score
10/10
xloadere8ialoaderpersistenceratspywarestealer

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

e8ia

C2

http://www.helpfromjames.com/e8ia/

Decoy

le-hameau-enchanteur.com

quantumsystem-au.club

engravedeeply.com

yesrecompensas.lat

cavallitowerofficials.com

800seaspray.com

skifun-jetski.com

thouartafoot.com

nft2dollar.com

petrestore.online

cjcutthecord2.com

tippimccullough.com

gadget198.xyz

djmiriam.com

bitbasepay.com

cukierniawz.com

mcclureic.xyz

inthekitchenshakinandbakin.com

busy-clicks.com

melaniemorris.online

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 4 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 6 IoCs
    installer
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe
      "C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe
        "C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3740
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3012
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe"
        3⤵
          PID:4072
        • C:\Windows\SysWOW64\cmd.exe
          /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
          3⤵
            PID:2596
          • C:\Program Files\Mozilla Firefox\Firefox.exe
            "C:\Program Files\Mozilla Firefox\Firefox.exe"
            3⤵
              PID:1688
          • C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe
            "C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe"
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1880
            • C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe
              "C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3456

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Credentials in Files

        1
        T1081

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe
          MD5

          ebabc0d66a9e01cc0926f3b311feff5f

          SHA1

          83a44664135a7255045becde754dae29be496c8f

          SHA256

          ea8733d0ea6248e2f522487d09e7854230a648e67f1a5e90fea31f6305a1ff7b

          SHA512

          b9f9c3ec7080bf31e0ab43b68f8183d75a59ae262e7320e846883f7ec91695e5e01d70432a163252712fc7bdb6e27b6e5fb6b5589e31eb8779f3b2b5586eeeeb

          Download Submit
        • C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe
          MD5

          ebabc0d66a9e01cc0926f3b311feff5f

          SHA1

          83a44664135a7255045becde754dae29be496c8f

          SHA256

          ea8733d0ea6248e2f522487d09e7854230a648e67f1a5e90fea31f6305a1ff7b

          SHA512

          b9f9c3ec7080bf31e0ab43b68f8183d75a59ae262e7320e846883f7ec91695e5e01d70432a163252712fc7bdb6e27b6e5fb6b5589e31eb8779f3b2b5586eeeeb

          Download Submit
        • C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe
          MD5

          ebabc0d66a9e01cc0926f3b311feff5f

          SHA1

          83a44664135a7255045becde754dae29be496c8f

          SHA256

          ea8733d0ea6248e2f522487d09e7854230a648e67f1a5e90fea31f6305a1ff7b

          SHA512

          b9f9c3ec7080bf31e0ab43b68f8183d75a59ae262e7320e846883f7ec91695e5e01d70432a163252712fc7bdb6e27b6e5fb6b5589e31eb8779f3b2b5586eeeeb

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\5itxry81kuzl8up3
          MD5

          7cfbccd72474438d7fc638703213241c

          SHA1

          45da096b227587739be2cfd1fd216a7a0fc40a9a

          SHA256

          02e9f10a4673cf06dc6ded72098e6d37e6162b5c88937eb67ebbfc0c0ee39d58

          SHA512

          66b38fd3c6a4a9c85338e13776204a65a4be9323357c7758472946f2cc21ece513d4df4790cf232d109083365360046be38732725f09b56d5fc0bf4b0cc0629b

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\DB1
          MD5

          b608d407fc15adea97c26936bc6f03f6

          SHA1

          953e7420801c76393902c0d6bb56148947e41571

          SHA256

          b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

          SHA512

          cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

          Download Submit
        • \Users\Admin\AppData\Local\Temp\nssCA47.tmp\wdtzbwxasut.dll
          MD5

          54c860c5cd0476d353802753c7bbfb06

          SHA1

          f3fac4c8e96cbb528944fe76c7f74fda8171a597

          SHA256

          19fbfdb247a76a54351902926c309fd6d3e7be25c6dca0062fc781215680913e

          SHA512

          83dd85d9a54a1fa688c7776a15e48d70b8ec12ed789f4ac2054fa3affaed3fdaa375a5bd3d542c7b1831810a4825ee518a14f2390c50bfb65d9b774bceb6b183

          Download Submit
        • \Users\Admin\AppData\Local\Temp\nswC461.tmp\wdtzbwxasut.dll
          MD5

          54c860c5cd0476d353802753c7bbfb06

          SHA1

          f3fac4c8e96cbb528944fe76c7f74fda8171a597

          SHA256

          19fbfdb247a76a54351902926c309fd6d3e7be25c6dca0062fc781215680913e

          SHA512

          83dd85d9a54a1fa688c7776a15e48d70b8ec12ed789f4ac2054fa3affaed3fdaa375a5bd3d542c7b1831810a4825ee518a14f2390c50bfb65d9b774bceb6b183

          Download Submit
        • memory/1880-131-0x0000000000000000-mapping.dmp
          Download
        • memory/2596-129-0x0000000000000000-mapping.dmp
          Download
        • memory/3012-126-0x0000000002D70000-0x0000000003090000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/3012-123-0x00000000001E0000-0x0000000000239000-memory.dmp
          Filesize

          356KB

          Download
        • memory/3012-127-0x0000000003090000-0x0000000003120000-memory.dmp
          Filesize

          576KB

          Download
        • memory/3012-122-0x0000000000000000-mapping.dmp
          Download
        • memory/3012-124-0x0000000002340000-0x0000000002369000-memory.dmp
          Filesize

          164KB

          Download
        • memory/3020-121-0x00000000061D0000-0x0000000006375000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3020-128-0x00000000064E0000-0x0000000006666000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/3456-137-0x000000000041D4D0-mapping.dmp
          Download
        • memory/3456-139-0x0000000000A30000-0x0000000000D50000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/3740-120-0x00000000005E0000-0x00000000005F1000-memory.dmp
          Filesize

          68KB

          Download
        • memory/3740-119-0x0000000000A50000-0x0000000000D70000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/3740-117-0x000000000041D4D0-mapping.dmp
          Download
        • memory/3740-116-0x0000000000400000-0x0000000000429000-memory.dmp
          Filesize

          164KB

          Download
        • memory/4072-125-0x0000000000000000-mapping.dmp
          Download