Overview

overview

10

Static

static

1

Statement ...om.exe

windows7_x64

10

Statement ...om.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    01-12-2021 06:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Statement 12-01-2021.com.exe

  • Size

    552KB

  • MD5

    d84165c69252af24ac6a92da452b4eb2

  • SHA1

    5ca05c20d6240e1ab18c4204cfe3a8d85b5fede4

  • SHA256

    99e122686461defed546b28e1b3461a92cc5a3e0fe46cac917f5e130d5941f1f

  • SHA512

    ada97e517e7678ad971c73395d282d84c1b35493f7cd012ac226a08549757ec756d147ccc404620cd655804c24d1ed5f8e68390478fc3a5b6f134d326c78b3f5

Score
10/10
xloaderunznloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

unzn

C2

http://www.davanamays.com/unzn/

Decoy

xiulf.com

highcountrymortar.com

523561.com

marketingagency.tools

ganmovie.net

nationaalcontactpunt.com

sirrbter.com

begizas.xyz

missimi-fashion.com

munixc.info

daas.support

spaceworbc.com

faithtruthresolve.com

gymkub.com

thegrayverse.xyz

artisanmakefurniture.com

029tryy.com

ijuubx.biz

iphone13promax.club

techuniversus.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 4 IoCs
    rat
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Users\Admin\AppData\Local\Temp\Statement 12-01-2021.com.exe
      "C:\Users\Admin\AppData\Local\Temp\Statement 12-01-2021.com.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:848
      • C:\Users\Admin\AppData\Local\Temp\Statement 12-01-2021.com.exe
        "C:\Users\Admin\AppData\Local\Temp\Statement 12-01-2021.com.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:360
    • C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\SysWOW64\ipconfig.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Gathers network information
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1464
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Statement 12-01-2021.com.exe"
        3⤵
        • Deletes itself
        PID:288

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1
T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nst1298.tmp\flfxltt.dll
    MD5

    41986140e388b8d37885dce52f32306f

    SHA1

    1e89e16a2f2d68f6d5af6519ce0e61d28c1f7c26

    SHA256

    3d63725dd035a901cadb74b2f0a6942f91462bd79b72ccc2d8196a5e72885748

    SHA512

    e0d2a09e92c4805b99864703df41bd7f71a1c40d0ad8b209e679b6029ee75a7a80d11472ffaf63d2ce3c8f353a515c56321f14cb17b36b6be431a9173f692971

    Download Submit
  • memory/288-68-0x0000000000000000-mapping.dmp
    Download
  • memory/360-64-0x00000000005F0000-0x0000000000601000-memory.dmp
    Filesize

    68KB

    Download
  • memory/360-58-0x000000000041D430-mapping.dmp
    Download
  • memory/360-60-0x0000000000990000-0x0000000000C93000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/360-61-0x00000000003D0000-0x00000000003E1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/360-57-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/360-63-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/848-55-0x00000000764D1000-0x00000000764D3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1268-65-0x00000000071E0000-0x0000000007320000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1268-62-0x0000000006A60000-0x0000000006BF5000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1268-73-0x0000000008E80000-0x0000000008FA5000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1464-66-0x0000000000000000-mapping.dmp
    Download
  • memory/1464-69-0x00000000009E0000-0x00000000009EA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1464-71-0x0000000002110000-0x0000000002413000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1464-70-0x0000000000080000-0x00000000000A9000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1464-72-0x0000000000910000-0x00000000009A0000-memory.dmp
    Filesize

    576KB

    Download