Overview

overview

10

Static

static

1

DEC SOA_09012022.exe

windows7_x64

10

DEC SOA_09012022.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    10-01-2022 07:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DEC SOA_09012022.exe

  • Size

    373KB

  • MD5

    6046b2f34b67e06c817f4375c6d26a54

  • SHA1

    2230944a4216a07fde067866af7e81e1a52e8535

  • SHA256

    56d2b2837e2856b61ad276a3b52151851a79e366c22c03652caf2ad2b50623db

  • SHA512

    542a355b0b51c43d7462f255822401fcce56ba8a3c1f117a578f68c762cd329bf533667e8f6c1f56bad8ff71678954b59edec1da725b2a837bb401edcf94b2ac

Score
10/10
xloaderigwaloaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

igwa

Decoy

listingswithalex.com

funtabse.com

aydenwalling.com

prochal.net

superfoodsnederland.com

moldluck.com

dianekgordon.store

regionalhomescommercial.com

mysecuritymadesimple.com

malwaremastery.com

kodaikeiko.com

jrzg996.com

agricurve.net

songlingjiu.com

virginianundahfishingclub.com

friendschance.com

pastelpresents.com

answertitles.com

survival-hunter.com

nxfddl.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 3 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe
      "C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3292
      • C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe
        "C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3584
    • C:\Windows\SysWOW64\chkdsk.exe
      "C:\Windows\SysWOW64\chkdsk.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3668
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe"
        3⤵
          PID:3888

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    2
    T1082

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\nskF687.tmp\rwxef.dll
      MD5

      52944a6532acdb2543a8f6076c5b1eeb

      SHA1

      f01e61cd9d9b724e1d77851440493858c008100b

      SHA256

      5432fa320cbf8e925f37aae93da2602d41e912dd8141332e38fb49b5c955290e

      SHA512

      b5510b843f40ef0e4d30ecac150409634cad612701575ca4f022bee266dba9b703cfdbd60c11018001d030ed45f9496815773d9dda3953bfe85af4d99260e22a

      Download Submit
    • memory/3052-128-0x0000000002910000-0x0000000002A00000-memory.dmp
      Filesize

      960KB

      Download
    • memory/3052-121-0x0000000004E10000-0x0000000004F97000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/3584-116-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/3584-117-0x000000000041D440-mapping.dmp
      Download
    • memory/3584-120-0x00000000008E0000-0x00000000008F1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/3584-119-0x0000000000950000-0x0000000000C70000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/3668-122-0x0000000000000000-mapping.dmp
      Download
    • memory/3668-124-0x0000000000760000-0x0000000000789000-memory.dmp
      Filesize

      164KB

      Download
    • memory/3668-126-0x0000000005210000-0x0000000005530000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/3668-127-0x0000000004F60000-0x0000000004FF0000-memory.dmp
      Filesize

      576KB

      Download
    • memory/3668-123-0x0000000000A60000-0x0000000000A6A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3888-125-0x0000000000000000-mapping.dmp
      Download