Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    10-01-2022 12:17

General

  • Target

    DEC SOA_09012022.exe

  • Size

    373KB

  • MD5

    6046b2f34b67e06c817f4375c6d26a54

  • SHA1

    2230944a4216a07fde067866af7e81e1a52e8535

  • SHA256

    56d2b2837e2856b61ad276a3b52151851a79e366c22c03652caf2ad2b50623db

  • SHA512

    542a355b0b51c43d7462f255822401fcce56ba8a3c1f117a578f68c762cd329bf533667e8f6c1f56bad8ff71678954b59edec1da725b2a837bb401edcf94b2ac

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

igwa

Decoy

listingswithalex.com

funtabse.com

aydenwalling.com

prochal.net

superfoodsnederland.com

moldluck.com

dianekgordon.store

regionalhomescommercial.com

mysecuritymadesimple.com

malwaremastery.com

kodaikeiko.com

jrzg996.com

agricurve.net

songlingjiu.com

virginianundahfishingclub.com

friendschance.com

pastelpresents.com

answertitles.com

survival-hunter.com

nxfddl.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Xloader Payload 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 6 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe
      "C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:912
      • C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe
        "C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1028
    • C:\Windows\SysWOW64\msdt.exe
      "C:\Windows\SysWOW64\msdt.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3924
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe"
        3⤵
          PID:1824
        • C:\Windows\SysWOW64\cmd.exe
          /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
          3⤵
            PID:3620
          • C:\Program Files\Mozilla Firefox\Firefox.exe
            "C:\Program Files\Mozilla Firefox\Firefox.exe"
            3⤵
              PID:1184
          • C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe
            "C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe"
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2648
            • C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe
              "C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:688

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Credentials in Files

        1
        T1081

        Discovery

        System Information Discovery

        1
        T1082

        Collection

        Data from Local System

        1
        T1005

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe
          MD5

          6046b2f34b67e06c817f4375c6d26a54

          SHA1

          2230944a4216a07fde067866af7e81e1a52e8535

          SHA256

          56d2b2837e2856b61ad276a3b52151851a79e366c22c03652caf2ad2b50623db

          SHA512

          542a355b0b51c43d7462f255822401fcce56ba8a3c1f117a578f68c762cd329bf533667e8f6c1f56bad8ff71678954b59edec1da725b2a837bb401edcf94b2ac

        • C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe
          MD5

          6046b2f34b67e06c817f4375c6d26a54

          SHA1

          2230944a4216a07fde067866af7e81e1a52e8535

          SHA256

          56d2b2837e2856b61ad276a3b52151851a79e366c22c03652caf2ad2b50623db

          SHA512

          542a355b0b51c43d7462f255822401fcce56ba8a3c1f117a578f68c762cd329bf533667e8f6c1f56bad8ff71678954b59edec1da725b2a837bb401edcf94b2ac

        • C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe
          MD5

          6046b2f34b67e06c817f4375c6d26a54

          SHA1

          2230944a4216a07fde067866af7e81e1a52e8535

          SHA256

          56d2b2837e2856b61ad276a3b52151851a79e366c22c03652caf2ad2b50623db

          SHA512

          542a355b0b51c43d7462f255822401fcce56ba8a3c1f117a578f68c762cd329bf533667e8f6c1f56bad8ff71678954b59edec1da725b2a837bb401edcf94b2ac

        • C:\Users\Admin\AppData\Local\Temp\DB1
          MD5

          b608d407fc15adea97c26936bc6f03f6

          SHA1

          953e7420801c76393902c0d6bb56148947e41571

          SHA256

          b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

          SHA512

          cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

        • C:\Users\Admin\AppData\Local\Temp\dzj7wydhstvhlw1sy23
          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        • C:\Users\Admin\AppData\Local\Temp\wklfmyml
          MD5

          50c3351485ffad798f860720ca86c51d

          SHA1

          0bc92630e09367fc9d874c171c556198add38267

          SHA256

          73075fdf0c62d3d9a9ea4b57f5dbd6349235be6ed8a848d95f0caf5de2f14448

          SHA512

          d87494b1bde8c3f7002ff077d190a629d01acf5250ec36a0e00c4864681f83837b5b8599032f9c09c1c832a141ad281123d5d71579528e8dc7107913d2851018

        • \Users\Admin\AppData\Local\Temp\nsi20D9.tmp\rwxef.dll
          MD5

          52944a6532acdb2543a8f6076c5b1eeb

          SHA1

          f01e61cd9d9b724e1d77851440493858c008100b

          SHA256

          5432fa320cbf8e925f37aae93da2602d41e912dd8141332e38fb49b5c955290e

          SHA512

          b5510b843f40ef0e4d30ecac150409634cad612701575ca4f022bee266dba9b703cfdbd60c11018001d030ed45f9496815773d9dda3953bfe85af4d99260e22a

        • \Users\Admin\AppData\Local\Temp\nsiB57.tmp\rwxef.dll
          MD5

          52944a6532acdb2543a8f6076c5b1eeb

          SHA1

          f01e61cd9d9b724e1d77851440493858c008100b

          SHA256

          5432fa320cbf8e925f37aae93da2602d41e912dd8141332e38fb49b5c955290e

          SHA512

          b5510b843f40ef0e4d30ecac150409634cad612701575ca4f022bee266dba9b703cfdbd60c11018001d030ed45f9496815773d9dda3953bfe85af4d99260e22a

        • memory/688-138-0x000000000041D440-mapping.dmp
        • memory/688-140-0x00000000009D0000-0x0000000000CF0000-memory.dmp
          Filesize

          3.1MB

        • memory/1028-120-0x00000000006D0000-0x00000000006E1000-memory.dmp
          Filesize

          68KB

        • memory/1028-119-0x00000000009C0000-0x0000000000CE0000-memory.dmp
          Filesize

          3.1MB

        • memory/1028-117-0x000000000041D440-mapping.dmp
        • memory/1028-116-0x0000000000400000-0x0000000000429000-memory.dmp
          Filesize

          164KB

        • memory/1824-125-0x0000000000000000-mapping.dmp
        • memory/2648-131-0x0000000000000000-mapping.dmp
        • memory/3056-128-0x0000000005C90000-0x0000000005DE4000-memory.dmp
          Filesize

          1.3MB

        • memory/3056-121-0x0000000005790000-0x00000000058C8000-memory.dmp
          Filesize

          1.2MB

        • memory/3620-129-0x0000000000000000-mapping.dmp
        • memory/3924-127-0x00000000049F0000-0x0000000004A80000-memory.dmp
          Filesize

          576KB

        • memory/3924-126-0x0000000004BA0000-0x0000000004EC0000-memory.dmp
          Filesize

          3.1MB

        • memory/3924-124-0x0000000000A70000-0x0000000000A99000-memory.dmp
          Filesize

          164KB

        • memory/3924-123-0x00000000010D0000-0x0000000001243000-memory.dmp
          Filesize

          1.4MB

        • memory/3924-122-0x0000000000000000-mapping.dmp