Overview

overview

10

Static

static

97ccf6ebd6...f0.exe

windows7_x64

10

97ccf6ebd6...f0.exe

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    10-01-2022 15:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    97ccf6ebd6abe7786677f0e6e6b8aef0.exe

  • Size

    882KB

  • MD5

    97ccf6ebd6abe7786677f0e6e6b8aef0

  • SHA1

    be06f330c04450b80848d8c5ed680dd8fce61c21

  • SHA256

    44ed69358c6ef98ffc0e4da5aee0692f74fd03b8a7ea7c5c3b08f427f32a45e5

  • SHA512

    0f4d549a3798ba0e9e10bc2e7f680290f5fc5b11c39e3f784cf04c1c0969739d906bd556f5c7f722c4a6d4d2d1ed2ab3246d2e668f03149fa1a033eeff17e761

Score
10/10
xloadernt3floaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

nt3f

Decoy

tricyclee.com

kxsw999.com

wisteria-pavilion.com

bellaclancy.com

promissioskincare.com

hzy001.xyz

checkouthomehd.com

soladere.com

point4sales.com

socalmafia.com

libertadysarmiento.online

nftthirty.com

digitalgoldcryptostock.net

tulekiloscaird.com

austinfishandchicken.com

wlxxch.com

mgav51.xyz

landbanking.global

saprove.com

babyfaces.skin

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\97ccf6ebd6abe7786677f0e6e6b8aef0.exe
    "C:\Users\Admin\AppData\Local\Temp\97ccf6ebd6abe7786677f0e6e6b8aef0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wLPRsknlyKFXuL.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1528
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wLPRsknlyKFXuL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9147.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:852
    • C:\Users\Admin\AppData\Local\Temp\97ccf6ebd6abe7786677f0e6e6b8aef0.exe
      "C:\Users\Admin\AppData\Local\Temp\97ccf6ebd6abe7786677f0e6e6b8aef0.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp9147.tmp
    MD5

    0d87e4baec25a048c6b40293736cd63d

    SHA1

    578d487657ad2fc3925d0ea89c027a8093aca712

    SHA256

    e18b150d09817366a8ca43716bb15490b7085a5e6a089eab55d4e1d06289ad3a

    SHA512

    6f1d2b531a2ff7bab5848ba56d98b72d5f082e5ec764c1bfda60e73faf7bc6a2794e23b950928bfca78236150ad2a0c65432839fc0f3a2a1e9e63638e638eac1

    Download Submit
  • memory/852-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1528-59-0x0000000000000000-mapping.dmp
    Download
  • memory/1528-68-0x00000000024C0000-0x000000000310A000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/1528-61-0x0000000076151000-0x0000000076153000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1688-57-0x0000000000360000-0x000000000036E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1688-58-0x0000000005270000-0x00000000052CE000-memory.dmp
    Filesize

    376KB

    Download
  • memory/1688-54-0x0000000000CC0000-0x0000000000DA4000-memory.dmp
    Filesize

    912KB

    Download
  • memory/1688-56-0x0000000004F50000-0x0000000004F51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1688-55-0x0000000000CC0000-0x0000000000DA4000-memory.dmp
    Filesize

    912KB

    Download
  • memory/1852-63-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1852-64-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1852-65-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1852-66-0x000000000041D460-mapping.dmp
    Download
  • memory/1852-67-0x00000000008A0000-0x0000000000BA3000-memory.dmp
    Filesize

    3.0MB

    Download