Analysis

  • max time kernel: 81s
  • max time network: 124s
  • platform: windows10_x64
  • resource: win10-en-20211208
  • submitted: 11-01-2022 01:06

General

  • Target: 1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe
  • Size: 594KB
  • MD5: 3307bd369cf29789bc0e4a28a60212bc
  • SHA1: a3427db83936cd9e5af6c98019945833680c007a
  • SHA256: 1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d
  • SHA512: bde682298b8c8ea82529ee07e4f3c68b18a8e1b8b9f94f3c119452341d4802f029a09f4a2e94dbf71a7e37c3aec769c3e6cacbf2633cb4f503fe8788a2b37c8f

Score: 10/10

Malware Config

Extracted

  • Family: xloader
  • Version: 2.5
  • Campaign: pnug
  • Decoy:


Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload (2 IoCs)
  • Loads dropped DLL (1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe (PID 2420)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe"
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • Child process: C:\Users\Admin\AppData\Local\Temp\1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe (PID 2744)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1b167aee9b70233663c28c1ed5ea099369f17b83b8f619dc0cf7925cfbb3b83d.exe"
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery: System Information Discovery, T1082 (1)


Downloads

  • \Users\Admin\AppData\Local\Temp\nsj9A4F.tmp\yiinyuiygtr.dll
    MD5: d4ad23215639a5f19713244b43b9436b
    SHA1: 90aac5a4f115241015b0b2e2635accf4b8dffded
    SHA256: b854dfeef6729df501459ff0599d87d9bbc0201cb822d121376481910bb767b9
    SHA512: 82a1a850c96f14d266052bd403001e3c4df5b879bfeed795202746d0e854c41ef9f4d4a40529b04d90771514d72bb973d3c0d79a55b81f791ab88ef7df64afd2
  • memory/2744-116-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
  • memory/2744-117-0x000000000041D400-mapping.dmp
  • memory/2744-118-0x00000000009E0000-0x0000000000D00000-memory.dmp (Filesize: 3.1MB)