Overview

overview

10

Static

static

50376d0b1e...34.exe

windows7_x64

10

50376d0b1e...34.exe

windows10_x64

10

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    12-01-2022 10:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    50376d0b1e8512f7181eff0d87feb534.exe

  • Size

    366KB

  • MD5

    50376d0b1e8512f7181eff0d87feb534

  • SHA1

    fb5f6fcb930c10abef806138d2839bff3247f973

  • SHA256

    e4999525a5626a76247a8f02a9e08c0ea35f13f717687b8a966cddb72f8adc6f

  • SHA512

    bd3e399c262bbe4e8ef730985162f361ba0469c4995f64a34ac27b401df9573e7957dc46119f2c56f10ba27132ad9cffd411b658fca914add43f33c8830189ea

Score
10/10
xloadernt3floaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

nt3f

Decoy

tricyclee.com

kxsw999.com

wisteria-pavilion.com

bellaclancy.com

promissioskincare.com

hzy001.xyz

checkouthomehd.com

soladere.com

point4sales.com

socalmafia.com

libertadysarmiento.online

nftthirty.com

digitalgoldcryptostock.net

tulekiloscaird.com

austinfishandchicken.com

wlxxch.com

mgav51.xyz

landbanking.global

saprove.com

babyfaces.skin

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\50376d0b1e8512f7181eff0d87feb534.exe
    "C:\Users\Admin\AppData\Local\Temp\50376d0b1e8512f7181eff0d87feb534.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eEkpoxtGLuQ.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1484
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eEkpoxtGLuQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD5D5.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1644
    • C:\Users\Admin\AppData\Local\Temp\50376d0b1e8512f7181eff0d87feb534.exe
      "C:\Users\Admin\AppData\Local\Temp\50376d0b1e8512f7181eff0d87feb534.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpD5D5.tmp
    MD5

    8fa4d8fae187de6295ac153db80759e9

    SHA1

    0565724032561711cfc92d334629a3809e39d6e6

    SHA256

    6f5cb1d540be5d0159a0c5bb16727f86913f1bbd43f1e5dcc7100915a5e87118

    SHA512

    7731652eed025059e64b7fdc896ae1918e88bc8adc6d81b3d75e03f950ca8ba7759e80951bbbf889f6bc13c8bdbb5fd81bc4bc3ada112db1a881fae2c8005416

    Download Submit
  • memory/1304-56-0x0000000000040000-0x00000000000A2000-memory.dmp
    Filesize

    392KB

    Download
  • memory/1304-57-0x0000000075F91000-0x0000000075F93000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1304-58-0x0000000004CA0000-0x0000000004CA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1304-59-0x0000000000830000-0x000000000083E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1304-60-0x0000000004D70000-0x0000000004DD0000-memory.dmp
    Filesize

    384KB

    Download
  • memory/1304-55-0x0000000000040000-0x00000000000A2000-memory.dmp
    Filesize

    392KB

    Download
  • memory/1484-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1484-70-0x0000000002440000-0x000000000308A000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/1644-63-0x0000000000000000-mapping.dmp
    Download
  • memory/1676-65-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1676-66-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1676-67-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1676-68-0x000000000041D460-mapping.dmp
    Download
  • memory/1676-69-0x00000000008C0000-0x0000000000BC3000-memory.dmp
    Filesize

    3.0MB

    Download