Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    110s
  • max time network
    125s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    12-01-2022 13:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8ad6a7b3eabe8b13dac49c87671807b8185f42e9c3bd6ac94c33f4ab3435bd60.exe

  • Size

    404KB

  • MD5

    bab6e1a8f9654f390192b69e25418de5

  • SHA1

    0740a5161c3a065a84b4caf0bc194f1736ba79df

  • SHA256

    8ad6a7b3eabe8b13dac49c87671807b8185f42e9c3bd6ac94c33f4ab3435bd60

  • SHA512

    1143cc6133e3e6731e15e71cbe87398c90cb2e80fcfff6fb3ee115b2f543b677c48e907fde940898b3ffd0ded89cd21239cbfdd5e72e2555a7f03be4e09b23a8

Score
10/10
xloadernt3floaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

nt3f

Decoy

tricyclee.com

kxsw999.com

wisteria-pavilion.com

bellaclancy.com

promissioskincare.com

hzy001.xyz

checkouthomehd.com

soladere.com

point4sales.com

socalmafia.com

libertadysarmiento.online

nftthirty.com

digitalgoldcryptostock.net

tulekiloscaird.com

austinfishandchicken.com

wlxxch.com

mgav51.xyz

landbanking.global

saprove.com

babyfaces.skin

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ad6a7b3eabe8b13dac49c87671807b8185f42e9c3bd6ac94c33f4ab3435bd60.exe
    "C:\Users\Admin\AppData\Local\Temp\8ad6a7b3eabe8b13dac49c87671807b8185f42e9c3bd6ac94c33f4ab3435bd60.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3584
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UVfsWG.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:392
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UVfsWG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp44D5.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3352
    • C:\Users\Admin\AppData\Local\Temp\8ad6a7b3eabe8b13dac49c87671807b8185f42e9c3bd6ac94c33f4ab3435bd60.exe
      "C:\Users\Admin\AppData\Local\Temp\8ad6a7b3eabe8b13dac49c87671807b8185f42e9c3bd6ac94c33f4ab3435bd60.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp44D5.tmp
    MD5

    e8d906703e09e9ac12d29a1dfe54dda2

    SHA1

    6f279132fb73936caf48ed42c0dcf9514450bcd4

    SHA256

    45778db0347c6f618a36a4127b9bc67a05e95fcf690588cde1e1d673219a7c46

    SHA512

    55f4bc6c68f1a29ef1b25ee3f3b709096d854c1a2c7d6f63d1b4a032b678c74bb271e7be94cb141608313a91085c9585b192a2bffd45764aaef1d21cbda57485

    Download Submit
  • memory/392-156-0x0000000007F40000-0x0000000007FA6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/392-367-0x0000000009C80000-0x0000000009C88000-memory.dmp
    Filesize

    32KB

    Download
  • memory/392-372-0x0000000009C80000-0x0000000009C88000-memory.dmp
    Filesize

    32KB

    Download
  • memory/392-139-0x00000000081A0000-0x00000000084F0000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/392-366-0x0000000009C90000-0x0000000009CAA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/392-361-0x0000000009C90000-0x0000000009CAA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/392-236-0x0000000004F73000-0x0000000004F74000-memory.dmp
    Filesize

    4KB

    Download
  • memory/392-167-0x0000000009D00000-0x0000000009D94000-memory.dmp
    Filesize

    592KB

    Download
  • memory/392-166-0x0000000009B30000-0x0000000009BD5000-memory.dmp
    Filesize

    660KB

    Download
  • memory/392-125-0x0000000000000000-mapping.dmp
    Download
  • memory/392-161-0x000000007F5F0000-0x000000007F5F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/392-127-0x0000000003530000-0x0000000003531000-memory.dmp
    Filesize

    4KB

    Download
  • memory/392-128-0x0000000003530000-0x0000000003531000-memory.dmp
    Filesize

    4KB

    Download
  • memory/392-160-0x00000000097B0000-0x00000000097CE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/392-130-0x0000000004E10000-0x0000000004E46000-memory.dmp
    Filesize

    216KB

    Download
  • memory/392-158-0x0000000008630000-0x000000000867B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/392-138-0x0000000004F72000-0x0000000004F73000-memory.dmp
    Filesize

    4KB

    Download
  • memory/392-133-0x0000000007910000-0x0000000007F38000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/392-134-0x0000000007870000-0x0000000007892000-memory.dmp
    Filesize

    136KB

    Download
  • memory/392-135-0x0000000007F40000-0x0000000007FA6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/392-136-0x0000000008020000-0x0000000008086000-memory.dmp
    Filesize

    408KB

    Download
  • memory/392-137-0x0000000004F70000-0x0000000004F71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/392-140-0x0000000008510000-0x000000000852C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/392-159-0x00000000089A0000-0x0000000008A16000-memory.dmp
    Filesize

    472KB

    Download
  • memory/392-157-0x0000000008020000-0x0000000008086000-memory.dmp
    Filesize

    408KB

    Download
  • memory/392-141-0x0000000008630000-0x000000000867B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/392-155-0x0000000007870000-0x0000000007892000-memory.dmp
    Filesize

    136KB

    Download
  • memory/392-143-0x00000000089A0000-0x0000000008A16000-memory.dmp
    Filesize

    472KB

    Download
  • memory/392-144-0x0000000003530000-0x0000000003531000-memory.dmp
    Filesize

    4KB

    Download
  • memory/392-152-0x0000000007910000-0x0000000007F38000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/392-153-0x0000000009A00000-0x0000000009A33000-memory.dmp
    Filesize

    204KB

    Download
  • memory/392-154-0x0000000009A00000-0x0000000009A33000-memory.dmp
    Filesize

    204KB

    Download
  • memory/588-131-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/588-142-0x0000000001300000-0x0000000001620000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/588-132-0x000000000041D460-mapping.dmp
    Download
  • memory/3352-126-0x0000000000000000-mapping.dmp
    Download
  • memory/3584-124-0x0000000008B90000-0x0000000008BEE000-memory.dmp
    Filesize

    376KB

    Download
  • memory/3584-115-0x0000000000730000-0x000000000079C000-memory.dmp
    Filesize

    432KB

    Download
  • memory/3584-117-0x0000000005620000-0x0000000005B1E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3584-116-0x0000000000730000-0x000000000079C000-memory.dmp
    Filesize

    432KB

    Download
  • memory/3584-123-0x00000000089F0000-0x0000000008A8C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/3584-122-0x0000000008670000-0x00000000086BB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/3584-121-0x0000000005610000-0x000000000561E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/3584-120-0x0000000005100000-0x000000000510A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3584-119-0x0000000005120000-0x000000000561E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3584-118-0x0000000005120000-0x00000000051B2000-memory.dmp
    Filesize

    584KB

    Download