Resubmissions

  • 17-01-2022 09:47, 220117-lsbfvahch4, score 10
  • 17-01-2022 09:46, 220117-lrzr2shehk, score 1
  • 17-01-2022 09:40, 220117-lnkhyshcf3, score 10

Analysis

  • max time kernel
    4265058s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    17-01-2022 09:40

General

  • Target

    10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe

  • Size

    592KB

  • MD5

    f8e05f051c4151136ab7da1002e4c915

  • SHA1

    23bd18eee8c7cdc3fe21ecb778af9a89e855b71e

  • SHA256

    10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74

  • SHA512

    427a04103a5fbede6f2ebe2e5e82a5fc4790b5108ac9bb165f96cc04871d655ca12a92d2bbaea13491a56e76122aa0412595613560e392fa1a7365c81e829463

Score: 10/10

Malware Config

Extracted

  • Family
    xloader
  • Version
    2.5
  • Campaign
    pnug
  • Decoy


Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe
    "C:\Users\Admin\AppData\Local\Temp\10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe"
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3528
    • C:\Users\Admin\AppData\Local\Temp\10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe
      "C:\Users\Admin\AppData\Local\Temp\10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74.exe"
      • Suspicious behavior: EnumeratesProcesses
      PID:4056
  • C:\Windows\system32\MusNotification.exe
    C:\Windows\system32\MusNotification.exe
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:3748

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • Query Registry (T1012), 1
    • System Information Discovery (T1082), 1

Downloads

  • memory/3528-130-0x0000000000930000-0x00000000009CA000-memory.dmp
    Filesize

    616KB

  • memory/3528-131-0x0000000000930000-0x00000000009CA000-memory.dmp
    Filesize

    616KB

  • memory/3528-132-0x00000000058E0000-0x0000000005E84000-memory.dmp
    Filesize

    5.6MB

  • memory/3528-133-0x00000000053D0000-0x0000000005462000-memory.dmp
    Filesize

    584KB

  • memory/3528-134-0x0000000005330000-0x00000000058D4000-memory.dmp
    Filesize

    5.6MB

  • memory/3528-135-0x0000000005380000-0x000000000538A000-memory.dmp
    Filesize

    40KB

  • memory/3528-136-0x0000000008CB0000-0x0000000008D4C000-memory.dmp
    Filesize

    624KB

  • memory/4056-137-0x0000000000000000-mapping.dmp
  • memory/4056-138-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

  • memory/4056-139-0x0000000000F00000-0x000000000124A000-memory.dmp
    Filesize

    3.3MB