Analysis

  • max time kernel
    152s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    19-01-2022 12:53

General

  • Target

    PROFORMA INVOICE_PDF.exe

  • Size

    718KB

  • MD5

    076375a538b587ac4d6297ffc2c8b58c

  • SHA1

    e1b0d3265fa30eb2cf3d207cb550b884963ff475

  • SHA256

    64c7583a94ab474b9cd3509e8ca73eb7a19e70ffc2c4fa4582ccd7fd3f10c5ec

  • SHA512

    8dd8f67a728a13b6c3928dc845213dd0ba0ce31b97f8dedd2c262c72483fc8674a619aa969f4275184de1ad7e1b75aff0fd9bf54a2b622a56e2827ec8c6c912f

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

nt3f

Decoy

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Xloader Payload 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE_PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE_PDF.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1212
      • C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE_PDF.exe
        "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE_PDF.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1052
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
      PID:1168
    • C:\Windows\SysWOW64\raserver.exe
      "C:\Windows\SysWOW64\raserver.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:1408

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery: System Information Discovery, T1082 (1)

Downloads

  • \Users\Admin\AppData\Local\Temp\nsyA30.tmp\idsllcv.dll
    MD5

    75a6e047d5d32cd1cc52dccb3c200d87

    SHA1

    f0fc2e45c5c324c27e9bb9c2a6ee3580e0dbac1c

    SHA256

    674500cab69b44aaf389ff8022d77cb6b1f3166225bb58cba2c964b843bc442e

    SHA512

    4a079e2e4444bdd4bc03defdd51040e15fb21a09a2d59344d1fb50a7629e722e6de558cf683dc20a94f1618d1923343f0fe83fd87c1928779d605848684a23f1

  • memory/1052-57-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

  • memory/1052-58-0x00000000008E0000-0x0000000000BE3000-memory.dmp
    Filesize

    3.0MB

  • memory/1052-60-0x0000000000340000-0x0000000000351000-memory.dmp
    Filesize

    68KB

  • memory/1212-55-0x0000000075D61000-0x0000000075D63000-memory.dmp
    Filesize

    8KB

  • memory/1380-61-0x0000000006BA0000-0x0000000006C9F000-memory.dmp
    Filesize

    1020KB

  • memory/1380-67-0x0000000006D70000-0x0000000006E9C000-memory.dmp
    Filesize

    1.2MB

  • memory/1408-63-0x0000000000530000-0x000000000054C000-memory.dmp
    Filesize

    112KB

  • memory/1408-64-0x0000000000080000-0x00000000000A9000-memory.dmp
    Filesize

    164KB

  • memory/1408-65-0x0000000001F90000-0x0000000002293000-memory.dmp
    Filesize

    3.0MB

  • memory/1408-66-0x0000000000630000-0x0000000001F81000-memory.dmp
    Filesize

    25.3MB