Analysis
-
max time kernel
17s -
max time network
25s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
19-01-2022 12:53
General
-
Target
PROFORMA INVOICE_PDF.exe
-
Size
718KB
-
MD5
076375a538b587ac4d6297ffc2c8b58c
-
SHA1
e1b0d3265fa30eb2cf3d207cb550b884963ff475
-
SHA256
64c7583a94ab474b9cd3509e8ca73eb7a19e70ffc2c4fa4582ccd7fd3f10c5ec
-
SHA512
8dd8f67a728a13b6c3928dc845213dd0ba0ce31b97f8dedd2c262c72483fc8674a619aa969f4275184de1ad7e1b75aff0fd9bf54a2b622a56e2827ec8c6c912f
Malware Config
Extracted
xloader
2.5
nt3f
tricyclee.com
kxsw999.com
wisteria-pavilion.com
bellaclancy.com
promissioskincare.com
hzy001.xyz
checkouthomehd.com
soladere.com
point4sales.com
socalmafia.com
libertadysarmiento.online
nftthirty.com
digitalgoldcryptostock.net
tulekiloscaird.com
austinfishandchicken.com
wlxxch.com
mgav51.xyz
landbanking.global
saprove.com
babyfaces.skin
Signatures
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Xloader Payload 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE_PDF.exe"C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE_PDF.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE_PDF.exe"C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE_PDF.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\nsa8B96.tmp\idsllcv.dllMD5
75a6e047d5d32cd1cc52dccb3c200d87
SHA1f0fc2e45c5c324c27e9bb9c2a6ee3580e0dbac1c
SHA256674500cab69b44aaf389ff8022d77cb6b1f3166225bb58cba2c964b843bc442e
SHA5124a079e2e4444bdd4bc03defdd51040e15fb21a09a2d59344d1fb50a7629e722e6de558cf683dc20a94f1618d1923343f0fe83fd87c1928779d605848684a23f1
-
memory/1060-131-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB