Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    20-01-2022 08:28

General

  • Target

    MV ULTRASONIC_PDA$62,000.exe

  • Size

    287KB

  • MD5

    238fa7f1204998f7b13571649e15508a

  • SHA1

    e130539aee3a44c1902016476eb9f4304976aa4d

  • SHA256

    3f76d69c552a61ab3d1207fb64ac3aecf812e98f99c5413a9472d59859c38077

  • SHA512

    53c571454bd46209555718f97cb4b35c4dce038e52ec2a4d6a8c9315bacf569259ee3c511fc8e26c42a15739a91f8988339610c34d322a0c44c38dc92c6c3e41

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

igwa

Decoy

listingswithalex.com

funtabse.com

aydenwalling.com

prochal.net

superfoodsnederland.com

moldluck.com

dianekgordon.store

regionalhomescommercial.com

mysecuritymadesimple.com

malwaremastery.com

kodaikeiko.com

jrzg996.com

agricurve.net

songlingjiu.com

virginianundahfishingclub.com

friendschance.com

pastelpresents.com

answertitles.com

survival-hunter.com

nxfddl.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Xloader Payload 5 IoCs
  • Sets service image path in registry 2 TTPs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Users\Admin\AppData\Local\Temp\MV ULTRASONIC_PDA$62,000.exe
      "C:\Users\Admin\AppData\Local\Temp\MV ULTRASONIC_PDA$62,000.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Users\Admin\AppData\Local\Temp\MV ULTRASONIC_PDA$62,000.exe
        "C:\Users\Admin\AppData\Local\Temp\MV ULTRASONIC_PDA$62,000.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3392
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
        PID:3504
      • C:\Windows\SysWOW64\cmmon32.exe
        "C:\Windows\SysWOW64\cmmon32.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3260
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\MV ULTRASONIC_PDA$62,000.exe"
          3⤵
            PID:2272
      • C:\Windows\System32\WaaSMedicAgent.exe
        C:\Windows\System32\WaaSMedicAgent.exe 7b714c6aafcaf72bf5172589b98c0161 usKK10gzFUaaKekVHlVCEA.0.1.0.0.0
        1⤵
        • Modifies data under HKEY_USERS
        PID:3264
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k wusvcs -p
        1⤵
          PID:2848

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Defense Evasion

        Modify Registry

        1
        T1112

        Discovery

        System Information Discovery

        1
        T1082

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\nss29D9.tmp\mhvofabkmab.dll
          MD5

          c7ccaa08597a1e093cda3a2f126f75e0

          SHA1

          4ded36dbe3b7a87752630c0e496378cf159a7632

          SHA256

          8be78073ef9fdcc6639e9fde21d313ad35de29b3e81e6cdb8e5d1fa2a89a19d8

          SHA512

          9dedc0bf6dd27964a70539782f291d334752eb2fbd386ba31c1e08d08cd7e1861e54d0ea2dfda332dcbcb614062dddd60cdc9b6def1388b8334c9c56faefaa6e

        • memory/2428-138-0x0000000008D90000-0x0000000008EE7000-memory.dmp
          Filesize

          1.3MB

        • memory/2428-143-0x0000000003760000-0x000000000382F000-memory.dmp
          Filesize

          828KB

        • memory/2428-135-0x00000000088A0000-0x0000000008987000-memory.dmp
          Filesize

          924KB

        • memory/3260-139-0x00000000004D0000-0x00000000004DC000-memory.dmp
          Filesize

          48KB

        • memory/3260-140-0x0000000002C00000-0x0000000002C29000-memory.dmp
          Filesize

          164KB

        • memory/3260-141-0x0000000002F90000-0x0000000004EDA000-memory.dmp
          Filesize

          31.3MB

        • memory/3260-142-0x0000000002F90000-0x0000000004EDA000-memory.dmp
          Filesize

          31.3MB

        • memory/3392-136-0x0000000000400000-0x0000000000429000-memory.dmp
          Filesize

          164KB

        • memory/3392-137-0x0000000000E90000-0x0000000000EA1000-memory.dmp
          Filesize

          68KB

        • memory/3392-134-0x0000000000510000-0x0000000000D7A000-memory.dmp
          Filesize

          8.4MB

        • memory/3392-133-0x0000000000510000-0x0000000000D7A000-memory.dmp
          Filesize

          8.4MB

        • memory/3392-131-0x0000000000400000-0x0000000000429000-memory.dmp
          Filesize

          164KB