Overview

overview

10

Static

static

1

SKM-973116...if.exe

windows7_x64

10

SKM-973116...if.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    15s
  • max time network
    77s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    20-01-2022 11:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SKM-973116391_PDF.pif.exe

  • Size

    297KB

  • MD5

    aefc9702ff5d6d9064ec8e5ea82e4870

  • SHA1

    716ad70dc07a6b7d3c46209de8627bf3f3535361

  • SHA256

    ef986fa9ac50432d1fc1be8e0ace872cbf28cf51d967d6d35647aa3f77acf94e

  • SHA512

    e5180f0d131111627300dd3b61abae59cf77e0d2a4aa50d9b22dec1c270a865caed5fa4130174930ae2810584c4169e9bf56a0b597401014737d60b250580b55

Score
10/10
xloaderuar3loaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

uar3

Decoy

sgadvocats.com

mjscannabus.com

hilldaley.com

ksdollhouse.com

hotgiftboutique.com

purebloodsmeet.com

relaunched.info

cap-glove.com

productcollection.store

fulikyy.xyz

remoteaviationjobs.com

bestcleancrystal.com

virtualorganizationpartner.com

bookgocar.com

hattuafhv.quest

makonigroup.com

officecom-myaccount.com

malgorzata-lac.com

e-learningeducators.com

hygilaur.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 1 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SKM-973116391_PDF.pif.exe
    "C:\Users\Admin\AppData\Local\Temp\SKM-973116391_PDF.pif.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Users\Admin\AppData\Local\Temp\SKM-973116391_PDF.pif.exe
      "C:\Users\Admin\AppData\Local\Temp\SKM-973116391_PDF.pif.exe"
      2⤵
        PID:3392

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\nsy94FC.tmp\qhkurpf.dll
      MD5

      4b585786f7c4954b6ec5fa47486c3e01

      SHA1

      def671ab058b9db6bb436c57be2ed88b8f80580c

      SHA256

      c553442735f0cf507ae1db7e5beb9dfd91e6e26759ba4b064cb284a684ed8aa9

      SHA512

      38585b0152d9a2d74ce47caaf1d2eb83e314e2930268ca607ad40352b10b5669fbb2fc4700d653e19273f01e66f54a71b0e543f5e707d94913ec92a69633c29a

      Download Submit
    • memory/3392-131-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download