Analysis

  • max time kernel
    23s
  • max time network
    72s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    20-01-2022 11:07

General

  • Target

    scan doc_o1022111234.exe

  • Size

    285KB

  • MD5

    69ee93123716e7d21e0e527be980c22b

  • SHA1

    bb4b074dda0d143d36a6c4c572bd669be67fe0e5

  • SHA256

    3866d4f2f3fa6a3cdedd0b3e4704b438881b0a147e75eeddacaeea85e52c669a

  • SHA512

    36925cddedff3acb9a217ce35e8d676a46d76f5873471daf9e9cf512f2df5934fe263532b0ba789573fdc887eb211eee6cbe0988b8e22306d16ff211509c1edc

Score
10/10

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.5

  • Campaign

    cxep

  • Decoy

    estateglobal.info
    loransstore.com
    loginofy.com
    fjallravenz.online
    cefseguranca-app.com
    safontadiestramiento.com
    bubbleteapro.com
    morethanmummies.com
    serviciopersonalizadoweb.com
    headerbidder.info
    skworkforce.com
    heightsorthodontics.com
    chulavistapd.com
    southjerseyautobody.net
    chargedbygratitude.com
    meltingpotspot.com
    gdjiachen.com
    luckdrawprogram.com
    vintagepaseo.com
    bequestslojyh.xyz

    The extracted configuration labels all of these hosts as decoys. Formbook and Xloader C2 lists mix the real C2 host with decoy domains that the bot also contacts, and many decoys are legitimate sites, so treat this list as hunting leads rather than confirmed C2 infrastructure and do not assume the operator controls every domain in it.

Signatures

  • Xloader

    Xloader is a rebranded version of the Formbook information stealer (form grabber and credential stealer).

  • Xloader Payload 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox attaches a generic "likely ransomware behaviour" note to this signature; for an Xloader information stealer it is better read as host reconnaissance (mapped to System Information Discovery, T1082, below), and nothing else in this report shows file encryption.

  • Suspicious use of WriteProcessMemory 6 IoCs

    Taken together with SetThreadContext and the parent spawning a second copy of its own image (process tree below), this is consistent with the process-hollowing / self-injection pattern Formbook and Xloader loaders are known for: the loader writes the unpacked payload into a suspended child and redirects the child's main thread to the new entry point before resuming it.

Processes

  • C:\Users\Admin\AppData\Local\Temp\scan doc_o1022111234.exe
    "C:\Users\Admin\AppData\Local\Temp\scan doc_o1022111234.exe"
    (depth 1, PID 3996)
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\scan doc_o1022111234.exe
      "C:\Users\Admin\AppData\Local\Temp\scan doc_o1022111234.exe"
      (depth 2, child of PID 3996, PID 1316; same image as its parent)
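The process tree and the SetThreadContext / WriteProcessMemory signatures above are the observable side of process hollowing. The following detection logic is an added example written for this page (it is not the sandbox's code and does not come from the sample); it runs over a constructed key=value API trace modelled on the report's tree (PID 3996 spawning PID 1316) and flags a child when the creating parent issues CreateProcess* with CREATE_SUSPENDED, writes into the child, calls SetThreadContext, and then resumes it. The trace format, field names and the PROCESS_IMAGES map are this example's own assumptions.

```python
import re

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit for CreateProcess*

# Constructed API trace modelled on the report's process tree: PID 3996
# launches a second copy of its own image as PID 1316. The "key=value"
# format and field names are this example's own, not a real sandbox export.
# Thread-level calls (SetThreadContext, ResumeThread) are recorded against
# the PID owning the thread, as a sandbox that resolves handles would do.
SAMPLE_TRACE = r"""
pid=3996 api=CreateProcessW image="C:\Users\Admin\AppData\Local\Temp\scan doc_o1022111234.exe" flags=0x4 child_pid=1316
pid=3996 api=NtUnmapViewOfSection target_pid=1316 base=0x400000
pid=3996 api=VirtualAllocEx target_pid=1316 base=0x400000 size=0x29000 protect=0x40
pid=3996 api=WriteProcessMemory target_pid=1316 base=0x400000 size=0x400
pid=3996 api=WriteProcessMemory target_pid=1316 base=0x401000 size=0x1e000
pid=3996 api=SetThreadContext target_pid=1316 eip=0x40123c
pid=3996 api=ResumeThread target_pid=1316
pid=1316 api=GetSystemInfo
"""

# Image path of the parent, taken from the report's process tree (assumed map).
PROCESS_IMAGES = {
    3996: r"C:\Users\Admin\AppData\Local\Temp\scan doc_o1022111234.exe",
}

# key=value pairs; quoted values may contain spaces and backslashes.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_trace(text):
    """Parse key=value trace lines into dicts; hex and decimal become ints."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = {}
        for key, val in FIELD_RE.findall(line):
            if val.startswith('"'):
                val = val[1:-1]
            elif val.startswith("0x"):
                val = int(val, 16)
            elif val.isdigit():
                val = int(val)
            ev[key] = val
        events.append(ev)
    return events


def detect_hollowing(events, process_images):
    """Flag children whose lifecycle matches process hollowing.

    Required sequence, all issued by the creating parent against the child:
    CreateProcess* with CREATE_SUSPENDED -> WriteProcessMemory (payload)
    -> SetThreadContext (new entry point) -> ResumeThread.
    NtUnmapViewOfSection is optional; some loaders overwrite in place.
    """
    children = {}
    for ev in events:
        api = ev.get("api")
        if api in ("CreateProcessA", "CreateProcessW"):
            children[ev["child_pid"]] = {
                "parent": ev["pid"],
                "image": ev.get("image", ""),
                "suspended": bool(ev.get("flags", 0) & CREATE_SUSPENDED),
                "unmapped": False,
                "bytes_written": 0,
                "set_context": False,
                "resumed_after_context": False,
            }
            continue
        rec = children.get(ev.get("target_pid"))
        if rec is None or ev.get("pid") != rec["parent"]:
            continue  # only the creating parent's calls count
        if api == "NtUnmapViewOfSection":
            rec["unmapped"] = True
        elif api == "WriteProcessMemory":
            rec["bytes_written"] += ev.get("size", 0)
        elif api == "SetThreadContext" and rec["bytes_written"] > 0:
            rec["set_context"] = True  # entry point redirected after a write
        elif api == "ResumeThread" and rec["set_context"]:
            rec["resumed_after_context"] = True

    findings = []
    for child_pid, rec in children.items():
        if rec["suspended"] and rec["set_context"] and rec["resumed_after_context"]:
            findings.append({
                "parent": rec["parent"],
                "child": child_pid,
                "bytes_written": rec["bytes_written"],
                "unmapped": rec["unmapped"],
                # A parent re-launching its own image is the Formbook/Xloader habit.
                "self_image": rec["image"] == process_images.get(rec["parent"]),
            })
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(parse_trace(SAMPLE_TRACE), PROCESS_IMAGES):
        print(f"hollowing: {f['parent']} -> {f['child']} "
              f"({f['bytes_written']:#x} bytes written, self-image={f['self_image']})")
```

The ordering constraints matter more than the individual APIs: WriteProcessMemory alone is common in legitimate debuggers and installers, but a suspended child that receives writes, a new thread context and only then a ResumeThread, all from its own parent, is rarely benign. Requiring the write to precede SetThreadContext, and SetThreadContext to precede ResumeThread, keeps the rule from firing on ordinary CreateProcess plus ResumeThread sequences.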

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery: System Information Discovery, T1082 (1)


Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsxD0CC.tmp\uyhlelrjb.dll

    MD5

    3b2bf8df341ac6f0edfe50a1ae7ff555

    SHA1

    e9bdd7cbf9426b710c9ea60c36ee0b2183ebb602

    SHA256

    eace00923a15331adc6214d609b21328047a13ffdd4e14cc5e2e142241c156ad

    SHA512

    a127e8a748d8fa78b54e3cfbae47d147d93586f566b3d1a8a6cbc6e06df5f6ffdcc6abd61c4bf96d69b332f0646b90935fa2231d7be3cbfdd68975d387c9a6f1

    A DLL dropped into a randomly named ns....tmp directory under %TEMP% is the layout an NSIS installer uses for its plugin directory, so the sample is most likely an NSIS-packed loader; the dropped DLL (the "Loads dropped DLL" signature above) is likely the stage that unpacks and injects the Xloader payload. Hunt on the directory pattern and on the DLL hashes rather than on the random file name, which changes per build.

  • memory/1316-131-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    This region (0x400000 to 0x429000, 0x29000 bytes = 164KB) is the default PE image base of the child process PID 1316, the process the parent wrote into. It is the most likely match for the "Xloader Payload" signature above and the artefact to extract the configuration from; the 285KB file on disk is only the packed dropper.