Overview

overview

10

Static

static

SNO22 Pric...14.exe

windows7_x64

1

SNO22 Pric...14.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    20-01-2022 10:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SNO22 PriceLetter595406_RACX-159814.exe

  • Size

    373KB

  • MD5

    7692a9ecc1b4d092387cffe6faa8d762

  • SHA1

    37e70527d40c881115036ae2de66e3685d3a8f10

  • SHA256

    22c8527c55a52f56653e38bf1f2dbc8ccc06ab0f0ab16879138f30037b710b0a

  • SHA512

    e0c02c683d444ad442c1758113f875687df702402270dc7705b1b12c49e8c88e82b022f88f8d5a1767a43fdcf0f41a2bdbf281703b9dc97c322dd2cf68ff765a

Score
10/10
xloaderp8celoaderpersistenceratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

p8ce

Decoy

wishmeluck1.xyz

nawabumi.com

terra.fish

eoraipsumami.quest

awakeningyourid.com

csyein.com

tslsinteligentes.com

cataractusa.com

capitalwheelstogo.com

staffremotely.com

trashbinwasher.com

blaneyparkrendezvous.com

yolrt.com

northendtaproom.com

showgeini.com

b95206.com

almcpersonaltraining.com

lovabledoodleshome.com

woodlandstationcondos.com

nikahlive.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 2 IoCs
    rat
  • Sets service image path in registry 2 TTPs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Users\Admin\AppData\Local\Temp\SNO22 PriceLetter595406_RACX-159814.exe
      "C:\Users\Admin\AppData\Local\Temp\SNO22 PriceLetter595406_RACX-159814.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3644
      • C:\Users\Admin\AppData\Local\Temp\SNO22 PriceLetter595406_RACX-159814.exe
        "C:\Users\Admin\AppData\Local\Temp\SNO22 PriceLetter595406_RACX-159814.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:4040
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1432
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\SNO22 PriceLetter595406_RACX-159814.exe"
        3⤵
          PID:336
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
      1⤵
        PID:3164
      • C:\Windows\System32\WaaSMedicAgent.exe
        C:\Windows\System32\WaaSMedicAgent.exe 279abbe49442db908f67ea628b329132 u3pCchQsYkujnCz7FYwSeA.0.1.0.0.0
        1⤵
        • Modifies data under HKEY_USERS
        PID:1424
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k wusvcs -p
        1⤵
          PID:2916

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1432-314-0x0000000004D70000-0x0000000004E00000-memory.dmp
          Filesize

          576KB

          Download
        • memory/1432-313-0x0000000004F10000-0x000000000525A000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/1432-311-0x0000000000ED0000-0x0000000000EF7000-memory.dmp
          Filesize

          156KB

          Download
        • memory/1432-312-0x0000000000BC0000-0x0000000000BE9000-memory.dmp
          Filesize

          164KB

          Download
        • memory/2424-310-0x0000000007CB0000-0x0000000007DAD000-memory.dmp
          Filesize

          1012KB

          Download
        • memory/2424-315-0x0000000007BB0000-0x0000000007CA5000-memory.dmp
          Filesize

          980KB

          Download
        • memory/3644-133-0x00000000051E0000-0x00000000051EA000-memory.dmp
          Filesize

          40KB

          Download
        • memory/3644-305-0x0000000007990000-0x0000000007A2C000-memory.dmp
          Filesize

          624KB

          Download
        • memory/3644-134-0x0000000005090000-0x0000000005122000-memory.dmp
          Filesize

          584KB

          Download
        • memory/3644-130-0x0000000000720000-0x0000000000784000-memory.dmp
          Filesize

          400KB

          Download
        • memory/3644-132-0x0000000005130000-0x00000000051C2000-memory.dmp
          Filesize

          584KB

          Download
        • memory/3644-131-0x00000000057D0000-0x0000000005D74000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/4040-308-0x0000000000EB0000-0x000000000165A000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/4040-309-0x0000000000E40000-0x0000000000E51000-memory.dmp
          Filesize

          68KB

          Download
        • memory/4040-306-0x0000000000400000-0x0000000000429000-memory.dmp
          Filesize

          164KB

          Download