Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    23-01-2022 23:56

General

  • Target
    28a107f37e75bafd9fd49ac3ed8745d676d04d2bd5bfea8f926f04a2f393cd51.exe
  • Size
    441KB
  • MD5
    f71bfac229c8d64d9c18cb777e348f14
  • SHA1
    1e91e3daa8f78813368040afbfa154284ed54e3d
  • SHA256
    28a107f37e75bafd9fd49ac3ed8745d676d04d2bd5bfea8f926f04a2f393cd51
  • SHA512
    a3bc2381a1fc467795d06937716a33c69d45797325c48c5d947416c64e9346218043737a60ab7844e68013415fd02d412e5e290d7c2e7beddb5f0224af5776d9

Score
10/10

Malware Config

Extracted

  • Family
    xloader
  • Version
    2.5
  • Campaign
    pnug

Decoy

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\28a107f37e75bafd9fd49ac3ed8745d676d04d2bd5bfea8f926f04a2f393cd51.exe (PID 3580)
    Command line: "C:\Users\Admin\AppData\Local\Temp\28a107f37e75bafd9fd49ac3ed8745d676d04d2bd5bfea8f926f04a2f393cd51.exe"
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\28a107f37e75bafd9fd49ac3ed8745d676d04d2bd5bfea8f926f04a2f393cd51.exe (PID 652, child of PID 3580)
      Command line: "C:\Users\Admin\AppData\Local\Temp\28a107f37e75bafd9fd49ac3ed8745d676d04d2bd5bfea8f926f04a2f393cd51.exe"
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery
    • System Information Discovery (T1082): 1

Downloads

  • \Users\Admin\AppData\Local\Temp\nsx86A.tmp\axpkk.dll
    MD5
    c89f99953ab2fa059c15f14b85b5d3be
    SHA1
    688be2dbc7035ec165205d0aa4d9c3f6bfe5fa2d
    SHA256
    1d92062cc9853399967cace0559ef172a6704219bda438f4c9b353f506e6c60f
    SHA512
    947e06962dc19178ee3c1d88490e88c382cbdb06ca6a804364306b6b16368f041ec06884983248ef991b6a341df5724928aad70e5153d5d8f7c92eb7d384429d

  • memory/652-117-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize
    164KB
  • memory/652-118-0x0000000000B80000-0x0000000000EA0000-memory.dmp
    Filesize
    3.1MB
  • memory/3580-116-0x0000000002270000-0x0000000002293000-memory.dmp
    Filesize
    140KB