Overview

overview

10

Static

static

dc06649db7...dd.exe

windows7_x64

10

dc06649db7...dd.exe

windows10_x64

10

Analysis

  • max time kernel
    122s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    26-01-2022 14:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dc06649db7eafdb332b7d8f2adb2ebdd.exe

  • Size

    810KB

  • MD5

    dc06649db7eafdb332b7d8f2adb2ebdd

  • SHA1

    a1179b64bcc678631108c8b16ec297838e8499fb

  • SHA256

    ae0d62b6b0dd86dd84bd8b67de7dc40130139b8a3be6e5f4c5acea86142a5da3

  • SHA512

    7d1da393a50faf546cbc023183618254e82362bdaf88e88b21793b4c5279642f1418e1dfa0c4949c654aea38f2e8a91f6b6acc1b07dc0be7fcc25b939679ae50

Score
10/10
xloadernt3floaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

nt3f

Decoy

tricyclee.com

kxsw999.com

wisteria-pavilion.com

bellaclancy.com

promissioskincare.com

hzy001.xyz

checkouthomehd.com

soladere.com

point4sales.com

socalmafia.com

libertadysarmiento.online

nftthirty.com

digitalgoldcryptostock.net

tulekiloscaird.com

austinfishandchicken.com

wlxxch.com

mgav51.xyz

landbanking.global

saprove.com

babyfaces.skin

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc06649db7eafdb332b7d8f2adb2ebdd.exe
    "C:\Users\Admin\AppData\Local\Temp\dc06649db7eafdb332b7d8f2adb2ebdd.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:740
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FdsdzRAs.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1736
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FdsdzRAs" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD78A.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:568
    • C:\Users\Admin\AppData\Local\Temp\dc06649db7eafdb332b7d8f2adb2ebdd.exe
      "C:\Users\Admin\AppData\Local\Temp\dc06649db7eafdb332b7d8f2adb2ebdd.exe"
      2⤵
        PID:2012
      • C:\Users\Admin\AppData\Local\Temp\dc06649db7eafdb332b7d8f2adb2ebdd.exe
        "C:\Users\Admin\AppData\Local\Temp\dc06649db7eafdb332b7d8f2adb2ebdd.exe"
        2⤵
          PID:2000
        • C:\Users\Admin\AppData\Local\Temp\dc06649db7eafdb332b7d8f2adb2ebdd.exe
          "C:\Users\Admin\AppData\Local\Temp\dc06649db7eafdb332b7d8f2adb2ebdd.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1812

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmpD78A.tmp
        MD5

        fded1d7b2a5b1f657bd79957c6cfd5aa

        SHA1

        b0ecf21c1cbd1a8b70a8277517caf1ce97c4948a

        SHA256

        7b9f596f2deacd19ea898bf32fbf0868278d512a46533af03e1fcf36e8e67c2f

        SHA512

        055a8c4c15fe014e47065e34e2667eff62cf99d54062d20f762f542a682a364ccd96a55b3d4ec4b5419210eab271ff2cde7f8ce3650fe5da2223af230e5080cf

        Download Submit
      • memory/740-54-0x00000000001D0000-0x00000000002A2000-memory.dmp
        Filesize

        840KB

        Download
      • memory/740-55-0x0000000076041000-0x0000000076043000-memory.dmp
        Filesize

        8KB

        Download
      • memory/740-56-0x00000000050A0000-0x00000000050A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/740-57-0x0000000000370000-0x000000000037C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/740-58-0x0000000004B00000-0x0000000004B62000-memory.dmp
        Filesize

        392KB

        Download
      • memory/1736-66-0x0000000002480000-0x00000000030CA000-memory.dmp
        Filesize

        12.3MB

        Download
      • memory/1736-67-0x0000000002480000-0x00000000030CA000-memory.dmp
        Filesize

        12.3MB

        Download
      • memory/1736-68-0x0000000002480000-0x00000000030CA000-memory.dmp
        Filesize

        12.3MB

        Download
      • memory/1812-64-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

        Download
      • memory/1812-63-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

        Download
      • memory/1812-65-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

        Download