Analysis

  • max time kernel
    77s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    28-01-2022 06:26

General

  • Target

    9af4d9ef8b2a850854ae23411d44d3603147c26898bca1010fd2f9b16f6d456e.exe

  • Size

    248KB

  • MD5

    c2ca2ba9c38eb02217588662717ba6c3

  • SHA1

    8a897f24d2e564af2c2fcc272ab0cfbef10611b5

  • SHA256

    9af4d9ef8b2a850854ae23411d44d3603147c26898bca1010fd2f9b16f6d456e

  • SHA512

    7c7a80f37013b8b5fe27e0c9c3144884abde6ca49484c3e8c6cc78daa9f3b6ac890577247223e7d4875b865244e8732840c6a47170fbe2c7f27406ba4c8f52a6

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

b80i

Decoy

yixuan5.com

jiazheng369.com

danielleefelipe.net

micorgas.com

uvywah.com

nbjcgl.com

streets4suites.com

hempgotas.com

postmoon.xyz

gaboshoes.com

pastodwes.com

libes.asia

damusalama.com

youngliving1.com

mollyagee.com

branchwallet.com

seebuehnegoerlitz.com

inventors.community

teentykarm.quest

927291.com
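The extracted config above is useful for hunting only if it is read correctly: Formbook/Xloader configs embed a list of domains of which most are decoys, and the implant beacons to a subset of them alongside the real C2, so a single DNS hit on one of these names is a lead to corroborate with host telemetry, not proof of C2 traffic. The following added example (not part of the sandbox report) parses the report's "Extracted" block verbatim into a hunting set and runs it over a few constructed DNS log lines, matching on label boundaries so that a lookalike such as notyixuan5.com does not match yixuan5.com. The campaign-id URI marker is an assumption based on public Formbook reporting, not something this report states.

```python
"""Turn the extracted Xloader config into a hunting set and match DNS logs.

Added example, not sandbox output. EXTRACTED_CONFIG is copied from the
report's "Extracted" block; SAMPLE_DNS_LOG is constructed.
"""
import json
import re
from typing import Optional

CONFIG_KEYS = ("Family", "Version", "Campaign", "Decoy")

# Verbatim copy of the report's key-then-values layout.
EXTRACTED_CONFIG = """\
Family
xloader
Version
2.5
Campaign
b80i
Decoy
yixuan5.com
jiazheng369.com
danielleefelipe.net
micorgas.com
uvywah.com
nbjcgl.com
streets4suites.com
hempgotas.com
postmoon.xyz
gaboshoes.com
pastodwes.com
libes.asia
damusalama.com
youngliving1.com
mollyagee.com
branchwallet.com
seebuehnegoerlitz.com
inventors.community
teentykarm.quest
927291.com
"""

# Constructed DNS log lines: <timestamp> <client> <qtype> <query>.
SAMPLE_DNS_LOG = """\
2022-01-28T06:27:01Z 10.0.0.5 A www.yixuan5.com
2022-01-28T06:27:02Z 10.0.0.5 A notyixuan5.com
2022-01-28T06:27:03Z 10.0.0.5 A www.microsoft.com
2022-01-28T06:27:04Z 10.0.0.5 A postmoon.xyz.
"""
DNS_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_extracted_config(text: str) -> dict:
    """A key line selects the current field; following lines are its values."""
    config = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in CONFIG_KEYS:
            current = line
            config.setdefault(current, [])
        elif current is not None:
            config[current].append(line)
    return config


def normalize_domain(name: str) -> str:
    return name.strip().rstrip(".").lower()


def build_hunting_set(config: dict) -> dict:
    campaign = config["Campaign"][0]
    return {
        "family": config["Family"][0].lower(),
        "version": config["Version"][0],
        "campaign": campaign,
        "domains": frozenset(normalize_domain(d) for d in config["Decoy"]),
        # Assumption from public Formbook/Xloader reporting, not from this report:
        # the campaign id appears as the beacon's URI path segment.
        "uri_marker": f"/{campaign}/",
    }


def domain_matches(query: str, domains) -> Optional[str]:
    """Return the config domain that `query` equals or is a subdomain of."""
    labels = normalize_domain(query).split(".")
    for i in range(len(labels)):           # walk label boundaries only
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def match_dns(log_text: str, hunting_set: dict) -> list:
    hits = []
    for line in log_text.splitlines():
        m = DNS_LINE.match(line.strip())
        if not m:
            continue
        ts, src, _qtype, query = m.groups()
        matched = domain_matches(query, hunting_set["domains"])
        if matched:
            hits.append({"ts": ts, "src": src, "query": normalize_domain(query),
                         "config_domain": matched,
                         "note": "domain from xloader config; may be a decoy, corroborate on host"})
    return hits


HUNTING_SET = build_hunting_set(parse_extracted_config(EXTRACTED_CONFIG))

if __name__ == "__main__":
    print(json.dumps({**HUNTING_SET, "domains": sorted(HUNTING_SET["domains"])}, indent=2))
    for hit in match_dns(SAMPLE_DNS_LOG, HUNTING_SET):
        print(hit)
```

Feed the real DNS or proxy log in place of SAMPLE_DNS_LOG; a host that resolves several of these names in a short window, combined with the self-injection chain in the process tree, is the signal worth escalating, whereas a single hit on one domain may simply be a decoy that a legitimate user happened to visit.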

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 1 IoCs
  • Sets service image path in registry 2 TTPs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this "likely ransomware behaviour", but that is a generic heuristic: for an information stealer such as Xloader, drive enumeration is better read as system fingerprinting, which is how the ATT&CK matrix below maps it (T1082, System Information Discovery).

  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9af4d9ef8b2a850854ae23411d44d3603147c26898bca1010fd2f9b16f6d456e.exe
    "C:\Users\Admin\AppData\Local\Temp\9af4d9ef8b2a850854ae23411d44d3603147c26898bca1010fd2f9b16f6d456e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2436
    • C:\Users\Admin\AppData\Local\Temp\9af4d9ef8b2a850854ae23411d44d3603147c26898bca1010fd2f9b16f6d456e.exe
      "C:\Users\Admin\AppData\Local\Temp\9af4d9ef8b2a850854ae23411d44d3603147c26898bca1010fd2f9b16f6d456e.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3296
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 2fa5c967f1ce28aacf419a7d1978af73 omc2//L2GE+ip2xL58nQkA.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:804
    WaaSMedicAgent.exe is the Windows Update Medic Service agent, a stock Windows component. It sits at the top level of the tree rather than under the sample, so its 41 HKEY_USERS writes are background OS activity that fell inside the analysis window and should not be attributed to the sample.
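The tree above shows the classic Formbook/Xloader self-injection chain: the dropped executable (PID 2436) launches a second copy of itself (PID 3296) and then uses WriteProcessMemory and SetThreadContext against it, after which only the child shows payload behaviour (process enumeration). The added example below (not sandbox output) encodes that pattern as a detection rule and runs it over constructed process-creation and API events modelled on the report; the parent PID of 2436 and the API event format are assumptions, and WaaSMedicAgent.exe is included to show that unrelated registry activity is not flagged.

```python
"""Flag a process that spawns a copy of itself and injects into it.

Added example, not sandbox output. Events are constructed to mirror the
report's tree (2436 -> 3296, plus the unrelated WaaSMedicAgent.exe); in a
real pipeline they would come from Sysmon event 1 plus an API monitor.
"""
from collections import defaultdict

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\9af4d9ef8b2a850854ae23411d44d3603147c26898bca1010fd2f9b16f6d456e.exe")

# Constructed process-creation events. ppid 1234 for the dropper is assumed.
PROCESS_EVENTS = [
    {"pid": 2436, "ppid": 1234, "image": SAMPLE_EXE},
    {"pid": 3296, "ppid": 2436, "image": SAMPLE_EXE},
    {"pid": 804,  "ppid": 800,  "image": r"C:\Windows\System32\WaaSMedicAgent.exe"},
]

# Constructed API events: caller pid, API name, pid the handle points at.
API_EVENTS = [
    {"pid": 2436, "api": "WriteProcessMemory",       "target_pid": 3296},
    {"pid": 2436, "api": "SetThreadContext",         "target_pid": 3296},
    {"pid": 2436, "api": "ResumeThread",             "target_pid": 3296},
    {"pid": 3296, "api": "CreateToolhelp32Snapshot", "target_pid": 3296},
    {"pid": 804,  "api": "RegSetValueExW",           "target_pid": 804},
]

# Cross-process use of any of these is part of a hollowing/injection chain.
INJECTION_APIS = {"WriteProcessMemory", "SetThreadContext",
                  "NtUnmapViewOfSection", "ResumeThread"}
# Both of these are required before raising the high-confidence verdict.
REQUIRED_APIS = {"WriteProcessMemory", "SetThreadContext"}


def user_writable(path: str) -> bool:
    """True for the locations a freshly dropped sample usually runs from."""
    p = path.lower()
    return ("\\appdata\\local\\temp\\" in p or "\\users\\public\\" in p
            or "\\downloads\\" in p)


def find_self_hollowing(process_events, api_events):
    by_pid = {e["pid"]: e for e in process_events}
    cross = defaultdict(set)                      # (caller, target) -> APIs used
    for ev in api_events:
        if ev["api"] in INJECTION_APIS and ev["target_pid"] != ev["pid"]:
            cross[(ev["pid"], ev["target_pid"])].add(ev["api"])

    alerts = []
    for (caller, target), apis in cross.items():
        parent, child = by_pid.get(caller), by_pid.get(target)
        if parent is None or child is None:
            continue
        if child["ppid"] != caller:
            continue        # injection into an unrelated process: a different rule
        if parent["image"].lower() != child["image"].lower():
            continue        # not a copy of itself
        if not REQUIRED_APIS <= apis:
            continue
        alerts.append({
            "parent_pid": caller,
            "child_pid": target,
            "image": parent["image"],
            "apis": sorted(apis),
            "from_user_writable_path": user_writable(parent["image"]),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_self_hollowing(PROCESS_EVENTS, API_EVENTS):
        print(alert)
```

The same-image check is what keeps this rule quiet on legitimate software: browsers and installers write into child processes too, but a child that is a byte-identical copy of a parent running from %TEMP%, resumed only after its thread context has been rewritten, is the hollowing signature and not normal behaviour.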

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (T1060; retired in later ATT&CK versions in favour of T1547.001): 1
  • Defense Evasion: Modify Registry (T1112): 1
  • Discovery: System Information Discovery (T1082): 1


Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsvA6FD.tmp\npsx.dll
    The ns*.tmp directory is the scratch folder an NSIS installer extracts its plugins into, so the 248KB outer executable is an NSIS package and npsx.dll is the plugin it unpacks and loads (the "Loads dropped DLL" signature on PID 2436).
    MD5

    ff94ac3a49e4c0bcdf0c1fe9730293d9

    SHA1

    2f81d5b8ec6515fbdfa099eabb0babf9d6c40b97

    SHA256

    4d2a5f508e4d6a54d71af82fcea978527cdd216423fb050457dfeb4db581178f

    SHA512

    01f8bc3ac735473c60e842d76d282f4859fd9fecada580bffc629a8127a821a0839ed832143c7034b3a1e3dfca9561841626f0b8fbe582cb6a0e7dab453a5a16

  • memory/2436-132-0x0000000002280000-0x0000000002284000-memory.dmp
    Filesize

    16KB

  • memory/3296-131-0x0000000000400000-0x0000000000429000-memory.dmp
    This region in the child (PID 3296) starts at 0x400000, the default image base of a 32-bit PE, and is the process the parent wrote to via WriteProcessMemory/SetThreadContext; it is the dump to examine for the unpacked Xloader payload.
    Filesize

    164KB