Analysis

  • max time kernel
    154s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    28-01-2022 12:38

General

  • Target

    HIRE SOA FOR DEC_2021.exe

  • Size

    247KB

  • MD5

    d8af2363d5a46336733b6121c0b4cf0e

  • SHA1

    fcb0ee44436230d924b2550fc9935ee76f2498fe

  • SHA256

    2a4415721925c12ce8a80719697ffbda5daf88fe34804b0549bc5d5605790cdb

  • SHA512

    e34f724dc4a7837ff86ed5d5214e1ed22e5643bbd45f881066b05b4ae4766a6330a48db8e4ef8dcee9ca8bf5ace43d987a667f62ea086992d2ff1ee24875889d

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

cxep

Decoy

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 3 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 64 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 10 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1424
    • C:\Users\Admin\AppData\Local\Temp\HIRE SOA FOR DEC_2021.exe
      "C:\Users\Admin\AppData\Local\Temp\HIRE SOA FOR DEC_2021.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1956
      • C:\Users\Admin\AppData\Local\Temp\HIRE SOA FOR DEC_2021.exe
        "C:\Users\Admin\AppData\Local\Temp\HIRE SOA FOR DEC_2021.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1196
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
        PID:676
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\SysWOW64\msiexec.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:988
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\HIRE SOA FOR DEC_2021.exe"
          3⤵
          • Deletes itself
          PID:1920
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\nmdcx8dorpuxth4.txt
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:1744
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ab.txt
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:1432

    Network

MITRE ATT&CK Matrix (ATT&CK v6)

    • Persistence: Registry Run Keys / Startup Folder (T1060), 1 technique
    • Defense Evasion: Modify Registry (T1112), 1 technique
    • Discovery: System Information Discovery (T1082), 1 technique

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\ab.txt
      MD5

      e66b15aa06214e6d88ecf31208bf636b

      SHA1

      4ecd3fbcd14c48bbee63d8b73de26ce2c5c4fc42

      SHA256

      cb56d5562dfc52d2a9c672b2000e434d9b4ba5b63e679fc76018c86d4328e68a

      SHA512

      555bda57ea973ba918337d61ee159fc64b7528708309a4a8130c90eca9a92d418fdfbd1ab7f7927daf8bfb2a56ae14318da351a63d1b85d7df1a1017ec5d04b7

    • C:\Users\Admin\AppData\Local\Temp\nmdcx8dorpuxth4
      MD5

      19a6d15c584c7ced29c4be7b6e5c8310

      SHA1

      cbe7a6a76aa53eb978275231e80552b9c7150d6d

      SHA256

      26d815e0d2f66777dd1ed59fac4fda402951e67b530183ef7f16e0a87e440607

      SHA512

      93ad0baf26dc907821cc3df6eab9b0293213efb9a9c8646dcba80c2aebb06a70d0a4e175fb907a8cae38707e96fc6552805b33f8766124c74595896e85813912

    • C:\Users\Admin\AppData\Local\Temp\nmdcx8dorpuxth4.txt
      MD5

      19a6d15c584c7ced29c4be7b6e5c8310

      SHA1

      cbe7a6a76aa53eb978275231e80552b9c7150d6d

      SHA256

      26d815e0d2f66777dd1ed59fac4fda402951e67b530183ef7f16e0a87e440607

      SHA512

      93ad0baf26dc907821cc3df6eab9b0293213efb9a9c8646dcba80c2aebb06a70d0a4e175fb907a8cae38707e96fc6552805b33f8766124c74595896e85813912

    • C:\Users\Admin\AppData\Local\Temp\yyyvokmb
      MD5

      e66b15aa06214e6d88ecf31208bf636b

      SHA1

      4ecd3fbcd14c48bbee63d8b73de26ce2c5c4fc42

      SHA256

      cb56d5562dfc52d2a9c672b2000e434d9b4ba5b63e679fc76018c86d4328e68a

      SHA512

      555bda57ea973ba918337d61ee159fc64b7528708309a4a8130c90eca9a92d418fdfbd1ab7f7927daf8bfb2a56ae14318da351a63d1b85d7df1a1017ec5d04b7

    • \Users\Admin\AppData\Local\Temp\nsd5BD.tmp\sdxajjgxerh.dll
      MD5

      0bccdbf53def482e16174cd6488e0ced

      SHA1

      b33612410abdbc5644292052c943ef5cc21f73a2

      SHA256

      da9cdfe0680a235bc1ef297eaa6cf5723f34b95a043700e8ace1bd8c24ce974c

      SHA512

      68b4d0fe21b58486fc07b53f57b75fe509e858fafdd79b300dfb93e521cb2400693a3f18ae8ad941bfddca88fa6941abf0b83d373ca7da8c530254d8e9905846

    • memory/676-56-0x000007FEFBE11000-0x000007FEFBE13000-memory.dmp
      Filesize

      8KB

    • memory/988-71-0x00000000023A0000-0x00000000026A3000-memory.dmp
      Filesize

      3.0MB

    • memory/988-72-0x0000000000C20000-0x0000000000CB0000-memory.dmp
      Filesize

      576KB

    • memory/988-70-0x00000000000F0000-0x0000000000119000-memory.dmp
      Filesize

      164KB

    • memory/988-69-0x0000000000F80000-0x0000000000F94000-memory.dmp
      Filesize

      80KB

    • memory/1196-60-0x00000000008B0000-0x0000000000BB3000-memory.dmp
      Filesize

      3.0MB

    • memory/1196-66-0x00000000004C0000-0x00000000004D1000-memory.dmp
      Filesize

      68KB

    • memory/1196-61-0x0000000000480000-0x0000000000491000-memory.dmp
      Filesize

      68KB

    • memory/1196-63-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

    • memory/1196-58-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

    • memory/1424-67-0x0000000007DB0000-0x0000000007EBE000-memory.dmp
      Filesize

      1.1MB

    • memory/1424-62-0x0000000007B00000-0x0000000007C31000-memory.dmp
      Filesize

      1.2MB

    • memory/1424-73-0x0000000007DB0000-0x0000000009106000-memory.dmp
      Filesize

      19.3MB

    • memory/1956-54-0x0000000075431000-0x0000000075433000-memory.dmp
      Filesize

      8KB

    • memory/1956-57-0x00000000003E0000-0x00000000003E2000-memory.dmp
      Filesize

      8KB