Analysis

  • max time kernel
    91s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    30-01-2022 21:08

General

  • Target

    5ed4b0af136119c2bc78ca0cc3e0b58f77fbe72e9c7218d7c64f3caa2e5eda5e.exe

  • Size

    247KB

  • MD5

    05ff4e6e816ac6dec4dab71a9d3b18a5

  • SHA1

    7586520a0aa2b07c1f5035ac7cd37437f971d0ee

  • SHA256

    5ed4b0af136119c2bc78ca0cc3e0b58f77fbe72e9c7218d7c64f3caa2e5eda5e

  • SHA512

    d42c53b829f0bff34dca46a9c35c0be5cbeeeaa9dbadfdf04a134d9606d22c2cae1874810c21d6de1435f03991f2b84d43c014484e08177d2585d2366cd3cc7f

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

jdo2

Decoy

adopte-un-per.com

lmandarin.com

shonemurawni.quest

bantasis.com

jsdigitalekuns.net

hiddenroom.net

arungjerampangalengan.com

yinghongxw.com

buzzcupid.com

lattent.digital

faxtoemailguide.com

romanticfriryrose.com

ruleaou.com

mochiko-blog.com

sekireixploit.com

bcx-wiremesh.com

jobportalsg.com

wysspirit.com

iflycny.com

sh-cy17.com
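Hunting with this config, as an added example of my own rather than anything the sandbox report contains: the twenty extracted domains and the campaign id are matched against DNS and proxy log lines. The log lines are constructed for the example. Formbook-style configs mix the real C2 in with decoys and the extractor cannot tell them apart, so every entry is treated as an indicator. The `www.` prefix and the `/<campaign>/?` request path follow the usual Formbook/Xloader beacon shape and are an assumption here, not something this report shows (its Network section is empty).

```python
"""Hunt for Xloader beaconing with the domains pulled from the config.

Added example, not part of the sandbox report. DNS_LOG and PROXY_LOG are
constructed; the domain list and campaign id are the report's. The 'www.'
prefix and the '/<campaign>/?' path are assumed from the usual
Formbook/Xloader beacon, not taken from this report.
"""
import re
from collections import defaultdict

XLOADER_DOMAINS = {
    "adopte-un-per.com", "lmandarin.com", "shonemurawni.quest", "bantasis.com",
    "jsdigitalekuns.net", "hiddenroom.net", "arungjerampangalengan.com",
    "yinghongxw.com", "buzzcupid.com", "lattent.digital", "faxtoemailguide.com",
    "romanticfriryrose.com", "ruleaou.com", "mochiko-blog.com", "sekireixploit.com",
    "bcx-wiremesh.com", "jobportalsg.com", "wysspirit.com", "iflycny.com", "sh-cy17.com",
}
CAMPAIGN = "jdo2"

# Constructed log lines: "<ts> <client> <query> <qtype>" and
# "<ts> <client> <method> <url> <status>".
DNS_LOG = """\
1643576900.101 10.0.0.5 www.lmandarin.com A
1643576901.204 10.0.0.5 www.hiddenroom.net A
1643576902.330 10.0.0.7 www.microsoft.com A
1643576903.412 10.0.0.5 ruleaou.com. A
1643576904.550 10.0.0.9 WWW.IFLYCNY.COM A
"""
PROXY_LOG = """\
1643576905.000 10.0.0.5 GET http://www.lmandarin.com/jdo2/?Rvk=ZmFrZQ== 404
1643576906.000 10.0.0.7 GET http://www.example.com/index.html 200
1643576907.000 10.0.0.9 GET http://www.iflycny.com/news/ 200
"""

URL_RE = re.compile(r"https?://([^/\s]+)(/[^\s?]*)?")


def normalize(fqdn):
    """Lower-case, drop a trailing dot and a leading 'www.' so a queried
    name compares against the bare domains in the config."""
    name = fqdn.lower().rstrip(".")
    return name[4:] if name.startswith("www.") else name


def match_dns(log):
    """Return {client: set of config domains it resolved}."""
    hits = defaultdict(set)
    for line in log.splitlines():
        _ts, host, query, _qtype = line.split()
        domain = normalize(query)
        if domain in XLOADER_DOMAINS:
            hits[host].add(domain)
    return dict(hits)


def match_proxy(log):
    """Return (client, domain, campaign_path) for requests to config domains.
    campaign_path is True when the first path segment is the campaign id."""
    out = []
    for line in log.splitlines():
        _ts, host, _method, url, _status = line.split()
        m = URL_RE.match(url)
        if not m:
            continue
        domain = normalize(m.group(1))
        if domain not in XLOADER_DOMAINS:
            continue
        first_segment = (m.group(2) or "/").strip("/").split("/")[0]
        out.append((host, domain, first_segment == CAMPAIGN))
    return out


def suspicious_hosts(dns_log, proxy_log, min_domains=2):
    """Clients worth isolating: any campaign-path request, or resolution of at
    least min_domains distinct config domains. A single resolution is kept
    below the bar because decoy entries can be ordinary sites."""
    flagged = {h for h, _d, is_campaign in match_proxy(proxy_log) if is_campaign}
    flagged |= {h for h, ds in match_dns(dns_log).items() if len(ds) >= min_domains}
    return flagged


if __name__ == "__main__":
    print(match_dns(DNS_LOG))
    print(match_proxy(PROXY_LOG))
    print(suspicious_hosts(DNS_LOG, PROXY_LOG))
```

The threshold in `suspicious_hosts` is the practical knob: a host that walks through several of these domains in a short window is beaconing, while one lookup of a single domain is not enough on its own.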

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 1 IoCs
  • Sets service image path in registry 2 TTPs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature says "likely ransomware behaviour"; Xloader is an information stealer, so in this sample the drive enumeration is host reconnaissance, not a prelude to encryption.

  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ed4b0af136119c2bc78ca0cc3e0b58f77fbe72e9c7218d7c64f3caa2e5eda5e.exe
    "C:\Users\Admin\AppData\Local\Temp\5ed4b0af136119c2bc78ca0cc3e0b58f77fbe72e9c7218d7c64f3caa2e5eda5e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Users\Admin\AppData\Local\Temp\5ed4b0af136119c2bc78ca0cc3e0b58f77fbe72e9c7218d7c64f3caa2e5eda5e.exe
      "C:\Users\Admin\AppData\Local\Temp\5ed4b0af136119c2bc78ca0cc3e0b58f77fbe72e9c7218d7c64f3caa2e5eda5e.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3220
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 8dc75277e4cd37b4f94d8bfe5325d154 NZEgRxQceUqaoGTnPodVoA.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:2536
    (Windows Update Medic agent started by the OS during the analysis window; it is not a child of the sample, so its HKEY_USERS writes are background noise rather than malware activity.)
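Turning the tree above into a detection, as an added example that is mine and not part of the sandbox report: the sample spawns a second copy of itself from %TEMP%, the parent shows SetThreadContext and WriteProcessMemory, and the parent also loads the dropped DLL. The records below are constructed in the shape of Sysmon Event ID 1 (ProcessCreate), 10 (ProcessAccess) and 7 (ImageLoad); the image paths and PIDs are the report's, every other field value is invented. Sysmon does not record SetThreadContext, so the visible trace of the injection is the parent opening the child with PROCESS_VM_WRITE and PROCESS_VM_OPERATION, the rights WriteProcessMemory needs.

```python
"""Triage the process tree: a self-spawned child in %TEMP% that the parent
opened for memory writes, plus a DLL loaded from the NSIS plugin directory.

Added example, not code from the sandbox report. Records follow Sysmon
field names (EID 1, 10, 7); paths and PIDs are from the report, the
remaining values (parent PIDs, access masks, timestamps) are invented.
"""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\5ed4b0af136119c2bc78ca0cc3e0b58f77fbe72e9c7218d7c64f3caa2e5eda5e.exe")
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# NSIS extracts plugin DLLs to %TEMP%\ns<id>.tmp\ before loading them.
NSIS_PLUGIN_RE = re.compile(r"\\Temp\\ns[0-9a-z]+\.tmp\\[^\\]+\.dll$", re.IGNORECASE)
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

PROCESS_CREATE = [  # Sysmon EID 1 (constructed)
    {"ProcessId": 1864, "Image": SAMPLE,
     "ParentProcessId": 4012, "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 3220, "Image": SAMPLE,
     "ParentProcessId": 1864, "ParentImage": SAMPLE},
    {"ProcessId": 2536, "Image": r"C:\Windows\System32\WaaSMedicAgent.exe",
     "ParentProcessId": 1012, "ParentImage": r"C:\Windows\System32\svchost.exe"},
]
PROCESS_ACCESS = [  # Sysmon EID 10 (constructed): 0x1FFFFF is PROCESS_ALL_ACCESS
    {"SourceProcessId": 1864, "TargetProcessId": 3220, "GrantedAccess": 0x1FFFFF},
    {"SourceProcessId": 1012, "TargetProcessId": 2536, "GrantedAccess": 0x1000},
]
IMAGE_LOAD = [  # Sysmon EID 7 (constructed)
    {"ProcessId": 1864,
     "ImageLoaded": r"C:\Users\Admin\AppData\Local\Temp\nsd7857.tmp\mxmlndo.dll"},
    {"ProcessId": 1864, "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]


def _same_path(a, b):
    return a.lower() == b.lower()


def find_self_injection(creates, accesses):
    """Children whose image equals the parent's and lives under %TEMP%,
    annotated with whether the parent opened them with write rights."""
    hits = []
    for ev in creates:
        if not _same_path(ev["Image"], ev["ParentImage"]):
            continue
        if not TEMP_DIR_RE.search(ev["Image"]):
            continue
        wrote = any(
            a["SourceProcessId"] == ev["ParentProcessId"]
            and a["TargetProcessId"] == ev["ProcessId"]
            and (a["GrantedAccess"] & WRITE_MASK) == WRITE_MASK
            for a in accesses
        )
        hits.append({"parent": ev["ParentProcessId"], "child": ev["ProcessId"],
                     "image": ev["Image"], "memory_write": wrote})
    return hits


def find_nsis_plugin_loads(loads):
    """(pid, path) for every DLL loaded out of an NSIS ns*.tmp directory."""
    return [(ev["ProcessId"], ev["ImageLoaded"])
            for ev in loads if NSIS_PLUGIN_RE.search(ev["ImageLoaded"])]


if __name__ == "__main__":
    for hit in find_self_injection(PROCESS_CREATE, PROCESS_ACCESS):
        print("self-injection candidate:", hit)
    for pid, dll in find_nsis_plugin_loads(IMAGE_LOAD):
        print("NSIS plugin load:", pid, dll)
```

The WaaSMedicAgent.exe record is deliberately present so the rule has something benign to ignore: its image and parent image differ, and the access it receives carries no write rights.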

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

1
T1082


Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsd7857.tmp\mxmlndo.dll (the ns*.tmp directory is where an NSIS installer unpacks its plugin DLLs; this is the dropped DLL loaded by PID 1864)
    MD5

    344382794ed9995b500c3927e8c96d3b

    SHA1

    3b959a00909af7c9c914488a4ac14b846df11c0b

    SHA256

    11b1c7caae358a83745d4a3efc75f042aa4464029f209e1e58ff55809ba45c1d

    SHA512

    eecc5fc5e9c554ed7b452d929386b0e9f6dbd23e9ba958b30ee7a5bb2056778014f10ecbdb314cb977549210d3cb1490530a5b30935efc4382d75a26594f0abd

  • memory/3220-131-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB