Overview

overview

10

Static

static

DHL Delive...ts.exe

windows7_x64

10

DHL Delive...ts.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    31-01-2022 15:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DHL Delivery Documents.exe

  • Size

    78KB

  • MD5

    94743aae8b0eb58bf9849035dc640b3c

  • SHA1

    089f398df4eb9cf0511038cff177ecd3fbc9715c

  • SHA256

    b34bc888551b9a603edf76a356a4c0fc290fac420d3c6df0decd0916970bfb9b

  • SHA512

    23b72e99ec9ad81a97d3b4902c020c7f27b3b156ca81bc5c818f9ecd88b40f6cfb3b9b436511e952de31a9c7841cf80e9019c0ad2a54d075ba5f1bf7e9e562b0

Score
10/10
xloaderzqzwloaderpersistencerat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

zqzw

Decoy

laurentmathieu.com

nohohonndana.com

hhmc.info

shophallows.com

blazebunk.com

goodbridge.xyz

flakycloud.com

bakermckenziegroups.com

formation-adistance.com

lovingearthbotanicals.com

tbrservice.plus

heritagehousehotels.com

drwbuildersco.com

lacsghb.com

wain3x.com

dadreview.club

continiutycp.com

cockgirls.com

48mpt.xyz

033skz.xyz

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Sets service image path in registry 2 TTPs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Users\Admin\AppData\Local\Temp\DHL Delivery Documents.exe
      "C:\Users\Admin\AppData\Local\Temp\DHL Delivery Documents.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3504
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:320
    • C:\Windows\SysWOW64\WWAHost.exe
      "C:\Windows\SysWOW64\WWAHost.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2596
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        3⤵
          PID:2912
    • C:\Windows\System32\WaaSMedicAgent.exe
      C:\Windows\System32\WaaSMedicAgent.exe f87852be5b1160b56a8734c3ced8b7ac SQSLfwJpYki1XtwICMDPjw.0.1.0.0.0
      1⤵
      • Modifies data under HKEY_USERS
      PID:3808
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k wusvcs -p
      1⤵
        PID:2756

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/320-132-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

        Download
      • memory/320-134-0x0000000001030000-0x00000000017DA000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/320-135-0x0000000001030000-0x00000000017DA000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2440-136-0x0000000007CA0000-0x0000000007D75000-memory.dmp
        Filesize

        852KB

        Download
      • memory/2440-225-0x0000000007D80000-0x0000000007E32000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2596-155-0x0000000002B60000-0x0000000002B89000-memory.dmp
        Filesize

        164KB

        Download
      • memory/2596-153-0x0000000000700000-0x00000000007DC000-memory.dmp
        Filesize

        880KB

        Download
      • memory/2596-158-0x0000000003D80000-0x00000000040CA000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/2596-224-0x0000000003AB0000-0x0000000003B40000-memory.dmp
        Filesize

        576KB

        Download
      • memory/3504-130-0x0000000000D10000-0x0000000000D28000-memory.dmp
        Filesize

        96KB

        Download
      • memory/3504-131-0x000000001DEC0000-0x000000001DEC2000-memory.dmp
        Filesize

        8KB

        Download