Overview

overview

10

Static

static

Pzszsebwqn...nn.exe

windows10_x64

10

Resubmissions

01-02-2022 13:08

220201-qdmyjsdde8 10

01-02-2022 12:57

220201-p62fzabab6 10

01-02-2022 07:00

220201-hsnvdsbab7 10

Analysis

  • max time kernel
    136s
  • max time network
    478s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    01-02-2022 12:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Pzszsebwqndrzimfyunhokbpqivlqwshnn.exe

  • Size

    920KB

  • MD5

    65523cf4b441d2dbe144566c4bea5849

  • SHA1

    119d9e00c6b08f5e93f477a9429c263390e4a4c2

  • SHA256

    09effc5108b5ca6e852a9712180ad493ad2e4aa5e3693056953583fbce18cf92

  • SHA512

    348e742fae24048357e04e10872228438c1a327b7292944beefb0b885b7f9995d01b0aec2e0a5316cf5ac6bcc2f8afd7868076d477bf6b09791d3127b57a089b

Score
10/10
xloaderpvxzloaderpersistencerat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pvxz

Decoy

imt-token.club

abravewayocen.online

shcloudcar.com

mshoppingworld.online

ncgf08.xyz

stuinfo.xyz

wesavetheplanetofficial.com

tourbox.xyz

believeinyourselftraining.com

jsboyat.com

aaeconomy.info

9etmorea.info

purosepeti7.com

goticketly.com

pinkmemorypt.com

mylifewellnesscentre.com

iridina.online

petrestore.online

neema.xyz

novelfooditalia.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2420
    • C:\Users\Admin\AppData\Local\Temp\Pzszsebwqndrzimfyunhokbpqivlqwshnn.exe
      "C:\Users\Admin\AppData\Local\Temp\Pzszsebwqndrzimfyunhokbpqivlqwshnn.exe"
      2⤵
      • Adds Run key to start application
      PID:2676
      • C:\Windows\SysWOW64\logagent.exe
        C:\Windows\System32\logagent.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:524
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      2⤵
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3752
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe"
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8a1e24f50,0x7ff8a1e24f60,0x7ff8a1e24f70
        3⤵
          PID:2888
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1488,3839380370085343122,12847792891243471551,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1492 /prefetch:2
          3⤵
            PID:1392
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1488,3839380370085343122,12847792891243471551,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1836 /prefetch:8
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:1932
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1488,3839380370085343122,12847792891243471551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 /prefetch:8
            3⤵
              PID:1988
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,3839380370085343122,12847792891243471551,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2684 /prefetch:1
              3⤵
                PID:1928
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,3839380370085343122,12847792891243471551,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2692 /prefetch:1
                3⤵
                  PID:2828
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,3839380370085343122,12847792891243471551,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
                  3⤵
                    PID:696
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe"
                  2⤵
                    PID:4072
                • C:\Windows\System32\rundll32.exe
                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                  1⤵
                    PID:792
                  • C:\Windows\system32\LogonUI.exe
                    "LogonUI.exe" /flags:0x0 /state0:0xa3a80055 /state1:0x41c64e6d
                    1⤵
                    • Drops file in Windows directory
                    • Modifies data under HKEY_USERS
                    • Suspicious use of SetWindowsHookEx
                    PID:792

                  Network

                  MITRE ATT&CK Matrix ATT&CK v6

                  Initial Access

                  Execution

                  Persistence

                  Registry Run Keys / Startup Folder

                  1
                  T1060

                  Privilege Escalation

                  Defense Evasion

                  Modify Registry

                  1
                  T1112

                  Credential Access

                  Discovery

                  Query Registry

                  2
                  T1012

                  Peripheral Device Discovery

                  1
                  T1120

                  System Information Discovery

                  2
                  T1082

                  Lateral Movement

                  Collection

                  Exfiltration

                  Command and Control

                  Impact

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • \??\pipe\crashpad_2472_WMPFZZAYLJXKJRAU
                    MD5

                    d41d8cd98f00b204e9800998ecf8427e

                    SHA1

                    da39a3ee5e6b4b0d3255bfef95601890afd80709

                    SHA256

                    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                    SHA512

                    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                    Download Submit
                  • memory/524-209-0x00000000001C0000-0x00000000001C1000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/524-210-0x0000000072480000-0x00000000724A9000-memory.dmp
                    Filesize

                    164KB

                    Download
                  • memory/524-212-0x0000000000FF0000-0x0000000001310000-memory.dmp
                    Filesize

                    3.1MB

                    Download
                  • memory/524-214-0x00000000007E0000-0x0000000000AA3000-memory.dmp
                    Filesize

                    2.8MB

                    Download
                  • memory/2420-213-0x000000000B290000-0x000000000B3FD000-memory.dmp
                    Filesize

                    1.4MB

                    Download
                  • memory/2676-115-0x0000000000680000-0x0000000000681000-memory.dmp
                    Filesize

                    4KB

                    Download