Overview

overview

10

Static

static

IMG 29987 ...22.exe

windows7_x64

10

IMG 29987 ...22.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    162s
  • max time network
    169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    03-02-2022 08:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IMG 29987 SHIPMENT Order 85 3.02.2022.exe

  • Size

    558KB

  • MD5

    d541dd30d857710b9a5f708b83db0241

  • SHA1

    6a6b66e233eee0b11129732e35e4e7c65c631c84

  • SHA256

    af662c52d97d2590fa9a275d02feaf5aab3c18365e002a288efd862bd09aa6b4

  • SHA512

    685cdf9f95452ca8b177208cac7fc6841709167a5a46116d7267c6330fcf4f77ecca67dd9730554682bdc5fbf9e19f5f2f0bb3bb3ab2f520f49271261067ac89

Score
10/10
xloaderp8celoaderpersistencerat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

p8ce

Decoy

wishmeluck1.xyz

nawabumi.com

terra.fish

eoraipsumami.quest

awakeningyourid.com

csyein.com

tslsinteligentes.com

cataractusa.com

capitalwheelstogo.com

staffremotely.com

trashbinwasher.com

blaneyparkrendezvous.com

yolrt.com

northendtaproom.com

showgeini.com

b95206.com

almcpersonaltraining.com

lovabledoodleshome.com

woodlandstationcondos.com

nikahlive.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Sets service image path in registry 2 TTPs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2328
    • C:\Users\Admin\AppData\Local\Temp\IMG 29987 SHIPMENT Order 85 3.02.2022.exe
      "C:\Users\Admin\AppData\Local\Temp\IMG 29987 SHIPMENT Order 85 3.02.2022.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:828
      • C:\Users\Admin\AppData\Local\Temp\IMG 29987 SHIPMENT Order 85 3.02.2022.exe
        "C:\Users\Admin\AppData\Local\Temp\IMG 29987 SHIPMENT Order 85 3.02.2022.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:820
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3364
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\IMG 29987 SHIPMENT Order 85 3.02.2022.exe"
        3⤵
          PID:3028
    • C:\Windows\system32\MusNotifyIcon.exe
      %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
      1⤵
      • Checks processor information in registry
      PID:768
    • C:\Windows\System32\WaaSMedicAgent.exe
      C:\Windows\System32\WaaSMedicAgent.exe 7a3930a051db2f78b12d8d3b516b027f 56J+OO/JnEWglzfMAQ6rcg.0.1.0.0.0
      1⤵
      • Modifies data under HKEY_USERS
      PID:812
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k NetworkService -p
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:1260

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/820-137-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/820-140-0x0000000001590000-0x0000000001D4A000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/820-139-0x0000000001590000-0x0000000001D4A000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/828-133-0x0000000005660000-0x00000000056F2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/828-134-0x0000000000F90000-0x000000000102C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/828-135-0x0000000002BC0000-0x0000000002C81000-memory.dmp
      Filesize

      772KB

      Download
    • memory/828-136-0x0000000005E60000-0x0000000006404000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/828-130-0x00000000007C0000-0x0000000000854000-memory.dmp
      Filesize

      592KB

      Download
    • memory/828-132-0x0000000005490000-0x00000000054D0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/828-131-0x0000000002BC0000-0x0000000002C81000-memory.dmp
      Filesize

      772KB

      Download
    • memory/2328-141-0x0000000008350000-0x0000000008405000-memory.dmp
      Filesize

      724KB

      Download
    • memory/3364-143-0x00000000005A0000-0x00000000005C9000-memory.dmp
      Filesize

      164KB

      Download
    • memory/3364-142-0x0000000000CB0000-0x0000000000CD7000-memory.dmp
      Filesize

      156KB

      Download
    • memory/3364-144-0x0000000004990000-0x0000000004CDA000-memory.dmp
      Filesize

      3.3MB

      Download