Overview

overview

10

Static

static

New Purcha...er.exe

windows7_x64

10

New Purcha...er.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    156s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    07-02-2022 00:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New Purchase Order.exe

  • Size

    747KB

  • MD5

    99e9bf49fad21cd57261f354af9742e4

  • SHA1

    28e1025ad185b7502568d4dbdab483b25b8e0fac

  • SHA256

    92ddc88d7c1bde849c18747f4fcd526c240a81efe9c74ee1dcaa4a72ecc9ac3a

  • SHA512

    1c8e9d9e6052ebb054623aaaadde67627e0cb07f576cc8aaa5be5f48dcc34370d8658148a9716c8ca139742dbe4145bb3f4c365b2e23012138f1aace61280bbc

Score
10/10
xloadernoi6loaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

noi6

Decoy

daliglobalservice.com

thenationschristianchurch.com

aliqy.com

grace-saunders.com

endlessretirement.com

stanleycupticket.com

dltgame.club

healthqnahindi.com

salniyrk.icu

laurasbaked.com

vintagechinese.com

agrocomposites.com

aimedsports.com

vegeatsdirect.com

goh-pbl.com

fairview.global

affiliateprogramscenter.com

blogizarshop.com

loorzon.com

curtex.info

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 47 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Users\Admin\AppData\Local\Temp\New Purchase Order.exe
      "C:\Users\Admin\AppData\Local\Temp\New Purchase Order.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Users\Admin\AppData\Local\Temp\New Purchase Order.exe
        "C:\Users\Admin\AppData\Local\Temp\New Purchase Order.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1404
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\New Purchase Order.exe"
        3⤵
          PID:2484
    • C:\Windows\system32\MusNotifyIcon.exe
      %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
      1⤵
      • Checks processor information in registry
      PID:3316
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k NetworkService -p
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:3084

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1208-142-0x0000000000750000-0x0000000000777000-memory.dmp
      Filesize

      156KB

      Download
    • memory/1208-145-0x0000000005250000-0x00000000052DF000-memory.dmp
      Filesize

      572KB

      Download
    • memory/1208-144-0x0000000005350000-0x000000000569A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/1208-143-0x0000000002F50000-0x0000000002F79000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1404-139-0x00000000013E0000-0x000000000172A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/1404-137-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1404-140-0x0000000000E60000-0x0000000000E70000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2188-135-0x0000000004B70000-0x0000000004B7A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2188-136-0x0000000004E70000-0x0000000004EC6000-memory.dmp
      Filesize

      344KB

      Download
    • memory/2188-130-0x0000000000110000-0x00000000001D0000-memory.dmp
      Filesize

      768KB

      Download
    • memory/2188-134-0x0000000004AF0000-0x0000000004B8C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/2188-133-0x0000000004C30000-0x0000000004CC2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2188-132-0x00000000051E0000-0x0000000005784000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2188-131-0x0000000004B90000-0x0000000004C2C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/2444-141-0x0000000008AD0000-0x0000000008BD5000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2444-146-0x0000000008BE0000-0x0000000008C88000-memory.dmp
      Filesize

      672KB

      Download