Overview

overview

10

Static

static

Swift mes...22.exe

windows7_x64

3

Swift mes...22.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    167s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    07-02-2022 11:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Swift mesajı 4.02.2022.exe

  • Size

    7KB

  • MD5

    877b1a2b61c1b9d6580ddab9416a4f2a

  • SHA1

    553657a0141dd16f29dbe8ac254b8ce77b8857b2

  • SHA256

    d11763e5e7a68e1ebd3c8094630dd0d1e184e08eeb9a9d5e3f8200e7aeb9aea9

  • SHA512

    c13d8cfa5bd0f8de604128085b5aebb582f9d07fb36ea11d35c214bb827d30658c9d0d32f3458d20a43ded6a2c8137cf80748bb139751a94800f0ff149bad24a

Score
10/10
xloaderp8celoaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

p8ce

Decoy

wishmeluck1.xyz

nawabumi.com

terra.fish

eoraipsumami.quest

awakeningyourid.com

csyein.com

tslsinteligentes.com

cataractusa.com

capitalwheelstogo.com

staffremotely.com

trashbinwasher.com

blaneyparkrendezvous.com

yolrt.com

northendtaproom.com

showgeini.com

b95206.com

almcpersonaltraining.com

lovabledoodleshome.com

woodlandstationcondos.com

nikahlive.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 51 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Users\Admin\AppData\Local\Temp\ Swift mesajı 4.02.2022.exe
      "C:\Users\Admin\AppData\Local\Temp\ Swift mesajı 4.02.2022.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3684
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3648
    • C:\Windows\SysWOW64\msdt.exe
      "C:\Windows\SysWOW64\msdt.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1020
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
        3⤵
          PID:2092
    • C:\Windows\system32\MusNotifyIcon.exe
      %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
      1⤵
      • Checks processor information in registry
      PID:1872
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k NetworkService -p
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:1508

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1020-138-0x0000000000D10000-0x0000000000D67000-memory.dmp
      Filesize

      348KB

      Download
    • memory/1020-139-0x00000000006F0000-0x0000000000719000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1020-140-0x0000000004870000-0x0000000004BBA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/1020-141-0x0000000004610000-0x00000000046A0000-memory.dmp
      Filesize

      576KB

      Download
    • memory/2412-137-0x0000000008230000-0x000000000837F000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2412-142-0x0000000008380000-0x00000000084DD000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/3648-133-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/3648-135-0x00000000012C0000-0x0000000001A6A000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3648-136-0x00000000012C0000-0x0000000001A6A000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3684-130-0x00000000005B0000-0x00000000005B8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/3684-131-0x0000000005040000-0x0000000005041000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3684-132-0x0000000000BB0000-0x0000000000C4C000-memory.dmp
      Filesize

      624KB

      Download