Analysis

  • max time kernel: 181s
  • max time network: 190s
  • platform: windows10-2004_x64
  • resource: win10v2004-en-20220112
  • submitted: 08-02-2022 01:25

General

  • Target: 2021_036,pdf.exe
  • Size: 220KB
  • MD5: 251729c3c3a66cb76aab3fe702145906
  • SHA1: 19ecdee079a7abb02a82781af0e14d5a7f54705f
  • SHA256: 5f3be7bf52d0617f50d8dcf095edc606854a589a94f2ac8186d6b9406960aa86
  • SHA512: e2d7af9a4be4b86cd1fd08e40f297b8cf417f8977986ce7832bf73f797cca7a05da5ea5398df8ff155d3a8087ed5c8a00ce5b2676509a8c667c081b7db77b9a0

Score
10/10

Malware Config

Extracted

  • Family: xloader
  • Version: 2.3
  • Campaign: gh6n

Decoy


Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 47 IoCs
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2328
    • C:\Users\Admin\AppData\Local\Temp\2021_036,pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\2021_036,pdf.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3772
      • C:\Users\Admin\AppData\Local\Temp\2021_036,pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\2021_036,pdf.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1284
    • C:\Windows\SysWOW64\cmstp.exe
      "C:\Windows\SysWOW64\cmstp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1680
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\2021_036,pdf.exe"
        3⤵
          PID:4060
    • C:\Windows\system32\MusNotifyIcon.exe
      %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
      1⤵
      • Checks processor information in registry
      PID:2780
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k NetworkService -p
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:2076

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery
    • System Information Discovery (2) T1082
    • Query Registry (1) T1012


Downloads

  • C:\Users\Admin\AppData\Local\Temp\Isdjek.dll
    MD5: 7183a8b8bb7e8b4712ffa8720476909c
    SHA1: 0819caf4c801c7877832442b47d6149143e1ebc4
    SHA256: 9d254261d58e3d155775c785039ecc7afa053c1e0b1d7eed2ff203101da48ddc
    SHA512: 21e7242f7f80d390a1f930594df78797340d8178a90da59ed9f0ee78f9b7b9cac0bc379637b25d5ca059fe0f2ff26b1e40926fb5597da4fe23dcbbb5b2ab254e
  • C:\Users\Admin\AppData\Local\Temp\nstD3A5.tmp\System.dll
    MD5: fccff8cb7a1067e23fd2e2b63971a8e1
    SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
    SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
    SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
  • memory/1284-132-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize: 160KB
  • memory/1284-133-0x00000000005C0000-0x0000000000D6A000-memory.dmp
    Filesize: 7.7MB
  • memory/1284-134-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize: 160KB
  • memory/1284-135-0x00000000005B0000-0x00000000005C0000-memory.dmp
    Filesize: 64KB
  • memory/1680-137-0x00000000009C0000-0x00000000009D6000-memory.dmp
    Filesize: 88KB
  • memory/1680-138-0x00000000001B0000-0x00000000001D8000-memory.dmp
    Filesize: 160KB
  • memory/1680-139-0x0000000004350000-0x000000000469A000-memory.dmp
    Filesize: 3.3MB
  • memory/1680-140-0x0000000004180000-0x000000000420F000-memory.dmp
    Filesize: 572KB
  • memory/2328-136-0x0000000008350000-0x000000000844F000-memory.dmp
    Filesize: 1020KB
  • memory/2328-141-0x0000000008450000-0x00000000084FA000-memory.dmp
    Filesize: 680KB