Overview

overview

10

Static

static

QUOTATION.exe

windows7_x64

10

QUOTATION.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    186s
  • max time network
    197s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    09-02-2022 10:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    QUOTATION.exe

  • Size

    564KB

  • MD5

    98baccb2a35dcd64991688d8c2f9863e

  • SHA1

    2cf34e18ccb91d2e0572ec833f8656178f4e834b

  • SHA256

    33b08940d5a2fdd70c73fddf7e359193eb86a1d42e7cce27dba02718b7279c49

  • SHA512

    caf53ba7e93e0f781877cfc318b429dbec9490b443ff8e5533f5ef0c89a1f612ac6e7cc245c99b34ffbf4c9bad95c8e2a183e7faffba3ce78a8b23b1c4757e54

Score
10/10
xloadernt3floaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

nt3f

Decoy

tricyclee.com

kxsw999.com

wisteria-pavilion.com

bellaclancy.com

promissioskincare.com

hzy001.xyz

checkouthomehd.com

soladere.com

point4sales.com

socalmafia.com

libertadysarmiento.online

nftthirty.com

digitalgoldcryptostock.net

tulekiloscaird.com

austinfishandchicken.com

wlxxch.com

mgav51.xyz

landbanking.global

saprove.com

babyfaces.skin

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 3 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 47 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe
      "C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3640
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svUINqq.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1940
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\svUINqq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp12BC.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:2988
      • C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe
        "C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3944
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:2116
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:2664
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp12BC.tmp
    MD5

    8994ba6fa3d7e866d5095ef8d01985ba

    SHA1

    01444101a4fc1c7bb10b2f10242e7c197d3f1b81

    SHA256

    37ceb9e4650e898b5d803f1e360aba35b2585bd9292652205f11fb708b9fd908

    SHA512

    01d2213e65c20fb8eb454b30d48115cea6667b566366a92d8ed5afbd9a5caa21ff68319123df48cf08fa2daf564bfe042d9b0c618289e66b8cf62c27bb4a807c

    Download Submit
  • memory/1940-153-0x0000000006B50000-0x0000000006B72000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1940-164-0x00000000080C0000-0x00000000080F2000-memory.dmp
    Filesize

    200KB

    Download
  • memory/1940-175-0x0000000009130000-0x0000000009138000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1940-174-0x0000000009150000-0x000000000916A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1940-173-0x0000000009040000-0x000000000904E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1940-172-0x0000000009090000-0x0000000009126000-memory.dmp
    Filesize

    600KB

    Download
  • memory/1940-152-0x0000000006CA0000-0x00000000072C8000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/1940-140-0x000000007479E000-0x000000007479F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1940-171-0x0000000008E80000-0x0000000008E8A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1940-142-0x00000000065D0000-0x0000000006606000-memory.dmp
    Filesize

    216KB

    Download
  • memory/1940-169-0x0000000009450000-0x0000000009ACA000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/1940-145-0x0000000006660000-0x0000000006661000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1940-167-0x000000007EF20000-0x000000007EF21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1940-166-0x00000000080A0000-0x00000000080BE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1940-165-0x0000000070300000-0x000000007034C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1940-162-0x0000000006665000-0x0000000006667000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1940-147-0x0000000006662000-0x0000000006663000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1940-154-0x0000000006BF0000-0x0000000006C56000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1940-160-0x0000000007AF0000-0x0000000007B0E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1940-170-0x0000000008E10000-0x0000000008E2A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1940-155-0x0000000007340000-0x00000000073A6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2116-158-0x0000000000530000-0x0000000000542000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2116-159-0x0000000002AC0000-0x0000000002AE9000-memory.dmp
    Filesize

    164KB

    Download
  • memory/2116-161-0x0000000004A60000-0x0000000004DAA000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/2116-163-0x0000000004890000-0x0000000004920000-memory.dmp
    Filesize

    576KB

    Download
  • memory/2420-148-0x0000000008A50000-0x0000000008B60000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2420-168-0x0000000008B60000-0x0000000008C9E000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/3640-135-0x0000000000D20000-0x0000000000DBC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/3640-133-0x0000000004FA0000-0x0000000004FE0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/3640-137-0x0000000005C40000-0x00000000061E4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3640-130-0x000000007479E000-0x000000007479F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3640-131-0x0000000000580000-0x0000000000614000-memory.dmp
    Filesize

    592KB

    Download
  • memory/3640-136-0x0000000005023000-0x0000000005025000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3640-134-0x00000000051D0000-0x0000000005262000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3640-132-0x0000000005020000-0x0000000005021000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3944-151-0x0000000001440000-0x0000000001451000-memory.dmp
    Filesize

    68KB

    Download
  • memory/3944-150-0x00000000010F0000-0x000000000143A000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/3944-146-0x000000000041D000-0x000000000041E000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3944-143-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/3944-149-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download