Overview

overview

10

Static

static

1

09022022-7...df.exe

windows7_x64

10

09022022-7...df.exe

windows10_x64

10

Analysis

  • max time kernel
    300s
  • max time network
    300s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    09-02-2022 16:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    09022022-739651826-pdf.exe

  • Size

    265KB

  • MD5

    37c86eea298f12684500f2083a2e4e7d

  • SHA1

    4c84e078d068e2a79ddbc48d03459e87390cb756

  • SHA256

    46adc5850ed556d130d5d35db220fc303d45d719960e7e4b4b56174e9cdd3850

  • SHA512

    8a9ea9cf85e375a5b4b50789c6cf1041172400916a045c735987929c52081ff25748bfa404472c580261f8251f37973ba30ecdbc464f0546f702518ff87cd09a

Score
10/10
xloaderuar3loaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

uar3

Decoy

sgadvocats.com

mjscannabus.com

hilldaley.com

ksdollhouse.com

hotgiftboutique.com

purebloodsmeet.com

relaunched.info

cap-glove.com

productcollection.store

fulikyy.xyz

remoteaviationjobs.com

bestcleancrystal.com

virtualorganizationpartner.com

bookgocar.com

hattuafhv.quest

makonigroup.com

officecom-myaccount.com

malgorzata-lac.com

e-learningeducators.com

hygilaur.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 61 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1448
    • C:\Users\Admin\AppData\Local\Temp\09022022-739651826-pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\09022022-739651826-pdf.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Users\Admin\AppData\Local\Temp\qgerjshzns.exe
        C:\Users\Admin\AppData\Local\Temp\qgerjshzns.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1552
        • C:\Users\Admin\AppData\Local\Temp\qgerjshzns.exe
          C:\Users\Admin\AppData\Local\Temp\qgerjshzns.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:876
    • C:\Windows\SysWOW64\colorcpl.exe
      "C:\Windows\SysWOW64\colorcpl.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:632
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\qgerjshzns.exe"
        3⤵
          PID:1848

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\akvjxtp6f43v
      MD5

      14823dd88a486c9049dc8e39e95e8d6c

      SHA1

      fe4faa49db61f5e4dce75a41bd4e3006b0f2fed8

      SHA256

      ee11c5923f5ec6cc1c3db829cd59d9ee4a3cc85404c68e4ab90177f010eb13c8

      SHA512

      e43f375eb42952580dab5f8acdd81a88e0b8c4de659b0406afd1599bbb044b71a53b353d67615fa4d2a1c7191e1e35d9e58d5ce6bdd18311e74df0f41201b560

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\qgerjshzns.exe
      MD5

      61c6afe8eb1faafafbe8ee85d527d30e

      SHA1

      c3ec3a8a18ab801d7191ae3c3fc08d1dae3bdf46

      SHA256

      034f1d54ff9954dba589f77cf229352e339424a9f35199f23cb979c05bb889ed

      SHA512

      4eff030db73d65b490ab20e58034f116dc123a24b22dfb9e7d82676544085b314e52148d868f1135b8e9d80ec78c4757b4461ec1fdd42f29fcac1a5e4e5a9591

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\qgerjshzns.exe
      MD5

      61c6afe8eb1faafafbe8ee85d527d30e

      SHA1

      c3ec3a8a18ab801d7191ae3c3fc08d1dae3bdf46

      SHA256

      034f1d54ff9954dba589f77cf229352e339424a9f35199f23cb979c05bb889ed

      SHA512

      4eff030db73d65b490ab20e58034f116dc123a24b22dfb9e7d82676544085b314e52148d868f1135b8e9d80ec78c4757b4461ec1fdd42f29fcac1a5e4e5a9591

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\qgerjshzns.exe
      MD5

      61c6afe8eb1faafafbe8ee85d527d30e

      SHA1

      c3ec3a8a18ab801d7191ae3c3fc08d1dae3bdf46

      SHA256

      034f1d54ff9954dba589f77cf229352e339424a9f35199f23cb979c05bb889ed

      SHA512

      4eff030db73d65b490ab20e58034f116dc123a24b22dfb9e7d82676544085b314e52148d868f1135b8e9d80ec78c4757b4461ec1fdd42f29fcac1a5e4e5a9591

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\uxxvuqyvja
      MD5

      43572ef3180d3c5c33a5cf9d62a6d696

      SHA1

      e079bf345f9b9133ecc1813839c4182ee6285802

      SHA256

      3a09220007d41f44063d266b9cf59c30e85b22e3bf33546c272046f32ea32abe

      SHA512

      9045ef3ea42ed91767e7b70c1e7641aaa44f2c6bd9a83f6db301a691b88e4e7e015e77fc6f578f49fad51f8e582563fa3fb68d8013c4078e3a62078b7684d7bd

      Download Submit
    • \Users\Admin\AppData\Local\Temp\qgerjshzns.exe
      MD5

      61c6afe8eb1faafafbe8ee85d527d30e

      SHA1

      c3ec3a8a18ab801d7191ae3c3fc08d1dae3bdf46

      SHA256

      034f1d54ff9954dba589f77cf229352e339424a9f35199f23cb979c05bb889ed

      SHA512

      4eff030db73d65b490ab20e58034f116dc123a24b22dfb9e7d82676544085b314e52148d868f1135b8e9d80ec78c4757b4461ec1fdd42f29fcac1a5e4e5a9591

      Download Submit
    • \Users\Admin\AppData\Local\Temp\qgerjshzns.exe
      MD5

      61c6afe8eb1faafafbe8ee85d527d30e

      SHA1

      c3ec3a8a18ab801d7191ae3c3fc08d1dae3bdf46

      SHA256

      034f1d54ff9954dba589f77cf229352e339424a9f35199f23cb979c05bb889ed

      SHA512

      4eff030db73d65b490ab20e58034f116dc123a24b22dfb9e7d82676544085b314e52148d868f1135b8e9d80ec78c4757b4461ec1fdd42f29fcac1a5e4e5a9591

      Download Submit
    • \Users\Admin\AppData\Local\Temp\qgerjshzns.exe
      MD5

      61c6afe8eb1faafafbe8ee85d527d30e

      SHA1

      c3ec3a8a18ab801d7191ae3c3fc08d1dae3bdf46

      SHA256

      034f1d54ff9954dba589f77cf229352e339424a9f35199f23cb979c05bb889ed

      SHA512

      4eff030db73d65b490ab20e58034f116dc123a24b22dfb9e7d82676544085b314e52148d868f1135b8e9d80ec78c4757b4461ec1fdd42f29fcac1a5e4e5a9591

      Download Submit
    • memory/632-71-0x0000000000CE0000-0x0000000000CF8000-memory.dmp
      Filesize

      96KB

      Download
    • memory/632-74-0x0000000000920000-0x00000000009B0000-memory.dmp
      Filesize

      576KB

      Download
    • memory/632-73-0x0000000002100000-0x0000000002403000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/632-72-0x0000000000080000-0x00000000000A9000-memory.dmp
      Filesize

      164KB

      Download
    • memory/876-63-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/876-68-0x00000000002D0000-0x00000000002E1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/876-66-0x00000000006E0000-0x00000000009E3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/876-67-0x000000000041D000-0x000000000041E000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1448-69-0x0000000005000000-0x00000000050FA000-memory.dmp
      Filesize

      1000KB

      Download
    • memory/1448-75-0x0000000006730000-0x000000000684A000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/1720-55-0x0000000075831000-0x0000000075833000-memory.dmp
      Filesize

      8KB

      Download