Overview

overview

10

Static

static

1

09022022.exe

windows7_x64

10

09022022.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    211s
  • max time network
    213s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    09-02-2022 18:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    09022022.exe

  • Size

    265KB

  • MD5

    37c86eea298f12684500f2083a2e4e7d

  • SHA1

    4c84e078d068e2a79ddbc48d03459e87390cb756

  • SHA256

    46adc5850ed556d130d5d35db220fc303d45d719960e7e4b4b56174e9cdd3850

  • SHA512

    8a9ea9cf85e375a5b4b50789c6cf1041172400916a045c735987929c52081ff25748bfa404472c580261f8251f37973ba30ecdbc464f0546f702518ff87cd09a

Score
10/10
xloaderuar3loaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

uar3

Decoy

sgadvocats.com

mjscannabus.com

hilldaley.com

ksdollhouse.com

hotgiftboutique.com

purebloodsmeet.com

relaunched.info

cap-glove.com

productcollection.store

fulikyy.xyz

remoteaviationjobs.com

bestcleancrystal.com

virtualorganizationpartner.com

bookgocar.com

hattuafhv.quest

makonigroup.com

officecom-myaccount.com

malgorzata-lac.com

e-learningeducators.com

hygilaur.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 51 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Users\Admin\AppData\Local\Temp\09022022.exe
      "C:\Users\Admin\AppData\Local\Temp\09022022.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3660
      • C:\Users\Admin\AppData\Local\Temp\qgerjshzns.exe
        C:\Users\Admin\AppData\Local\Temp\qgerjshzns.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1800
        • C:\Users\Admin\AppData\Local\Temp\qgerjshzns.exe
          C:\Users\Admin\AppData\Local\Temp\qgerjshzns.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1264
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3952
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\qgerjshzns.exe"
        3⤵
          PID:1428
    • C:\Windows\system32\MusNotifyIcon.exe
      %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
      1⤵
      • Checks processor information in registry
      PID:1152
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k NetworkService -p
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:2220

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    2
    T1082

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\akvjxtp6f43v
      MD5

      14823dd88a486c9049dc8e39e95e8d6c

      SHA1

      fe4faa49db61f5e4dce75a41bd4e3006b0f2fed8

      SHA256

      ee11c5923f5ec6cc1c3db829cd59d9ee4a3cc85404c68e4ab90177f010eb13c8

      SHA512

      e43f375eb42952580dab5f8acdd81a88e0b8c4de659b0406afd1599bbb044b71a53b353d67615fa4d2a1c7191e1e35d9e58d5ce6bdd18311e74df0f41201b560

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\qgerjshzns.exe
      MD5

      61c6afe8eb1faafafbe8ee85d527d30e

      SHA1

      c3ec3a8a18ab801d7191ae3c3fc08d1dae3bdf46

      SHA256

      034f1d54ff9954dba589f77cf229352e339424a9f35199f23cb979c05bb889ed

      SHA512

      4eff030db73d65b490ab20e58034f116dc123a24b22dfb9e7d82676544085b314e52148d868f1135b8e9d80ec78c4757b4461ec1fdd42f29fcac1a5e4e5a9591

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\qgerjshzns.exe
      MD5

      61c6afe8eb1faafafbe8ee85d527d30e

      SHA1

      c3ec3a8a18ab801d7191ae3c3fc08d1dae3bdf46

      SHA256

      034f1d54ff9954dba589f77cf229352e339424a9f35199f23cb979c05bb889ed

      SHA512

      4eff030db73d65b490ab20e58034f116dc123a24b22dfb9e7d82676544085b314e52148d868f1135b8e9d80ec78c4757b4461ec1fdd42f29fcac1a5e4e5a9591

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\qgerjshzns.exe
      MD5

      61c6afe8eb1faafafbe8ee85d527d30e

      SHA1

      c3ec3a8a18ab801d7191ae3c3fc08d1dae3bdf46

      SHA256

      034f1d54ff9954dba589f77cf229352e339424a9f35199f23cb979c05bb889ed

      SHA512

      4eff030db73d65b490ab20e58034f116dc123a24b22dfb9e7d82676544085b314e52148d868f1135b8e9d80ec78c4757b4461ec1fdd42f29fcac1a5e4e5a9591

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\uxxvuqyvja
      MD5

      43572ef3180d3c5c33a5cf9d62a6d696

      SHA1

      e079bf345f9b9133ecc1813839c4182ee6285802

      SHA256

      3a09220007d41f44063d266b9cf59c30e85b22e3bf33546c272046f32ea32abe

      SHA512

      9045ef3ea42ed91767e7b70c1e7641aaa44f2c6bd9a83f6db301a691b88e4e7e015e77fc6f578f49fad51f8e582563fa3fb68d8013c4078e3a62078b7684d7bd

      Download Submit
    • memory/1264-137-0x00000000009E0000-0x0000000000D2A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/1264-134-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1264-138-0x000000000041D000-0x000000000041E000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1264-139-0x00000000009C0000-0x00000000009D1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/2412-140-0x00000000088B0000-0x00000000089C5000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/2412-145-0x0000000008B10000-0x0000000008C9D000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3952-141-0x0000000000C00000-0x0000000001033000-memory.dmp
      Filesize

      4.2MB

      Download
    • memory/3952-142-0x0000000004C00000-0x0000000004F4A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/3952-143-0x0000000000800000-0x0000000000829000-memory.dmp
      Filesize

      164KB

      Download
    • memory/3952-144-0x0000000004A30000-0x0000000004AC0000-memory.dmp
      Filesize

      576KB

      Download