Overview

overview

10

Static

static

Alis sifarisi.exe

windows7_x64

10

Alis sifarisi.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    11-02-2022 10:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Alis sifarisi.exe

  • Size

    1.0MB

  • MD5

    54c39236d174c27d217736cd049d8bbd

  • SHA1

    832f5c5c4cbf2b4f888f319654cf002176bbb916

  • SHA256

    2179647ebf96503deb5fae78827c5d99757f2926f0226cb5a6e4181e2f0c1a07

  • SHA512

    1df01d52dc6965d5b42c3f03887b01c0fdd1593666e1733d8776d4a64f22253c062e6f1e29fc403f2217547f96962955fe7733b23b55b0f5fd3a5774acec5c7a

Score
10/10
xloaderpvxzloaderpersistenceratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pvxz

Decoy

imt-token.club

abravewayocen.online

shcloudcar.com

mshoppingworld.online

ncgf08.xyz

stuinfo.xyz

wesavetheplanetofficial.com

tourbox.xyz

believeinyourselftraining.com

jsboyat.com

aaeconomy.info

9etmorea.info

purosepeti7.com

goticketly.com

pinkmemorypt.com

mylifewellnesscentre.com

iridina.online

petrestore.online

neema.xyz

novelfooditalia.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 2 IoCs
    rat
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 51 IoCs
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Users\Admin\AppData\Local\Temp\Alis sifarisi.exe
      "C:\Users\Admin\AppData\Local\Temp\Alis sifarisi.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3868
      • C:\Windows\SysWOW64\logagent.exe
        C:\Windows\System32\logagent.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:972
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
        PID:2984
      • C:\Windows\SysWOW64\help.exe
        "C:\Windows\SysWOW64\help.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1248
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Windows\SysWOW64\logagent.exe"
          3⤵
            PID:1496
      • C:\Windows\system32\MusNotifyIcon.exe
        %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
        1⤵
        • Checks processor information in registry
        PID:1252
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k NetworkService -p
        1⤵
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        PID:1928

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/972-142-0x0000000004300000-0x0000000004311000-memory.dmp
        Filesize

        68KB

        Download
      • memory/972-137-0x0000000000350000-0x0000000000351000-memory.dmp
        Filesize

        4KB

        Download
      • memory/972-138-0x0000000072480000-0x00000000724A9000-memory.dmp
        Filesize

        164KB

        Download
      • memory/972-140-0x0000000004450000-0x000000000479A000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/972-141-0x000000007249D000-0x000000007249E000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1248-144-0x0000000000CA0000-0x0000000000CA7000-memory.dmp
        Filesize

        28KB

        Download
      • memory/1248-146-0x00000000034D0000-0x000000000381A000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/1248-145-0x0000000002CD0000-0x0000000002CF9000-memory.dmp
        Filesize

        164KB

        Download
      • memory/1248-147-0x0000000003200000-0x0000000003290000-memory.dmp
        Filesize

        576KB

        Download
      • memory/2448-143-0x0000000002DA0000-0x0000000002E4E000-memory.dmp
        Filesize

        696KB

        Download
      • memory/2448-148-0x0000000007B40000-0x0000000007C59000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/3868-135-0x0000000000406000-0x0000000000407000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3868-133-0x00000000022B0000-0x00000000022B1000-memory.dmp
        Filesize

        4KB

        Download