Analysis

  • max time kernel
    159s
  • max time network
    172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    15-02-2022 12:45

General

  • Target
    SC221420.exe
  • Size
    456KB
  • MD5
    376f50bcc33f115ff257d0c05ac4ba1b
  • SHA1
    6a81172d13f238b8ca60850870070ce8f3b20488
  • SHA256
    0fcfde1ee285a35c722bfdd0b33f08771a26503d4bfc20541726456cf9351af1
  • SHA512
    9bcce9e9dd2f2326f11b8a94867808404af9741e8e0dec59cf073a6eec666acfbb3eaaa26b6bb155060679937ee991048bf4ba3398bc53354c50dd9b61dae81c

Malware Config

Extracted

  • Family
    xloader
  • Version
    2.5
  • Campaign
    ahc8
  • Decoy

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Xloader Payload 2 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 49 IoCs
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\Users\Admin\AppData\Local\Temp\SC221420.exe
      "C:\Users\Admin\AppData\Local\Temp\SC221420.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe
        C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe C:\Users\Admin\AppData\Local\Temp\bxqlkx
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1220
        • C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe
          C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe C:\Users\Admin\AppData\Local\Temp\bxqlkx
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2332
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:2884
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:3428
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:3340
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:376
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:2320
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:1080
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:4088
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:1180
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2340
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe"
        3⤵
        PID:4076
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:3804
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:60
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1508

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery
    • System Information Discovery (2) T1082
    • Query Registry (1) T1012

Downloads

  • C:\Users\Admin\AppData\Local\Temp\5i7piex8bs4j
    MD5
    a52498c2a045ff0a0065ef878e1ffdfe
    SHA1
    23abc7ebc00bf80780a11dca2d25c46123046088
    SHA256
    52a72dec9b196122f3008e8f314ca83546448cf48e47ce485398d52edc7c0861
    SHA512
    25af0ff1d48e4c5d15f22f8d4770ff846dd711ea00a40255db094ebc7340df4ccd760e0654ca021c34d2f85e55b6770a720a01a0affcaa31530bdb28efb01dd7
  • C:\Users\Admin\AppData\Local\Temp\bxqlkx
    MD5
    30efdc42eda73cb1c555eaf1484814f9
    SHA1
    4263d4d980c3e262615f9577d262d96dab3160bc
    SHA256
    95fc7ef3394623fa4142d220c0b13d62d7e03f0ad23917167dc578eef688f848
    SHA512
    a67b30b0a9c7660c973b02bb054a43dd113cba575519ed89c054215407f4f8e9c4326f3734a6af4a831b04f3c2ce8907aec6e5aae2f857218f84fc2920fc2459
  • C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe
    MD5
    f9082eb743fa0bf57bf91d97f5251a44
    SHA1
    0c58960df67a771c5a780ea0bf1adcbb3296710c
    SHA256
    c9a316691f8285991d3baad24b188e103c7b9ded0744f91e9c636633f88dbb20
    SHA512
    30ea6e7257b307c865ecfc0b823270c1c2ed1a6805bf97f0edd54a3d9ac8686764fd4fe3f1ce9c31aeef66ecaf913953e3c89c32cf25efe7c2cfc12b39724d62

  • memory/1220-134-0x00000000004A0000-0x00000000004A2000-memory.dmp
    Filesize 8KB
  • memory/2308-146-0x0000000003590000-0x0000000003684000-memory.dmp
    Filesize 976KB
  • memory/2308-141-0x0000000008C60000-0x0000000008DA8000-memory.dmp
    Filesize 1.3MB
  • memory/2332-139-0x000000000041D000-0x000000000041E000-memory.dmp
    Filesize 4KB
  • memory/2332-140-0x00000000008D0000-0x00000000008E1000-memory.dmp
    Filesize 68KB
  • memory/2332-137-0x0000000000990000-0x0000000000CDA000-memory.dmp
    Filesize 3.3MB
  • memory/2332-135-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize 164KB
  • memory/2340-142-0x00000000001D0000-0x00000000001F7000-memory.dmp
    Filesize 156KB
  • memory/2340-143-0x0000000002BA0000-0x0000000002BC9000-memory.dmp
    Filesize 164KB
  • memory/2340-144-0x0000000004CD0000-0x000000000501A000-memory.dmp
    Filesize 3.3MB
  • memory/2340-145-0x0000000004A30000-0x0000000004AC0000-memory.dmp
    Filesize 576KB