Analysis

  • max time kernel
    153s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    15-02-2022 17:16

General

  • Target

    SC221420.exe

  • Size

    456KB

  • MD5

    376f50bcc33f115ff257d0c05ac4ba1b

  • SHA1

    6a81172d13f238b8ca60850870070ce8f3b20488

  • SHA256

    0fcfde1ee285a35c722bfdd0b33f08771a26503d4bfc20541726456cf9351af1

  • SHA512

    9bcce9e9dd2f2326f11b8a94867808404af9741e8e0dec59cf073a6eec666acfbb3eaaa26b6bb155060679937ee991048bf4ba3398bc53354c50dd9b61dae81c

Malware Config

Extracted

  • Family
    xloader
  • Version
    2.5
  • Campaign
    ahc8
  • Decoy
    192451.com
    wwwripostes.net
    sirikhalsalaw.com
    bitterbaybay.com
    stella-scrubs.com
    almanecermezcal.com
    goodgood.online
    translate-now.online
    sincerefilm.com
    quadrantforensics.com
    johnfrenchart.com
    plick-click.com
    alnileen.com
    tghi.xyz
    172711.com
    maymakita.com
    punnyaseva.com
    ukash-online.com
    sho-yururi-blog.com
    hebergement-solidaire.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Xloader Payload 2 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 51 IoCs
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Users\Admin\AppData\Local\Temp\SC221420.exe
      "C:\Users\Admin\AppData\Local\Temp\SC221420.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3880
      • C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe
        C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe C:\Users\Admin\AppData\Local\Temp\bxqlkx
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:492
        • C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe
          C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe C:\Users\Admin\AppData\Local\Temp\bxqlkx
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1560
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:1940
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe"
        3⤵
        PID:3036
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:2724
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:2328
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1112

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      • Discovery
        • System Information Discovery (2) T1082
        • Query Registry (1) T1012


      Downloads

      • C:\Users\Admin\AppData\Local\Temp\5i7piex8bs4j
        MD5

        a52498c2a045ff0a0065ef878e1ffdfe

        SHA1

        23abc7ebc00bf80780a11dca2d25c46123046088

        SHA256

        52a72dec9b196122f3008e8f314ca83546448cf48e47ce485398d52edc7c0861

        SHA512

        25af0ff1d48e4c5d15f22f8d4770ff846dd711ea00a40255db094ebc7340df4ccd760e0654ca021c34d2f85e55b6770a720a01a0affcaa31530bdb28efb01dd7

      • C:\Users\Admin\AppData\Local\Temp\bxqlkx
        MD5

        30efdc42eda73cb1c555eaf1484814f9

        SHA1

        4263d4d980c3e262615f9577d262d96dab3160bc

        SHA256

        95fc7ef3394623fa4142d220c0b13d62d7e03f0ad23917167dc578eef688f848

        SHA512

        a67b30b0a9c7660c973b02bb054a43dd113cba575519ed89c054215407f4f8e9c4326f3734a6af4a831b04f3c2ce8907aec6e5aae2f857218f84fc2920fc2459

      • C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe
        MD5

        f9082eb743fa0bf57bf91d97f5251a44

        SHA1

        0c58960df67a771c5a780ea0bf1adcbb3296710c

        SHA256

        c9a316691f8285991d3baad24b188e103c7b9ded0744f91e9c636633f88dbb20

        SHA512

        30ea6e7257b307c865ecfc0b823270c1c2ed1a6805bf97f0edd54a3d9ac8686764fd4fe3f1ce9c31aeef66ecaf913953e3c89c32cf25efe7c2cfc12b39724d62

      • C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe
        MD5

        f9082eb743fa0bf57bf91d97f5251a44

        SHA1

        0c58960df67a771c5a780ea0bf1adcbb3296710c

        SHA256

        c9a316691f8285991d3baad24b188e103c7b9ded0744f91e9c636633f88dbb20

        SHA512

        30ea6e7257b307c865ecfc0b823270c1c2ed1a6805bf97f0edd54a3d9ac8686764fd4fe3f1ce9c31aeef66ecaf913953e3c89c32cf25efe7c2cfc12b39724d62

      • C:\Users\Admin\AppData\Local\Temp\phlnztizg.exe
        MD5

        f9082eb743fa0bf57bf91d97f5251a44

        SHA1

        0c58960df67a771c5a780ea0bf1adcbb3296710c

        SHA256

        c9a316691f8285991d3baad24b188e103c7b9ded0744f91e9c636633f88dbb20

        SHA512

        30ea6e7257b307c865ecfc0b823270c1c2ed1a6805bf97f0edd54a3d9ac8686764fd4fe3f1ce9c31aeef66ecaf913953e3c89c32cf25efe7c2cfc12b39724d62

      • memory/1560-136-0x0000000000AA0000-0x0000000000DEA000-memory.dmp
        Filesize

        3.3MB

      • memory/1560-134-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

      • memory/1560-138-0x000000000041D000-0x000000000041E000-memory.dmp
        Filesize

        4KB

      • memory/1560-139-0x0000000000500000-0x0000000000511000-memory.dmp
        Filesize

        68KB

      • memory/2144-144-0x00000000008A0000-0x00000000008C9000-memory.dmp
        Filesize

        164KB

      • memory/2144-143-0x00000000009E0000-0x00000000009F2000-memory.dmp
        Filesize

        72KB

      • memory/2144-145-0x0000000004840000-0x0000000004B8A000-memory.dmp
        Filesize

        3.3MB

      • memory/2144-146-0x00000000045D0000-0x0000000004660000-memory.dmp
        Filesize

        576KB

      • memory/2372-140-0x0000000008810000-0x0000000008915000-memory.dmp
        Filesize

        1.0MB

      • memory/2372-147-0x0000000008610000-0x00000000086B1000-memory.dmp
        Filesize

        644KB