Analysis

  • max time kernel
    301s
  • max time network
    303s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    16-02-2022 02:39

General

  • Target

    loader4.exe

  • Size

    267KB

  • MD5

    a745520f45bced7375d4e918a82c0517

  • SHA1

    5fe7418c073c45eebbd6d12220cd63a49ea4f122

  • SHA256

    22099fbafc3dda95912c51aa0c313826f21e2fe84ef51453c649f66ab29c6916

  • SHA512

    caa99e83e30c03a90e97c09f296eb2530e08da47957b4aa632909ffae9a2c929cf641496fbc9640598e1dca05f269b950b3ce8c10b198af0180684581e6dc194

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ndf8

Decoy


Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Xloader Payload 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 55 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Users\Admin\AppData\Local\Temp\loader4.exe
      "C:\Users\Admin\AppData\Local\Temp\loader4.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2460
      • C:\Users\Admin\AppData\Local\Temp\twwruwspfp.exe
        C:\Users\Admin\AppData\Local\Temp\twwruwspfp.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:740
        • C:\Users\Admin\AppData\Local\Temp\twwruwspfp.exe
          C:\Users\Admin\AppData\Local\Temp\twwruwspfp.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:648
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\twwruwspfp.exe"
        3⤵
          PID:828
    • C:\Windows\system32\MusNotifyIcon.exe
      %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
      1⤵
      • Checks processor information in registry
      PID:2300
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k NetworkService -p
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:4060
    • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
      C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
      1⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1828

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Discovery

    System Information Discovery

    2
    T1082

    Query Registry

    1
    T1012

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\puqyxao
      MD5

      0cccb3d3ec85f522fea9003131f138d8

      SHA1

      36963157e9e15060897a66454528b2d51ff5edab

      SHA256

      0321eb87cf5be1d4802819099986bb5fa020e238c808e078a82e813c815b79fe

      SHA512

      0ab908137ab532de23c15f7e8b39884359816708967b5c73ab0b97cb191ec8a2c0e21cd31180e5c59ee4632e5d43fc40cce8c484e9907dcb8535600d8144e880

    • C:\Users\Admin\AppData\Local\Temp\twwruwspfp.exe
      MD5

      73133e111e6aa23a59aae286f9c39fa4

      SHA1

      859ab7fdf5cf27e7b41bcfc6f3ef224c3f461278

      SHA256

      f67e0787d9af8915d51c45c47249d790695919171f2698d1b94ab31d7db34661

      SHA512

      6cde996a0e2094ebf5fa883fb8064ec9563f0dc05bef0a6b52154d554a9a6fd4fcd49a99adbb3d4245a6548da75eae7057759d9c057cc50f9cb485d6fd7fce78

    • C:\Users\Admin\AppData\Local\Temp\wjy7pi4nrswxf71xx
      MD5

      07d9a36fc28fec669f3faadcc3afb0cb

      SHA1

      759b5877bb4253463d1b9009367e25659ee33f2b

      SHA256

      9ae40010d4ca8121fdf6005ef4539f0fcc7aa7be94f674717757fad6908e06e2

      SHA512

      2228ea42ba63f8ecc66e0e5e29687e911bca430d449bae74389316a288fa4221200136aad7318d0cce38c8f9ff62672ff70063cae0ca73e3fe99fa9ba54094ed

    • memory/648-139-0x000000000041D000-0x000000000041E000-memory.dmp
      Filesize

      4KB

    • memory/648-137-0x0000000000A80000-0x0000000000DCA000-memory.dmp
      Filesize

      3.3MB

    • memory/648-138-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

    • memory/648-134-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

    • memory/648-140-0x00000000005D0000-0x00000000005E1000-memory.dmp
      Filesize

      68KB

    • memory/2440-141-0x0000000008250000-0x000000000836D000-memory.dmp
      Filesize

      1.1MB

    • memory/2440-146-0x00000000084F0000-0x0000000008655000-memory.dmp
      Filesize

      1.4MB

    • memory/2812-142-0x0000000000570000-0x00000000006AA000-memory.dmp
      Filesize

      1.2MB

    • memory/2812-143-0x0000000002760000-0x0000000002789000-memory.dmp
      Filesize

      164KB

    • memory/2812-144-0x00000000049D0000-0x0000000004D1A000-memory.dmp
      Filesize

      3.3MB

    • memory/2812-145-0x0000000004720000-0x00000000047B0000-memory.dmp
      Filesize

      576KB