Overview

overview

10

Static

static

1

Order-8261...df.exe

windows7_x64

10

Order-8261...df.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    170s
  • max time network
    185s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    17-02-2022 07:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Order-826141730-pdf.exe

  • Size

    289KB

  • MD5

    8a43982e93e888387968e03fafb14fd1

  • SHA1

    6328f5db0bd9a28dcfb71b936c6835c375299551

  • SHA256

    6cd98e5cee60f33ca33f4e49d5f230feb6152510230abd25f8b5beab47e2afec

  • SHA512

    68e5b99a36934d0afc494c18607731b146e069b431c210684016b21c48db3b1c3c876084a3641a0a7a59b01fce1c28d9e9210a55666cb62a24170e45b204d113

Score
10/10
xloaderuar3loaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

uar3

Decoy

sgadvocats.com

mjscannabus.com

hilldaley.com

ksdollhouse.com

hotgiftboutique.com

purebloodsmeet.com

relaunched.info

cap-glove.com

productcollection.store

fulikyy.xyz

remoteaviationjobs.com

bestcleancrystal.com

virtualorganizationpartner.com

bookgocar.com

hattuafhv.quest

makonigroup.com

officecom-myaccount.com

malgorzata-lac.com

e-learningeducators.com

hygilaur.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 3 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 49 IoCs
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2456
    • C:\Users\Admin\AppData\Local\Temp\Order-826141730-pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Order-826141730-pdf.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3808
      • C:\Users\Admin\AppData\Local\Temp\luficfbm.exe
        C:\Users\Admin\AppData\Local\Temp\luficfbm.exe C:\Users\Admin\AppData\Local\Temp\mtuwtwg
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:640
        • C:\Users\Admin\AppData\Local\Temp\luficfbm.exe
          C:\Users\Admin\AppData\Local\Temp\luficfbm.exe C:\Users\Admin\AppData\Local\Temp\mtuwtwg
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1220
    • C:\Windows\SysWOW64\colorcpl.exe
      "C:\Windows\SysWOW64\colorcpl.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3820
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\luficfbm.exe"
        3⤵
          PID:3900
    • C:\Windows\system32\MusNotifyIcon.exe
      %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
      1⤵
      • Checks processor information in registry
      PID:4040
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k NetworkService -p
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:3544
    • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
      C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
      1⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2844

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    2
    T1082

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\luficfbm.exe
      MD5

      4af5b3b1cd041ab843382f93ad6c2789

      SHA1

      9759a4fce91218ff80001013c7cf9e30d4314f39

      SHA256

      16c24c9af6ea42b6922724eeaf4041f828d873385c5311487038c3717fc299e2

      SHA512

      a0ea24ed5ee97c33b46158986120c053b0fecda7b06585c4d3a77aebbf784af3d2f17a3a0e1675654c94d5684cd9efb8fbb207dd8e8cc4b71765c409e0262f94

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\luficfbm.exe
      MD5

      4af5b3b1cd041ab843382f93ad6c2789

      SHA1

      9759a4fce91218ff80001013c7cf9e30d4314f39

      SHA256

      16c24c9af6ea42b6922724eeaf4041f828d873385c5311487038c3717fc299e2

      SHA512

      a0ea24ed5ee97c33b46158986120c053b0fecda7b06585c4d3a77aebbf784af3d2f17a3a0e1675654c94d5684cd9efb8fbb207dd8e8cc4b71765c409e0262f94

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\luficfbm.exe
      MD5

      4af5b3b1cd041ab843382f93ad6c2789

      SHA1

      9759a4fce91218ff80001013c7cf9e30d4314f39

      SHA256

      16c24c9af6ea42b6922724eeaf4041f828d873385c5311487038c3717fc299e2

      SHA512

      a0ea24ed5ee97c33b46158986120c053b0fecda7b06585c4d3a77aebbf784af3d2f17a3a0e1675654c94d5684cd9efb8fbb207dd8e8cc4b71765c409e0262f94

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\mtuwtwg
      MD5

      931fd4faa392ee85e6ed59c5e06f7f8b

      SHA1

      ab429dd4705545aa185c4df3dfce804dd7dcb70c

      SHA256

      d0a32dc4668f9040fea078eb8a193bddf98eae674432cbaeb6815a9c84002c97

      SHA512

      0c31e3ccdc4c9a9ce4b6e1478a6d2c162a6973a622efbd750d1986b54502299d54562582660975872ef1388361230194dc5270f9c2e0d32192dca2ac92c52e69

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\yib77mookzpru4zy99d3
      MD5

      9f97f3b2bc9603438f9ba0151c38c7b3

      SHA1

      ea9b86f66c0d796ddb8cb02077855e06a749d07c

      SHA256

      e26b5dbc7d4d377e67c7bcf76e36cca9d3e40c38c72682b939ef79532200b385

      SHA512

      b480ec729c98ebe9274651e04bd6444a09b7e5307450532e66e51884a0436970e702161aa922ad0e2c05a03aa7c1209abbbebe721b75388d1f075a4a847b675c

      Download Submit
    • memory/1220-138-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1220-137-0x00000000009B0000-0x0000000000CFA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/1220-139-0x000000000041D000-0x000000000041E000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1220-134-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1220-140-0x00000000006D0000-0x00000000006E1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/2456-141-0x0000000008BF0000-0x0000000008D09000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/2456-146-0x0000000008DF0000-0x0000000008EF5000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/3820-142-0x0000000000B20000-0x0000000000B39000-memory.dmp
      Filesize

      100KB

      Download
    • memory/3820-143-0x00000000003C0000-0x00000000003E9000-memory.dmp
      Filesize

      164KB

      Download
    • memory/3820-144-0x00000000044F0000-0x000000000483A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/3820-145-0x00000000043C0000-0x0000000004450000-memory.dmp
      Filesize

      576KB

      Download