Overview

overview

10

Static

static

Purchase O...43.exe

windows7_x64

10

Purchase O...43.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    18-02-2022 06:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase Order FEB22_76543.exe

  • Size

    600KB

  • MD5

    939ab865c8b7be3fdfaf765139a62f02

  • SHA1

    fbe936019b2596e65ff25cb46abdb0f48fa93464

  • SHA256

    c0a5470477f1ef65286a66e14b46c02b71c41eabc473b9885fbe7911844d90b7

  • SHA512

    cf170932a7a1f57ea6e8e708bb28ec5c2487a40215b777a9cf6f653ebf3d75f32e95d00991de25d013fc3c7faa8ce5b13fbdbaeb12b8e752d808107e7695f763

Score
10/10
xloaderzqzwloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

zqzw

Decoy

laurentmathieu.com

nohohonndana.com

hhmc.info

shophallows.com

blazebunk.com

goodbridge.xyz

flakycloud.com

bakermckenziegroups.com

formation-adistance.com

lovingearthbotanicals.com

tbrservice.plus

heritagehousehotels.com

drwbuildersco.com

lacsghb.com

wain3x.com

dadreview.club

continiutycp.com

cockgirls.com

48mpt.xyz

033skz.xyz

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 51 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2456
    • C:\Users\Admin\AppData\Local\Temp\Purchase Order FEB22_76543.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase Order FEB22_76543.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3572
      • C:\Users\Admin\AppData\Local\Temp\Purchase Order FEB22_76543.exe
        "{path}"
        3⤵
          PID:2568
        • C:\Users\Admin\AppData\Local\Temp\Purchase Order FEB22_76543.exe
          "{path}"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          PID:3164
      • C:\Windows\SysWOW64\cmstp.exe
        "C:\Windows\SysWOW64\cmstp.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2500
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\Purchase Order FEB22_76543.exe"
          3⤵
            PID:912
      • C:\Windows\system32\MusNotifyIcon.exe
        %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
        1⤵
        • Checks processor information in registry
        PID:2252
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k NetworkService -p
        1⤵
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        PID:8
      • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
        C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
        1⤵
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:3012

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2456-143-0x0000000008EF0000-0x0000000008FF4000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/2456-148-0x0000000008B60000-0x0000000008CA8000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2500-147-0x0000000004660000-0x00000000046F0000-memory.dmp
        Filesize

        576KB

        Download
      • memory/2500-146-0x0000000002840000-0x0000000002869000-memory.dmp
        Filesize

        164KB

        Download
      • memory/2500-145-0x0000000004730000-0x0000000004A7A000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/2500-144-0x00000000003D0000-0x00000000003E6000-memory.dmp
        Filesize

        88KB

        Download
      • memory/3164-139-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

        Download
      • memory/3164-137-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

        Download
      • memory/3164-140-0x00000000017D0000-0x0000000001B1A000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/3164-141-0x000000000041D000-0x000000000041E000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3164-142-0x0000000001C30000-0x0000000001C41000-memory.dmp
        Filesize

        68KB

        Download
      • memory/3572-130-0x000000007536E000-0x000000007536F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3572-136-0x0000000004AC0000-0x0000000004ACA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/3572-135-0x0000000004E20000-0x0000000004E21000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3572-134-0x0000000004BC0000-0x0000000004C5C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/3572-133-0x0000000004B20000-0x0000000004BB2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/3572-132-0x00000000050D0000-0x0000000005674000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/3572-131-0x0000000000090000-0x000000000012C000-memory.dmp
        Filesize

        624KB

        Download