Overview

overview

10

Static

static

1

CTMARRANGEMENT.exe

windows7_x64

10

CTMARRANGEMENT.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    198s
  • max time network
    208s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    19-02-2022 08:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CTMARRANGEMENT.exe

  • Size

    241KB

  • MD5

    b2f8226c665cc2d96fce6e8e1dff44bb

  • SHA1

    e4e99b9b85d1c957e684054cc44c4d4ab6816398

  • SHA256

    b5d3ff4b7af5cdc828b2c6d23177a5c85e7aea720b01be458ed979ce16a48d02

  • SHA512

    6ddd7dbb1359dff4461cf967cee483ecd5fc547a6b8ee7e3720d4eba53898ff57fcd8ad6630d334fe424dd430a5a8c68a7f09b8b3a0e46e40defceb8f95050a8

Score
10/10
xloaderu6vbloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

u6vb

Decoy

blendedmatter.com

piquinmarketing.com

dubkirelax.online

optimumotoaksesuar.com

bendisle.com

islamicgeometricpatterns.net

cheesebox.online

lh-coaching.com

buildingmaterial.info

backwoods72.com

goodtreetee.com

zknqqpvsypx.mobi

phukienstreaming.com

turkistick.com

cbd-shop-portugal.com

imherllc.com

krallechols.quest

ttmmb.com

pornmodelsworld.com

weakyummy.space

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 49 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2308
    • C:\Users\Admin\AppData\Local\Temp\CTMARRANGEMENT.exe
      "C:\Users\Admin\AppData\Local\Temp\CTMARRANGEMENT.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4088
      • C:\Users\Admin\AppData\Local\Temp\CTMARRANGEMENT.exe
        "C:\Users\Admin\AppData\Local\Temp\CTMARRANGEMENT.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1780
    • C:\Windows\SysWOW64\chkdsk.exe
      "C:\Windows\SysWOW64\chkdsk.exe"
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:460
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\CTMARRANGEMENT.exe"
        3⤵
          PID:2452
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k NetworkService -p
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:2872

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    2
    T1082

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\nsjCE9B.tmp\motkbxlalna.dll
      MD5

      8ef2346d93874e3817a0884d963244bf

      SHA1

      65ee37be6eef3f9b1be9011a5a6b502147270833

      SHA256

      603e899639d21b1bf894843ceec38af6aa307f67564e2bffaf94891a0c0c27b9

      SHA512

      9efbe25b97117e5b38a905fc38e9503b93cb5e62db9599a0c257242a5d64d38165842fce7ba4d85dba54a18468ef1cfcaa0cfb8776bcc3c0694b7914a6bf1dae

      Download Submit
    • memory/460-139-0x0000000005660000-0x00000000059AA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/460-138-0x0000000000600000-0x000000000060A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/460-140-0x0000000004B90000-0x0000000004BB9000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1780-131-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1780-135-0x000000000041D000-0x000000000041E000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1780-134-0x0000000000AF0000-0x0000000000E3A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/1780-136-0x00000000005E0000-0x00000000005F1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/2308-137-0x0000000008FF0000-0x000000000910C000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/4088-132-0x00000000009D0000-0x00000000009D2000-memory.dmp
      Filesize

      8KB

      Download