Analysis
-
max time kernel
155s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
21-02-2022 22:21
General
-
Target
Invoice Payment Details.exe
-
Size
892KB
-
MD5
9570c6d8cef329a8984dc89ecc786c28
-
SHA1
f318481b2fa2cc222bb783974c917f7c2b352c8f
-
SHA256
a55e49e3dffd386fbe1b8cfdafb4bcca81264b48e1fa2f9d68a7b8b12ec2bc7e
-
SHA512
3f1a3827be7daa886136c039b22a91d8c577e18f651cb414a2f9ebae258e45772533f17253f58a600c05b1307ef618ec6dd49ceebc5128333f53f83068293251
Score
10/10
Malware Config
Extracted
Family
xloader
Version
2.3
Campaign
kio8
Decoy
greeaircondition.com
thewilmingtonguide.com
cbluedotlivewdmall.com
globalcrime24.com
heightsplace.com
ghar.pro
asosbira.com
melolandia.com
velactun.com
erniesimms.com
nutbullet.com
drizzerstr.com
hnqym888.com
ghorowaseba.com
1317efoxchasedrive.info
stjudetroop623.com
facestaj.com
airpromaskaccessories.com
wolfetailors.com
56ohdc2016.com
Signatures
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 3 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Windows directory 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Modifies data under HKEY_USERS 49 IoCs
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Invoice Payment Details.exe"C:\Users\Admin\AppData\Local\Temp\Invoice Payment Details.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Invoice Payment Details.exe"C:\Users\Admin\AppData\Local\Temp\Invoice Payment Details.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Invoice Payment Details.exe"C:\Users\Admin\AppData\Local\Temp\Invoice Payment Details.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Invoice Payment Details.exe"C:\Users\Admin\AppData\Local\Temp\Invoice Payment Details.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\autoconv.exe"C:\Windows\SysWOW64\autoconv.exe"2⤵
-
C:\Windows\SysWOW64\chkdsk.exe"C:\Windows\SysWOW64\chkdsk.exe"2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\Invoice Payment Details.exe"3⤵
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1720-149-0x0000000000D20000-0x0000000000D49000-memory.dmpFilesize
164KB
-
memory/1720-151-0x00000000056A0000-0x000000000572F000-memory.dmpFilesize
572KB
-
memory/1720-150-0x0000000005770000-0x0000000005ABA000-memory.dmpFilesize
3.3MB
-
memory/1720-148-0x0000000000E50000-0x0000000000E5A000-memory.dmpFilesize
40KB
-
memory/2324-146-0x0000000001180000-0x0000000001190000-memory.dmpFilesize
64KB
-
memory/2324-144-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2324-145-0x000000000041D000-0x000000000041E000-memory.dmpFilesize
4KB
-
memory/2324-142-0x0000000001120000-0x0000000001130000-memory.dmpFilesize
64KB
-
memory/2324-138-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2324-140-0x0000000001250000-0x000000000159A000-memory.dmpFilesize
3.3MB
-
memory/2324-141-0x000000000041D000-0x000000000041E000-memory.dmpFilesize
4KB
-
memory/2372-137-0x0000000005760000-0x0000000005761000-memory.dmpFilesize
4KB
-
memory/2372-135-0x0000000005750000-0x000000000575A000-memory.dmpFilesize
40KB
-
memory/2372-136-0x00000000058C0000-0x0000000005916000-memory.dmpFilesize
344KB
-
memory/2372-130-0x00000000748CE000-0x00000000748CF000-memory.dmpFilesize
4KB
-
memory/2372-134-0x0000000005820000-0x00000000058B2000-memory.dmpFilesize
584KB
-
memory/2372-133-0x0000000005D30000-0x00000000062D4000-memory.dmpFilesize
5.6MB
-
memory/2372-132-0x0000000005640000-0x00000000056DC000-memory.dmpFilesize
624KB
-
memory/2372-131-0x0000000000C40000-0x0000000000D24000-memory.dmpFilesize
912KB
-
memory/2412-143-0x00000000084A0000-0x00000000085DA000-memory.dmpFilesize
1.2MB
-
memory/2412-147-0x0000000008D20000-0x0000000008E4C000-memory.dmpFilesize
1.2MB
-
memory/2412-152-0x0000000009250000-0x00000000093DC000-memory.dmpFilesize
1.5MB