Overview

overview

10

Static

static

Calendario...ti.exe

windows7_x64

5

Calendario...ti.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    156s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    21-02-2022 23:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Calendario dei pagamenti.exe

  • Size

    219KB

  • MD5

    1a02db6595fb5471a1d91a4f51897269

  • SHA1

    644069ab472309d4ecfca95de736dfb14676a776

  • SHA256

    dd9c6267a87c89067d157e28d6f3ca17f958871f3d403609ed72dad80514e226

  • SHA512

    ca86ca60343f96581c67ddaabd8553cfa030a1ae7cbedc0f05da403d972f7c2de9bf3048a0dbd43642c846f92f9c6f5b280f6537ef013a6d121fb70d72a2905d

Score
10/10
xloaderkio8loaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

kio8

Decoy

greeaircondition.com

thewilmingtonguide.com

cbluedotlivewdmall.com

globalcrime24.com

heightsplace.com

ghar.pro

asosbira.com

melolandia.com

velactun.com

erniesimms.com

nutbullet.com

drizzerstr.com

hnqym888.com

ghorowaseba.com

1317efoxchasedrive.info

stjudetroop623.com

facestaj.com

airpromaskaccessories.com

wolfetailors.com

56ohdc2016.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 51 IoCs
  • Suspicious behavior: EnumeratesProcesses 59 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Users\Admin\AppData\Local\Temp\Calendario dei pagamenti.exe
      "C:\Users\Admin\AppData\Local\Temp\Calendario dei pagamenti.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3324
      • C:\Users\Admin\AppData\Local\Temp\Calendario dei pagamenti.exe
        "C:\Users\Admin\AppData\Local\Temp\Calendario dei pagamenti.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3936
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3988
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Calendario dei pagamenti.exe"
        3⤵
          PID:1648
    • C:\Windows\system32\MusNotifyIcon.exe
      %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
      1⤵
      • Checks processor information in registry
      PID:3564
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k NetworkService -p
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:2200
    • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
      C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
      1⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:3768

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2412-134-0x00000000081F0000-0x00000000082A1000-memory.dmp
      Filesize

      708KB

      Download
    • memory/2412-139-0x00000000088B0000-0x00000000089CD000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/3324-130-0x00000000010FD000-0x0000000001100000-memory.dmp
      Filesize

      12KB

      Download
    • memory/3936-131-0x0000000000D90000-0x00000000010DA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/3936-132-0x00000000005C0000-0x00000000005E9000-memory.dmp
      Filesize

      164KB

      Download
    • memory/3936-133-0x00000000005F0000-0x0000000000600000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3988-135-0x00000000004E0000-0x000000000061A000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3988-136-0x00000000001B0000-0x00000000001D9000-memory.dmp
      Filesize

      164KB

      Download
    • memory/3988-137-0x0000000004580000-0x00000000048CA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/3988-138-0x00000000042B0000-0x000000000433F000-memory.dmp
      Filesize

      572KB

      Download