Overview

overview

10

Static

static

order conf...py.exe

windows7_x64

10

order conf...py.exe

windows10-2004_x64

7

Analysis

  • max time kernel
    150s
  • max time network
    160s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    22-02-2022 14:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    order confirmation payment copy.exe

  • Size

    29KB

  • MD5

    52b704a5b91990616f13578732a79b97

  • SHA1

    fd6c83a29b70dbe8fa9dbc5971ec03f403c5061e

  • SHA256

    678f04893ab76acac51db1dbfc38aa7b5bc442055e00d6f4dbc209e8d065b086

  • SHA512

    416fc722b9d7d327479666bbec60fe72117cdcf7eae58265004de483641c363601b6267a4c2367256d37a2498fd44ebe6ba675c642846a378b880cbd244c0056

Score
10/10
xloaderpo6rloaderpersistencerat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

po6r

Decoy

jnhuichuangxin.com

mubashir.art

extol.design

doyyindh.xyz

milanoautoexperts.com

4thefringe.com

453511.com

sellathonautocredit.com

velgian.com

6672pk.com

wodeluzhou.com

sumiyoshiku-hizaita.xyz

imoveldeprimeira.com

dgjssp.com

endokc.com

side-clicks.com

cashndashfinancial.com

vanhemelryck.info

agamitrading.com

woofgang.xyz

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1412
    • C:\Users\Admin\AppData\Local\Temp\order confirmation payment copy.exe
      "C:\Users\Admin\AppData\Local\Temp\order confirmation payment copy.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1796
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ping yahoo.com
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:584
        • C:\Windows\SysWOW64\PING.EXE
          ping yahoo.com
          4⤵
          • Runs ping.exe
          PID:872
      • C:\Users\Admin\AppData\Local\Temp\order confirmation payment copy.exe
        "C:\Users\Admin\AppData\Local\Temp\order confirmation payment copy.exe"
        3⤵
          PID:1188
        • C:\Users\Admin\AppData\Local\Temp\order confirmation payment copy.exe
          "C:\Users\Admin\AppData\Local\Temp\order confirmation payment copy.exe"
          3⤵
            PID:1212
          • C:\Users\Admin\AppData\Local\Temp\order confirmation payment copy.exe
            "C:\Users\Admin\AppData\Local\Temp\order confirmation payment copy.exe"
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:1084
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\SysWOW64\netsh.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1972

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1084-60-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

        Download
      • memory/1084-66-0x00000000001A0000-0x00000000001B1000-memory.dmp
        Filesize

        68KB

        Download
      • memory/1084-65-0x000000000041D000-0x000000000041E000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1084-64-0x0000000000910000-0x0000000000C13000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1084-62-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

        Download
      • memory/1084-61-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

        Download
      • memory/1412-67-0x0000000006F00000-0x0000000007034000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1412-72-0x0000000003E30000-0x0000000003F03000-memory.dmp
        Filesize

        844KB

        Download
      • memory/1796-59-0x00000000050A0000-0x00000000050EC000-memory.dmp
        Filesize

        304KB

        Download
      • memory/1796-58-0x000000000AF00000-0x000000000AFB6000-memory.dmp
        Filesize

        728KB

        Download
      • memory/1796-57-0x0000000004900000-0x0000000004901000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1796-56-0x0000000076491000-0x0000000076493000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1796-55-0x0000000074E4E000-0x0000000074E4F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1796-54-0x0000000000370000-0x000000000037C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/1972-68-0x0000000001110000-0x000000000112B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/1972-69-0x0000000000080000-0x00000000000A9000-memory.dmp
        Filesize

        164KB

        Download
      • memory/1972-70-0x0000000000B60000-0x0000000000E63000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1972-71-0x0000000000960000-0x00000000009F0000-memory.dmp
        Filesize

        576KB

        Download