Overview

overview

10

Static

static

1

RECEIPT 02...52.exe

windows7_x64

10

RECEIPT 02...52.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    155s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    01-03-2022 11:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RECEIPT 0266255252.exe

  • Size

    300KB

  • MD5

    c7012ce63b4ed9e49bf7be48fc27beae

  • SHA1

    8c91c8e2a90b9e9b3d3dde1fb32e02e5de5dd347

  • SHA256

    b3babb49432b3d09adbf7e79dfb2fe84f4d417ad394ccd59412c9e083a42a673

  • SHA512

    6ded1f1974ace78c102fc60e65cef89b664860edd87938af9efa1b4574de43667b614fbc19f49fae2d018180a2a706181982179193bba5c5ccac565758ee2e60

Score
10/10
xloaderrmfgloaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

rmfg

Decoy

prospectcompounding.com

grand-prix.voyage

solvingpklogc.xyz

eliamhome.com

gamevip88.club

arsels.info

dswlt.com

dchehe.com

lawyerjerusalem.com

pbnseo.xyz

apuryifuid.com

kiukiupoker88.net

leannonimpact.com

kare-furniture.com

mississaugaremax.online

zpyh198.com

dueplay.store

naimi.ltd

greenstepspodiatry.com

cewirtanen.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 2 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1164
    • C:\Users\Admin\AppData\Local\Temp\RECEIPT 0266255252.exe
      "C:\Users\Admin\AppData\Local\Temp\RECEIPT 0266255252.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4920
      • C:\Users\Admin\AppData\Local\Temp\etesfm.exe
        C:\Users\Admin\AppData\Local\Temp\etesfm.exe C:\Users\Admin\AppData\Local\Temp\vzyiso
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3292
        • C:\Users\Admin\AppData\Local\Temp\etesfm.exe
          C:\Users\Admin\AppData\Local\Temp\etesfm.exe C:\Users\Admin\AppData\Local\Temp\vzyiso
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:4896
    • C:\Windows\SysWOW64\colorcpl.exe
      "C:\Windows\SysWOW64\colorcpl.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4908
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\etesfm.exe"
        3⤵
          PID:4660

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\etesfm.exe
      MD5

      12ba701928ac0c5894000dedc1213151

      SHA1

      eab2734cb14c0aedd4689b502c854869eb9e97d3

      SHA256

      31422622c217fe7978d0c5c8878a990a9288b80a796c4f3274e92ebf08005f4d

      SHA512

      1aca194f0f0905d470215745cd113b111345ba2330177cb59659db8d714dc2b65b780086f4586e6b908e2549bd079e7c5d20714ff35052fdcf6098c058aafb5a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\etesfm.exe
      MD5

      12ba701928ac0c5894000dedc1213151

      SHA1

      eab2734cb14c0aedd4689b502c854869eb9e97d3

      SHA256

      31422622c217fe7978d0c5c8878a990a9288b80a796c4f3274e92ebf08005f4d

      SHA512

      1aca194f0f0905d470215745cd113b111345ba2330177cb59659db8d714dc2b65b780086f4586e6b908e2549bd079e7c5d20714ff35052fdcf6098c058aafb5a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\etesfm.exe
      MD5

      12ba701928ac0c5894000dedc1213151

      SHA1

      eab2734cb14c0aedd4689b502c854869eb9e97d3

      SHA256

      31422622c217fe7978d0c5c8878a990a9288b80a796c4f3274e92ebf08005f4d

      SHA512

      1aca194f0f0905d470215745cd113b111345ba2330177cb59659db8d714dc2b65b780086f4586e6b908e2549bd079e7c5d20714ff35052fdcf6098c058aafb5a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\hg1xt3velopl8
      MD5

      f940151ae73b4a19450f1214d210fbb8

      SHA1

      c45702b0676bc18a792c217f6b804fecf0487836

      SHA256

      6e0e27ead911c2ec1fb0c30cdbad40bea1d7e90bedb3d74e3cd6d7f6ff0f430a

      SHA512

      d1911faa1088dbdf19971580dab118cca1e4ce28ec061fb7f49c2e9cfaeb67e7fbc7abcac824f36b0724a95fd204fff24b2c892e9ef81ede8b8c80c60ecf5f77

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\vzyiso
      MD5

      ca93353f618e990d0c4ac5c3007abfdd

      SHA1

      4a52063da3beb1ddf89f8d91e5bc7fd9c80a2fa9

      SHA256

      c8a49296632cae0607c345427b99fc44dfa1d90e6524bbfa8249acfeafe386dd

      SHA512

      36fcf63cee72aa2525981281d64bfc641eb4564a48f9cebb4c120a36efb79522869f3890f89839d4e456b29d324bbed6db8d0d0e2dc3d7ac8d9ce5be5e0041db

      Download Submit
    • memory/1164-140-0x0000000008E30000-0x0000000008F8C000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1164-145-0x0000000008B20000-0x0000000008C00000-memory.dmp
      Filesize

      896KB

      Download
    • memory/4896-138-0x000000000041D000-0x000000000041E000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4896-137-0x0000000000BD0000-0x0000000000F1A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4896-139-0x00000000005C0000-0x00000000005D1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/4896-134-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/4908-141-0x00000000005F0000-0x0000000000609000-memory.dmp
      Filesize

      100KB

      Download
    • memory/4908-142-0x00000000006B0000-0x00000000006D9000-memory.dmp
      Filesize

      164KB

      Download
    • memory/4908-143-0x0000000002970000-0x0000000002CBA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4908-144-0x00000000026A0000-0x0000000002730000-memory.dmp
      Filesize

      576KB

      Download