Analysis

  • max time kernel
    177s
  • max time network
    185s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    11-03-2022 02:15

General

  • Target

    triage_dropped_file.exe

  • Size

    308KB

  • MD5

    e41def555743c430d0def4a513de4d96

  • SHA1

    7c90a41062f1f867a1ae0bdeb1d37ca72cd2b95e

  • SHA256

    1190df73979f3dc768713f51fcf6e2eb439b95caf7c4a2b998c377ea5a35e9d5

  • SHA512

    331add20592a9cd8336bc902fe0f4934f6b50866904eb60f4cc3e6046c5edf8d29b5e901cc37f1619ffed9ae83201bbb93d165297ba41dda655b533870e722b6

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ahc8

Decoy

192451.com

wwwripostes.net

sirikhalsalaw.com

bitterbaybay.com

stella-scrubs.com

almanecermezcal.com

goodgood.online

translate-now.online

sincerefilm.com

quadrantforensics.com

johnfrenchart.com

plick-click.com

alnileen.com

tghi.xyz

172711.com

maymakita.com

punnyaseva.com

ukash-online.com

sho-yururi-blog.com

hebergement-solidaire.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Xloader Payload 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Triage attaches the "likely ransomware behaviour" note to this TTP generically; no other signature in this report points to file encryption, and for an Xloader/Formbook stealer drive enumeration is better read as host profiling than as a ransomware indicator.

  • Gathers network information 2 TTPs 1 IoCs

    Uses a command-line utility to view network configuration. Read this together with the process tree: ipconfig.exe is started from Explorer with a bare, argument-less command line and itself carries the SetThreadContext, MapViewOfSection and WriteProcessMemory hits, so in this run it is the host process the payload migrates into rather than a genuine network query.

  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2712
    • C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe
      "C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:824
      • C:\Users\Admin\AppData\Local\Temp\bifhcp.exe
        C:\Users\Admin\AppData\Local\Temp\bifhcp.exe C:\Users\Admin\AppData\Local\Temp\xvipmw
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1316
        • C:\Users\Admin\AppData\Local\Temp\bifhcp.exe
          C:\Users\Admin\AppData\Local\Temp\bifhcp.exe C:\Users\Admin\AppData\Local\Temp\xvipmw
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1852
    • C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\SysWOW64\ipconfig.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Gathers network information
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4696
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\bifhcp.exe"
        3⤵
          PID:1680
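    The tree above shows the two Formbook/Xloader staging patterns: the dropped bifhcp.exe re-launches itself with an identical command line (the child is created suspended and overwritten, hence the SetThreadContext and WriteProcessMemory hits), and a SysWOW64 utility (ipconfig.exe) appears under Explorer with a bare quoted command line whose only child is cmd.exe deleting the dropper. The following Python is an added example, not part of the Triage report: it transcribes the tree into process-creation events in an assumed EDR-style schema (pid, ppid, image, cmdline) and runs both heuristics over them.

```python
"""Two process-tree heuristics for the injection pattern in this report.
Events are transcribed from the report's Processes section; the event
schema (pid/ppid/image/cmdline) is an assumption, not a Triage export."""

from dataclasses import dataclass
import ntpath
import re


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# PIDs, images and command lines as shown in the report's process tree.
EVENTS = [
    ProcEvent(2712, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(824, 2712, r"C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe"'),
    ProcEvent(1316, 824, r"C:\Users\Admin\AppData\Local\Temp\bifhcp.exe",
              r"C:\Users\Admin\AppData\Local\Temp\bifhcp.exe C:\Users\Admin\AppData\Local\Temp\xvipmw"),
    ProcEvent(1852, 1316, r"C:\Users\Admin\AppData\Local\Temp\bifhcp.exe",
              r"C:\Users\Admin\AppData\Local\Temp\bifhcp.exe C:\Users\Admin\AppData\Local\Temp\xvipmw"),
    ProcEvent(4696, 2712, r"C:\Windows\SysWOW64\ipconfig.exe", r'"C:\Windows\SysWOW64\ipconfig.exe"'),
    ProcEvent(1680, 4696, r"C:\Windows\SysWOW64\cmd.exe",
              r'/c del "C:\Users\Admin\AppData\Local\Temp\bifhcp.exe"'),
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SYS_RE = re.compile(r"\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)
DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+\.exe)"?', re.IGNORECASE)


def self_relaunch(events):
    """PIDs of children whose image and full command line equal the parent's,
    with the image under %TEMP%: the hollowing stage re-running itself."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        p = by_pid.get(e.ppid)
        if (p and TEMP_RE.search(e.image)
                and e.image.lower() == p.image.lower()
                and e.cmdline == p.cmdline):
            hits.append(e.pid)
    return hits


def lolbin_migration(events):
    """(lolbin_pid, deleted_path) where a System32/SysWOW64 binary started by
    explorer.exe with no arguments has a cmd.exe child deleting a Temp EXE."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e.image).lower() != "cmd.exe":
            continue
        m = DEL_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if not (m and parent and TEMP_RE.search(m.group(1))):
            continue
        grandparent = by_pid.get(parent.ppid)
        bare_cmdline = parent.cmdline.strip('"').lower() == parent.image.lower()
        if (grandparent and ntpath.basename(grandparent.image).lower() == "explorer.exe"
                and bare_cmdline and SYS_RE.search(parent.image)):
            hits.append((parent.pid, m.group(1)))
    return hits


if __name__ == "__main__":
    print("self relaunch (hollowing):", self_relaunch(EVENTS))
    print("LOLBin migration + self-delete:", lolbin_migration(EVENTS))
```

    On this tree the first heuristic flags PID 1852 and the second flags ipconfig.exe (PID 4696) with the deleted dropper path. Both are structural, so they survive the per-run randomisation of the dropped file name (bifhcp.exe here) and of the PIDs.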

    Network

    MITRE ATT&CK Matrix (ATT&CK v6)

      • Execution: Command-Line Interface, T1059 (1)
      • Discovery: System Information Discovery, T1082 (2)

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\8uvc6tb2cw52
      MD5

      ad8694bf41f9cbbb4d8e671a3ce0612a

      SHA1

      60b8f572210e8112f04d165b515bd63a2eefaebc

      SHA256

      f12abecd7d300f5e0077a910f46adff553a2f3d5492cc076443345ea5c038239

      SHA512

      10c9214615a73582dda0c288d297eacbc9c655977a6a6f01b78f5d0c1c2d748a0cecaf5ce08a54de75baee760629de6c77b81d2647e6c7a22465d844142be478

    • C:\Users\Admin\AppData\Local\Temp\bifhcp.exe
      MD5

      40025a502304d446b8e53205991b96c1

      SHA1

      652b3f88b0521c3abd88290c5d69049e7486312c

      SHA256

      ac6b87cea22911ecafab82748a03eab9d0ea2cfe669191cfbc61c446af809655

      SHA512

      042fb40d8d10657023cdd344f515944ae6b9df644ebe4bf6bf6ed326f0f37d88a7f09a134dc969fc29a727b997c1ee0b06ad15c02f1af0180c4cec5901eefca2

    • C:\Users\Admin\AppData\Local\Temp\xvipmw
      MD5

      da749731ed6579052c657302b892b44b

      SHA1

      7da4156af0f1e9ef397e836e9f7a75e90bce1a07

      SHA256

      c39222c6207fd53f6836e1dd1726f4d2f3f76622208b8113ce23fcb22cb88470

      SHA512

      e05b3dbd36daabc99edccbee11e31b3cc645b04f41226e2fb1c5772342e47240383d63564955ef35fa5b530e4b404af041f89836ad4ebea8b5c3d65fa3687d92

    • memory/1316-134-0x0000000000CD0000-0x0000000000CD2000-memory.dmp
      Filesize

      8KB

    • memory/1852-141-0x0000000000F50000-0x0000000000F61000-memory.dmp
      Filesize

      68KB

    • memory/1852-144-0x0000000001470000-0x0000000001481000-memory.dmp
      Filesize

      68KB

    • memory/1852-139-0x000000000041D000-0x000000000041E000-memory.dmp
      Filesize

      4KB

    • memory/1852-138-0x0000000000FB0000-0x00000000012FA000-memory.dmp
      Filesize

      3.3MB

    • memory/1852-135-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

    • memory/1852-142-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

    • memory/1852-143-0x000000000041D000-0x000000000041E000-memory.dmp
      Filesize

      4KB

    • memory/2712-140-0x0000000002AB0000-0x0000000002BF5000-memory.dmp
      Filesize

      1.3MB

    • memory/2712-145-0x0000000007C30000-0x0000000007D7B000-memory.dmp
      Filesize

      1.3MB

    • memory/2712-150-0x0000000002DC0000-0x0000000002E78000-memory.dmp
      Filesize

      736KB

    • memory/4696-146-0x0000000000340000-0x000000000034B000-memory.dmp
      Filesize

      44KB

    • memory/4696-147-0x0000000000210000-0x0000000000239000-memory.dmp
      Filesize

      164KB

    • memory/4696-148-0x0000000000BF0000-0x0000000000F3A000-memory.dmp
      Filesize

      3.3MB

    • memory/4696-149-0x0000000000A20000-0x0000000000AB0000-memory.dmp
      Filesize

      576KB
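    The memory dump labels above encode PID, sequence number and address range, so the exact size of each region can be recovered and compared across processes. A region of identical exact size in two different PIDs, together with the 0x400000 image base in the hollowed bifhcp.exe, is consistent with the same payload image being mapped first into bifhcp.exe (PID 1852) and then into ipconfig.exe (PID 4696). The following Python is an added example, not part of the Triage report; the labels are copied from this page and the 0x400000 image-base check is a heuristic, not a Triage field.

```python
"""Correlate sandbox memory dumps by exact region size across PIDs.
Labels are the ones listed in this report's Downloads section."""

import re
from collections import defaultdict

DUMPS = [
    "memory/1316-134-0x0000000000CD0000-0x0000000000CD2000-memory.dmp",
    "memory/1852-141-0x0000000000F50000-0x0000000000F61000-memory.dmp",
    "memory/1852-144-0x0000000001470000-0x0000000001481000-memory.dmp",
    "memory/1852-139-0x000000000041D000-0x000000000041E000-memory.dmp",
    "memory/1852-138-0x0000000000FB0000-0x00000000012FA000-memory.dmp",
    "memory/1852-135-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/1852-142-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/1852-143-0x000000000041D000-0x000000000041E000-memory.dmp",
    "memory/2712-140-0x0000000002AB0000-0x0000000002BF5000-memory.dmp",
    "memory/2712-145-0x0000000007C30000-0x0000000007D7B000-memory.dmp",
    "memory/2712-150-0x0000000002DC0000-0x0000000002E78000-memory.dmp",
    "memory/4696-146-0x0000000000340000-0x000000000034B000-memory.dmp",
    "memory/4696-147-0x0000000000210000-0x0000000000239000-memory.dmp",
    "memory/4696-148-0x0000000000BF0000-0x0000000000F3A000-memory.dmp",
    "memory/4696-149-0x0000000000A20000-0x0000000000AB0000-memory.dmp",
]

LABEL_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_dump(label):
    """-> (pid, seq, start, end) with addresses as ints, or None if the
    label does not follow the memory/<pid>-<seq>-<start>-<end> pattern."""
    m = LABEL_RE.fullmatch(label)
    if not m:
        return None
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def region_size(label):
    """Exact byte length of the dumped region (the report only shows it rounded)."""
    r = parse_dump(label)
    return r[3] - r[2] if r else None


def shared_sizes(labels):
    """{size: sorted PIDs} for exact sizes that occur in more than one PID."""
    pids = defaultdict(set)
    for label in labels:
        r = parse_dump(label)
        if r:
            pids[r[3] - r[2]].add(r[0])
    return {size: sorted(p) for size, p in pids.items() if len(p) > 1}


def default_image_base_regions(labels):
    """Dumps starting at 0x400000, the classic PE image base; in a hollowed
    process that is where the replaced image lands (heuristic)."""
    hits = []
    for label in labels:
        r = parse_dump(label)
        if r and r[2] == 0x400000:
            hits.append(label)
    return hits


if __name__ == "__main__":
    for size, pids in shared_sizes(DUMPS).items():
        print(f"{size:#x} ({size // 1024} KB) appears in PIDs {pids}")
    print("0x400000-based dumps:", default_image_base_regions(DUMPS))
```

    Two exact sizes recur: 0x29000 (164 KB) and 0x34A000 (3.3 MB), each present in both PID 1852 and PID 4696 and in no other process, while the 164 KB region sits at 0x400000 only in bifhcp.exe. The Explorer (2712) regions are both reported as 1.3 MB but differ in exact size, which is why the comparison is on the raw hex range rather than the rounded figure.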