Overview

overview

10

Static

static

1

factura kt...17.exe

windows7_x64

10

factura kt...17.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    155s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220310-en
  • submitted
    18-03-2022 16:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    factura kts 770417.exe

  • Size

    304KB

  • MD5

    dcedadc9e7ab6c8b55aba9a69f0ad589

  • SHA1

    50e3e95a0823484c7729fc42250e310342335551

  • SHA256

    a3722866259ff0b2d2578842e1b1667e17f597c274544bb6e02f24b91cb4dbd4

  • SHA512

    5b7965c65482da6a20e9648b3994e7e4756d75655c5b49a3394277db023fc72cf4e92531cfb3a153c0ae1592b80b84640239e3723334014c24e2d0705df19f1c

Score
10/10
xloadercbgoloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

cbgo

Decoy

santesha.com

britneysbeautybar.com

sh-cy17.com

jeffcarveragency.com

3117111.com

sobrehosting.net

ddm123.xyz

toxcompliance.com

auditorydesigns.com

vliftfacial.com

ielhii.com

naameliss.com

ritualchariot.com

solchange.com

quatre-vingts.design

lawnmowermashine.com

braceletsstore.net

admappy.com

tollivercoltd.com

vaidix.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:688
    • C:\Users\Admin\AppData\Local\Temp\factura kts 770417.exe
      "C:\Users\Admin\AppData\Local\Temp\factura kts 770417.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5088
      • C:\Users\Admin\AppData\Local\Temp\ericguhfpj.exe
        C:\Users\Admin\AppData\Local\Temp\ericguhfpj.exe C:\Users\Admin\AppData\Local\Temp\eqsdwpl
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2324
        • C:\Users\Admin\AppData\Local\Temp\ericguhfpj.exe
          C:\Users\Admin\AppData\Local\Temp\ericguhfpj.exe C:\Users\Admin\AppData\Local\Temp\eqsdwpl
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1888
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\ericguhfpj.exe"
        3⤵
          PID:3528

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\dp5ruz5jjg2zl3aaxx
      MD5

      0cb58837f8940ea4573b23d4a1398a63

      SHA1

      2ca3429d60c566358f49ff930a4777b6decf18b1

      SHA256

      a9e91b74e5ad16d878fd0ccf1dc6234f44b96f47d9cfcc8d7a4cc06c46575d63

      SHA512

      16ebfaf2c2079d361610400dc3bc2e62cf287323fe6760790abc70b4a29e988172349878659613c7ad94fa9ddf21d0a3bbe0ffacaad9ca5e1fb3d048ef554b1c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\eqsdwpl
      MD5

      7517db1c67287f92e41d360adec941d4

      SHA1

      88018bc6214f91f4f2f48cdf5efa7ac0ba21f6c7

      SHA256

      96ba2fe6c460e6e8baf9c02350eddb662baaa6ce02d21769384ecd82ffd2cf0a

      SHA512

      fbe49c8c750bbf86220f1746e8c79cef5fa814453f35f4faff081372939c64be4afa96deb0ce85cbdb41c47fecf67e2814adbc558ac2dfc3e6cf8f6dafa85f7f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ericguhfpj.exe
      MD5

      25a662263939ed5c436ebcabe7c01ece

      SHA1

      b6bffae40f91249c2fa2668e6dc2bbe3ade65f20

      SHA256

      ef83946c30ca5b78ae2a0748c2baf78b0e0cd589c4a688238f7f47251aff74f6

      SHA512

      35c17c76254f954bbde735b7bda08e11a923800e1036b079a7ed4b108931a0243c265ad8ebd34120f29fe0cb4f03f9f3a6a205dcbb0db0127be9116622aa2f79

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ericguhfpj.exe
      MD5

      25a662263939ed5c436ebcabe7c01ece

      SHA1

      b6bffae40f91249c2fa2668e6dc2bbe3ade65f20

      SHA256

      ef83946c30ca5b78ae2a0748c2baf78b0e0cd589c4a688238f7f47251aff74f6

      SHA512

      35c17c76254f954bbde735b7bda08e11a923800e1036b079a7ed4b108931a0243c265ad8ebd34120f29fe0cb4f03f9f3a6a205dcbb0db0127be9116622aa2f79

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ericguhfpj.exe
      MD5

      25a662263939ed5c436ebcabe7c01ece

      SHA1

      b6bffae40f91249c2fa2668e6dc2bbe3ade65f20

      SHA256

      ef83946c30ca5b78ae2a0748c2baf78b0e0cd589c4a688238f7f47251aff74f6

      SHA512

      35c17c76254f954bbde735b7bda08e11a923800e1036b079a7ed4b108931a0243c265ad8ebd34120f29fe0cb4f03f9f3a6a205dcbb0db0127be9116622aa2f79

      Download Submit
    • memory/688-144-0x00000000085E0000-0x00000000086C5000-memory.dmp
      Filesize

      916KB

      Download
    • memory/688-149-0x00000000086D0000-0x000000000883F000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1888-140-0x00000000014D0000-0x000000000181A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/1888-142-0x000000000041D000-0x000000000041E000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1888-143-0x0000000001030000-0x0000000001041000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1888-138-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/2208-145-0x0000000000BE0000-0x0000000000C07000-memory.dmp
      Filesize

      156KB

      Download
    • memory/2208-146-0x0000000001130000-0x0000000001159000-memory.dmp
      Filesize

      164KB

      Download
    • memory/2208-147-0x00000000031B0000-0x00000000034FA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/2208-148-0x0000000002FE0000-0x0000000003070000-memory.dmp
      Filesize

      576KB

      Download