Overview

overview

10

Static

static

1

COMMANDE2022.exe

windows7_x64

10

COMMANDE2022.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    165s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220331-en
  • submitted
    12-04-2022 13:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    COMMANDE2022.exe

  • Size

    240KB

  • MD5

    b416c05593038ca7e314f102e0dcae6e

  • SHA1

    20ab9278c05a8f278a2daff13951b6d28086db71

  • SHA256

    c0d6833e7ba34a1a05310005fa4e09ad5e1e2b60edf8fe62fc42b7610913496c

  • SHA512

    a3425015be98c426f394e06e37bc945ee52e07c023ca8b7fe7d52baa5761c77c1cb1d16f6806330b8f2e3e71056263e70e8bec922b7dd0dad07962d97713b43a

Score
10/10
xloadercbgoloaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

cbgo

Decoy

santesha.com

britneysbeautybar.com

sh-cy17.com

jeffcarveragency.com

3117111.com

sobrehosting.net

ddm123.xyz

toxcompliance.com

auditorydesigns.com

vliftfacial.com

ielhii.com

naameliss.com

ritualchariot.com

solchange.com

quatre-vingts.design

lawnmowermashine.com

braceletsstore.net

admappy.com

tollivercoltd.com

vaidix.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 2 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Users\Admin\AppData\Local\Temp\COMMANDE2022.exe
      "C:\Users\Admin\AppData\Local\Temp\COMMANDE2022.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3520
      • C:\Users\Admin\AppData\Local\Temp\jgtuubxgos.exe
        C:\Users\Admin\AppData\Local\Temp\jgtuubxgos.exe C:\Users\Admin\AppData\Local\Temp\htcdlhlzf
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4684
        • C:\Users\Admin\AppData\Local\Temp\jgtuubxgos.exe
          C:\Users\Admin\AppData\Local\Temp\jgtuubxgos.exe C:\Users\Admin\AppData\Local\Temp\htcdlhlzf
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2624
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2488
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\jgtuubxgos.exe"
        3⤵
          PID:3832

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\htcdlhlzf
      Filesize

      4KB

      MD5

      2ef3334ad7021b15415a3d6c2bcad2e5

      SHA1

      559738ae73b169a851c684250f3fd281ae73b59c

      SHA256

      acd6f8529cb6b49fcc51261a8574be51eeb204fe9bdcb4e8dc4131e7ad2d4172

      SHA512

      44ff29341a7e434d13e69c49a5f3703b2d255c40978ea2ab0d869f508e10042affa8f5f59e74eb5295ae7dc61963d2f13fbb172ad48664811dee4e0c8f4b8bc2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\jgtuubxgos.exe
      Filesize

      5KB

      MD5

      7379cf00c2ceec0b6256dc610ee8dbe2

      SHA1

      0c49ddab376fc45f565dde736c863f93f0195fc8

      SHA256

      da93d14187f32f7a905a8cc4f97c096fd7171049dc01abaa16e5385c6cb9df29

      SHA512

      0aac0c418a119ff5ec2d1e05b98aa7927c2c6e62062aec0101869e5c5ce245db801b9d7849356af276780071e96d237b6b3e699cda5a7273d5a5708633249d8e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\jgtuubxgos.exe
      Filesize

      5KB

      MD5

      7379cf00c2ceec0b6256dc610ee8dbe2

      SHA1

      0c49ddab376fc45f565dde736c863f93f0195fc8

      SHA256

      da93d14187f32f7a905a8cc4f97c096fd7171049dc01abaa16e5385c6cb9df29

      SHA512

      0aac0c418a119ff5ec2d1e05b98aa7927c2c6e62062aec0101869e5c5ce245db801b9d7849356af276780071e96d237b6b3e699cda5a7273d5a5708633249d8e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\jgtuubxgos.exe
      Filesize

      5KB

      MD5

      7379cf00c2ceec0b6256dc610ee8dbe2

      SHA1

      0c49ddab376fc45f565dde736c863f93f0195fc8

      SHA256

      da93d14187f32f7a905a8cc4f97c096fd7171049dc01abaa16e5385c6cb9df29

      SHA512

      0aac0c418a119ff5ec2d1e05b98aa7927c2c6e62062aec0101869e5c5ce245db801b9d7849356af276780071e96d237b6b3e699cda5a7273d5a5708633249d8e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\t90ysxzhlbpy
      Filesize

      214KB

      MD5

      09fad7f6fdd368909ddda0c82a2f4765

      SHA1

      e9657c98a2db2541e9688c4c17bbe72ac98dca63

      SHA256

      40f0f0667c86edd961adec95e071b433aff224eb9cf0ba59e52cd6ef8e3d1106

      SHA512

      20c71f4b10c037d9d47e66b351a46db0855d6f253d1135c1b9ac8bc6182f734bce296814d7dfd7c86fe2bacdf39230766f2b9d7af6cb86dc54e85ef33b43a6bf

      Download Submit
    • memory/2488-137-0x0000000000A90000-0x0000000000BCA000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/2488-136-0x0000000000000000-mapping.dmp
      Download
    • memory/2488-140-0x0000000002CC0000-0x000000000300A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/2488-138-0x0000000000A20000-0x0000000000A49000-memory.dmp
      Filesize

      164KB

      Download
    • memory/2488-141-0x0000000002B30000-0x0000000002BC0000-memory.dmp
      Filesize

      576KB

      Download
    • memory/2624-130-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/2624-129-0x0000000000000000-mapping.dmp
      Download
    • memory/2624-133-0x00000000015E0000-0x000000000192A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/2624-134-0x0000000001580000-0x0000000001591000-memory.dmp
      Filesize

      68KB

      Download
    • memory/2676-135-0x00000000026C0000-0x00000000027A6000-memory.dmp
      Filesize

      920KB

      Download
    • memory/2676-142-0x0000000008410000-0x000000000852C000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/3832-139-0x0000000000000000-mapping.dmp
      Download
    • memory/4684-124-0x0000000000000000-mapping.dmp
      Download