Overview

overview

10

Static

static

Product_Or...22.exe

windows7_x64

10

Product_Or...22.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    26-04-2022 05:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Product_Order#250422.exe

  • Size

    257KB

  • MD5

    265de87c891fc42f378339b4ce0406f5

  • SHA1

    76dee4e7e7c2f22da904b6629880c3f89dca8fed

  • SHA256

    2affbb57b10032083dc1fe15a3c1ff1a2aa0b59f74b4ac6d094e94db6a650faa

  • SHA512

    ca3e0a56c00928958f406ea5841b8c3f21076cd57e31c1818f8801addb7d0436aaf75bc3ae75f0a859fd7601b8dd8569ee658892bff00124324bc76b1a327f4f

Score
10/10
xloaderdx3nloaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

dx3n

Decoy

polebear.xyz

luciamoca.com

185451.com

bookfriendspodcast.net

reliancetechsolutions.com

wuzuiso.com

ig-representative.com

ryotaohno.com

wlnhcl.com

oasispoolth.com

fo71.com

storyandidentity.com

sayarpro.com

arrow-electronics-corps.net

brasbux.com

nigeriaafricasummit.com

choud.store

medicareopenenrollment.info

amlhcz.com

fdklflkdioerklfdke.store

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 2 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2576
    • C:\Users\Admin\AppData\Local\Temp\Product_Order#250422.exe
      "C:\Users\Admin\AppData\Local\Temp\Product_Order#250422.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4880
      • C:\Users\Admin\AppData\Local\Temp\aueycsx.exe
        C:\Users\Admin\AppData\Local\Temp\aueycsx.exe C:\Users\Admin\AppData\Local\Temp\kfupp
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:5072
        • C:\Users\Admin\AppData\Local\Temp\aueycsx.exe
          C:\Users\Admin\AppData\Local\Temp\aueycsx.exe C:\Users\Admin\AppData\Local\Temp\kfupp
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:4916
    • C:\Windows\SysWOW64\WWAHost.exe
      "C:\Windows\SysWOW64\WWAHost.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5084
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\aueycsx.exe"
        3⤵
          PID:1872

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\2l0ehdjchxpnymplfk
      Filesize

      163KB

      MD5

      6a9be40e3e90d64d41bb5bf5ab045047

      SHA1

      5b46d8d3f0b1b3c3fb1674d741b42e5cee316bff

      SHA256

      06e5128d97870d0c68f6b4c384108b0276fcbc47e1d38456a2f1577769165f7d

      SHA512

      985452bdbe94300017e8cbf35ca1bcaa27016217027bb3a6c1c0ae237d394036949fc4d6afe785255a87ce483ebb75a7ee0d412f041c1de1c842b800108a874e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\aueycsx.exe
      Filesize

      3KB

      MD5

      4447ceaa26383801955378fb5831ee91

      SHA1

      ab3c4d769e9125203ce3dbf7e35e76318c2ce3a4

      SHA256

      3a9b3e044e408c91a6b274d11bb7ec8913aa04b9efa290a899cbf37bed39e930

      SHA512

      1fcc1a10127946c55ccbb314c52edb1b88c45ea99d367ef8bcd98a44005d5ca0495c54e451b1607d29e751592475682982577d492117b513e4ad090f2be42e50

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\aueycsx.exe
      Filesize

      3KB

      MD5

      4447ceaa26383801955378fb5831ee91

      SHA1

      ab3c4d769e9125203ce3dbf7e35e76318c2ce3a4

      SHA256

      3a9b3e044e408c91a6b274d11bb7ec8913aa04b9efa290a899cbf37bed39e930

      SHA512

      1fcc1a10127946c55ccbb314c52edb1b88c45ea99d367ef8bcd98a44005d5ca0495c54e451b1607d29e751592475682982577d492117b513e4ad090f2be42e50

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\aueycsx.exe
      Filesize

      3KB

      MD5

      4447ceaa26383801955378fb5831ee91

      SHA1

      ab3c4d769e9125203ce3dbf7e35e76318c2ce3a4

      SHA256

      3a9b3e044e408c91a6b274d11bb7ec8913aa04b9efa290a899cbf37bed39e930

      SHA512

      1fcc1a10127946c55ccbb314c52edb1b88c45ea99d367ef8bcd98a44005d5ca0495c54e451b1607d29e751592475682982577d492117b513e4ad090f2be42e50

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\kfupp
      Filesize

      4KB

      MD5

      5a873257abf1da214b790721f619fe0d

      SHA1

      80d4635dac8fc7e2b72039bc3a154ef3ed831647

      SHA256

      323f1d55732df50c290ae1fab18f949fce0b0431fe614ff575582afefc389ea7

      SHA512

      0c04e0fa15eb17d8f310a78b3f171d0a5eb8bed33caec8490de1f4b322ca18f857c11a24033074fc5c3a973ad680d538343c6347f6182dbc29df250c6b3af8ab

      Download Submit
    • memory/1872-143-0x0000000000000000-mapping.dmp
      Download
    • memory/2576-141-0x0000000002DF0000-0x0000000002F2C000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/2576-148-0x00000000085D0000-0x0000000008682000-memory.dmp
      Filesize

      712KB

      Download
    • memory/4916-136-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/4916-135-0x0000000000000000-mapping.dmp
      Download
    • memory/4916-138-0x0000000000BF0000-0x0000000000F3A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4916-140-0x00000000005C0000-0x00000000005D1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/5072-130-0x0000000000000000-mapping.dmp
      Download
    • memory/5084-142-0x0000000000000000-mapping.dmp
      Download
    • memory/5084-145-0x0000000000E30000-0x0000000000E59000-memory.dmp
      Filesize

      164KB

      Download
    • memory/5084-144-0x0000000000EB0000-0x0000000000F8C000-memory.dmp
      Filesize

      880KB

      Download
    • memory/5084-146-0x0000000002280000-0x00000000025CA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/5084-147-0x0000000001E70000-0x0000000001F00000-memory.dmp
      Filesize

      576KB

      Download