Overview

overview

10

Static

static

ff766cdd10...bb.exe

windows7_x64

10

ff766cdd10...bb.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    142s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    27-04-2022 10:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ff766cdd10083147250eabfcaa76bebb.exe

  • Size

    572KB

  • MD5

    ff766cdd10083147250eabfcaa76bebb

  • SHA1

    936815953ebeb2a771b03d86923079c01d2eb7f9

  • SHA256

    6dcb58ae937b9194609ef51a11f945abb7b82d9f10e032bbef2fda12ee96e6db

  • SHA512

    bdf81fdd836b74762bc22d522c9e6a2da73923a62355395472f8d9cf781bcc1fb8da7a6a165ba834ce18a913753e3463b4f9380e67a2cc136db0b2afcf3adac3

Score
10/10
xloaderr87gloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

r87g

Decoy

gzjyjzsj.com

rapibest.com

affordablebathroomsbyfrank.net

roboruben.com

xn--dlisucr-byag.com

encoreasso.com

piscire.com

dixiebusybee.com

newrome.xyz

sunshinejon.com

glacierforfcs.xyz

borhanmarket.com

tous-des-cons.club

hsfstea.com

spiniform.info

vaicomfibra.com

shinigami.xyz

kryptoindia.com

listentoappetite.com

securepplpay.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ff766cdd10083147250eabfcaa76bebb.exe
    "C:\Users\Admin\AppData\Local\Temp\ff766cdd10083147250eabfcaa76bebb.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nofaYQfZLH.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1384
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nofaYQfZLH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3DE4.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3332
    • C:\Users\Admin\AppData\Local\Temp\ff766cdd10083147250eabfcaa76bebb.exe
      "C:\Users\Admin\AppData\Local\Temp\ff766cdd10083147250eabfcaa76bebb.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp3DE4.tmp
    Filesize

    1KB

    MD5

    1f9dae69f424275934c1256f7119df53

    SHA1

    222d8c834c02e81bbb8352000d55657b2a2981f7

    SHA256

    ca1b16e099b463ac48326c39b4a6960523644fee3b48ea23648d71c39f617010

    SHA512

    e6573b94b273b8df4ac5116c941a1457041ee514c66dfaa5363675fd9fce838dce63a05dc2bafca6cdb5549b3a62652fa88e113a5d7ce40ac223dfcf3620ee72

    Download Submit
  • memory/652-145-0x00000000019A0000-0x0000000001CEA000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/652-142-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

    Download
  • memory/652-141-0x0000000000000000-mapping.dmp
    Download
  • memory/1384-136-0x0000000000000000-mapping.dmp
    Download
  • memory/1384-150-0x0000000007AB0000-0x000000000812A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/1384-156-0x00000000074E0000-0x00000000074E8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1384-155-0x00000000077A0000-0x00000000077BA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1384-138-0x0000000002810000-0x0000000002846000-memory.dmp
    Filesize

    216KB

    Download
  • memory/1384-154-0x0000000007440000-0x000000000744E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1384-140-0x0000000005280000-0x00000000058A8000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/1384-153-0x00000000076E0000-0x0000000007776000-memory.dmp
    Filesize

    600KB

    Download
  • memory/1384-152-0x00000000074B0000-0x00000000074BA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1384-143-0x0000000005180000-0x00000000051A2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1384-144-0x0000000005A60000-0x0000000005AC6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1384-151-0x00000000072E0000-0x00000000072FA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1384-146-0x0000000005AF0000-0x0000000005B0E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1384-147-0x0000000007300000-0x0000000007332000-memory.dmp
    Filesize

    200KB

    Download
  • memory/1384-148-0x0000000071440000-0x000000007148C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1384-149-0x0000000006570000-0x000000000658E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2204-135-0x0000000008DA0000-0x0000000008E06000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2204-131-0x0000000005980000-0x0000000005F24000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/2204-132-0x00000000053D0000-0x0000000005462000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2204-133-0x0000000005330000-0x000000000533A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2204-134-0x0000000008A70000-0x0000000008B0C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/2204-130-0x00000000008D0000-0x0000000000962000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3332-137-0x0000000000000000-mapping.dmp
    Download