General

Target: New purchase Order.exe
Filesize: 477KB
Completed: 21-05-2022 01:44
Task: behavioral1
Score: 10/10
MD5: dd481272bd8f9e8ca40868e4a90db854
SHA1: 8871b4d7173d89b539aa1b3e91139cb4c0ce744e
SHA256: 8edf8a8b1972c8dd05a960b7a79a7a87c8977b69b700ab9db28bab9207b8b267
SHA512: 168ed59d8f6edd7b37b44441480e59fdef67beb35487974aec59aa36852407c75d5537532f6cd0104327516fd2e0359fadb6fe56a8def782864413df341761a8

Malware Config (Extracted)

Family: xloader
Version: 2.6
Campaign: a8hq
Decoy:


Signatures (9)

Tags: Discovery, Persistence
  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload

    Tags

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/832-64-0x0000000000400000-0x000000000042B000-memory.dmp | xloader
    behavioral1/memory/832-65-0x000000000041F2C0-mapping.dmp | xloader
    behavioral1/memory/832-67-0x0000000000400000-0x000000000042B000-memory.dmp | xloader
  • Suspicious use of SetThreadContext
    New purchase Order.exe, New purchase Order.exe

    Reported IOCs

    description | pid | process | target process
    PID 884 set thread context of 832 | 884 | New purchase Order.exe | New purchase Order.exe
    PID 832 set thread context of 1260 | 832 | New purchase Order.exe | Explorer.EXE
    PID 832 set thread context of 1260 | 832 | New purchase Order.exe | Explorer.EXE
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    1172 | schtasks.exe
  • Suspicious behavior: EnumeratesProcesses
    New purchase Order.exe, New purchase Order.exe

    Reported IOCs

    pid | process
    884 | New purchase Order.exe
    832 | New purchase Order.exe
    832 | New purchase Order.exe
    832 | New purchase Order.exe
  • Suspicious behavior: MapViewOfSection
    New purchase Order.exe

    Reported IOCs

    pid | process
    832 | New purchase Order.exe
    832 | New purchase Order.exe
  • Suspicious use of AdjustPrivilegeToken
    New purchase Order.exe, New purchase Order.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 884 | New purchase Order.exe
    Token: SeDebugPrivilege | 832 | New purchase Order.exe
  • Suspicious use of WriteProcessMemory
    New purchase Order.exe

    Reported IOCs

    description | pid | process | target process
    PID 884 wrote to memory of 1172 | 884 | New purchase Order.exe | schtasks.exe
    PID 884 wrote to memory of 1172 | 884 | New purchase Order.exe | schtasks.exe
    PID 884 wrote to memory of 1172 | 884 | New purchase Order.exe | schtasks.exe
    PID 884 wrote to memory of 1172 | 884 | New purchase Order.exe | schtasks.exe
    PID 884 wrote to memory of 832 | 884 | New purchase Order.exe | New purchase Order.exe
    PID 884 wrote to memory of 832 | 884 | New purchase Order.exe | New purchase Order.exe
    PID 884 wrote to memory of 832 | 884 | New purchase Order.exe | New purchase Order.exe
    PID 884 wrote to memory of 832 | 884 | New purchase Order.exe | New purchase Order.exe
    PID 884 wrote to memory of 832 | 884 | New purchase Order.exe | New purchase Order.exe
    PID 884 wrote to memory of 832 | 884 | New purchase Order.exe | New purchase Order.exe
    PID 884 wrote to memory of 832 | 884 | New purchase Order.exe | New purchase Order.exe
Processes (4)
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    PID:1260
    • C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe
      "C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe"
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:884
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NADfrJFSUbwNu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAB4E.tmp"
        Creates scheduled task(s)
        PID:1172
      • C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe
        "{path}"
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        PID:832
Network
MITRE ATT&CK Matrix

Collection | Command and Control | Credential Access | Defense Evasion | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Persistence | Privilege Escalation
Downloads
• C:\Users\Admin\AppData\Local\Temp\tmpAB4E.tmp

  MD5: 231f63059ec3c0ee73572994bde4bfed
  SHA1: d14200c81c501834b7c21345cee8097d08e07bda
  SHA256: fe3b361ce3bdf2b2deb9e3592190b1ac6ff487ad9966fb111189b6fd8fc53353
  SHA512: 9eabd4d37e6b0f7e21c0bb9a934ab85e9324a2d19243ed759bc0e9443c6431f9a76c47eb6ba65b9192abe9e8e50714741854b9fc312f7ad2a89db3e8d722fc2e
