Analysis

  • max time kernel
    153s
  • max time network
    186s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 11:58

General

  • Target

    Quotation DG-H2091717 Order.exe

  • Size

    491KB

  • MD5

    281adb9d80c76b1d55dd373ea0c9d76a

  • SHA1

    961c9d2108da9e4f91f1c38b3202eb582cea3f94

  • SHA256

    510b24a8ddcc1a99925f07d8ec0b56489930147a95810b787291b3396bd54a7c

  • SHA512

    f6a124e8a412801f5d0c9bac388da732b26bf66b84fcf1cce0bbd13c3f9107132fffe5b9e4d19f3f5f572a835cb0ac700bc83542cedcc39860133536d32aae93

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.1

Campaign

cvd

Decoy

wanda-dutyfree.net

m399999.com

adultoutopico.com

acappellawebradio.com

geetaisprings.com

californiacredit.repair

view-merchant.review

autoritecenter.com

lke7992.com

carroceriasalchichica.com

shanhaishidai.com

wuyounice.com

ahyingshi.com

eurocrypt.net

zvxhs.info

nxsexyvip.com

suffolkbuildingcontrol.com

sotruemobiledetailing.com

bizsolmx.com

personalidea.net

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 4 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1220
    • C:\Users\Admin\AppData\Local\Temp\Quotation DG-H2091717 Order.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation DG-H2091717 Order.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1528
      • C:\Users\Admin\AppData\Local\Temp\Quotation DG-H2091717 Order.exe
        "C:\Users\Admin\AppData\Local\Temp\Quotation DG-H2091717 Order.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1280
        • C:\Windows\SysWOW64\raserver.exe
          "C:\Windows\SysWOW64\raserver.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1620
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\Quotation DG-H2091717 Order.exe"
            5⤵
            • Deletes itself
            PID:1488
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:108
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:1960
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:1836
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:588
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:524
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:2044
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:320
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:1708
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:1688
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
      PID:1888
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe"
      2⤵
      PID:696

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1220-67-0x0000000004020000-0x00000000040D6000-memory.dmp
    Filesize
    728KB
  • memory/1220-78-0x0000000004CE0000-0x0000000004E5C000-memory.dmp
    Filesize
    1.5MB
  • memory/1220-70-0x0000000004BB0000-0x0000000004CDA000-memory.dmp
    Filesize
    1.2MB
  • memory/1280-66-0x0000000000130000-0x0000000000140000-memory.dmp
    Filesize
    64KB
  • memory/1280-68-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize
    160KB
  • memory/1280-59-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize
    160KB
  • memory/1280-60-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize
    160KB
  • memory/1280-63-0x000000000041CB50-mapping.dmp
  • memory/1280-62-0x0000000000400000-0x0000000000428000-memory.dmp
    Filesize
    160KB
  • memory/1280-65-0x00000000009D0000-0x0000000000CD3000-memory.dmp
    Filesize
    3.0MB
  • memory/1280-69-0x00000000003E0000-0x00000000003F0000-memory.dmp
    Filesize
    64KB
  • memory/1488-73-0x0000000000000000-mapping.dmp
  • memory/1528-57-0x00000000042C0000-0x000000000432C000-memory.dmp
    Filesize
    432KB
  • memory/1528-58-0x0000000002040000-0x000000000207E000-memory.dmp
    Filesize
    248KB
  • memory/1528-54-0x0000000000950000-0x00000000009D0000-memory.dmp
    Filesize
    512KB
  • memory/1528-56-0x0000000000600000-0x0000000000608000-memory.dmp
    Filesize
    32KB
  • memory/1528-55-0x00000000764C1000-0x00000000764C3000-memory.dmp
    Filesize
    8KB
  • memory/1620-71-0x0000000000000000-mapping.dmp
  • memory/1620-74-0x0000000000070000-0x000000000008C000-memory.dmp
    Filesize
    112KB
  • memory/1620-75-0x00000000000A0000-0x00000000000C8000-memory.dmp
    Filesize
    160KB
  • memory/1620-76-0x0000000001FD0000-0x00000000022D3000-memory.dmp
    Filesize
    3.0MB
  • memory/1620-77-0x0000000000650000-0x00000000006DF000-memory.dmp
    Filesize
    572KB