Analysis

  • max time kernel
    112s
  • max time network
    179s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-05-2022 14:00

General

  • Target

    INQNEW#PO24052022.qdf.exe

  • Size

    276KB

  • MD5

    ebb0fecde4a2e88c63c27c82810113b5

  • SHA1

    c5658bec21ea4dfe2d0a66089d2d18bf081c778f

  • SHA256

    df1b0eef4f32a5c2527691175375962957db71bc913d37f6e71150e599b2b31c

  • SHA512

    05960c717d5f30ca5b1424a3a2806c2a7a00b6ec4a3949bdb7db4d7f5fd885119cf18cbb752537ddcb7bc277ecf683d060c40baee3ac6bdb6f76cb5a50598ad8

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

be4o

Decoy

laboratoriobioixcha.com

tictocperushop.online

wild-oceans.com

belaruscountry.com

kicktmall.com

fitcoinweb.tech

mores.one

gogear.one

gxrcksy.com

samrcq.com

impossible-icecream.com

bravesxx.com

bookchainart.com

sleepsolutionsofmboro.com

ocbrazilbusinessclub.com

advisor76.xyz

xitaotech.com

mgsdtytifgf3414.xyz

johnson-brown.net

cr3drt.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\INQNEW#PO24052022.qdf.exe
    "C:\Users\Admin\AppData\Local\Temp\INQNEW#PO24052022.qdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:912
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
        PID:4928
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 180
          3⤵
          • Program crash
          PID:2412
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 204
          3⤵
          • Program crash
          PID:2156
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4928 -ip 4928
      1⤵
        PID:1496
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4928 -ip 4928
        1⤵
          PID:1544

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Execution

        Scripting

        1
        T1064

        Defense Evasion

        Scripting

        1
        T1064

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/912-130-0x0000000000AC0000-0x0000000000B0A000-memory.dmp
          Filesize

          296KB

        • memory/912-131-0x0000000005970000-0x0000000005F14000-memory.dmp
          Filesize

          5.6MB

        • memory/4928-132-0x0000000000000000-mapping.dmp
        • memory/4928-133-0x0000000000400000-0x000000000042B000-memory.dmp
          Filesize

          172KB

        • memory/4928-134-0x0000000000F40000-0x0000000000F6B000-memory.dmp
          Filesize

          172KB