Overview

overview

10

Static

static

SecuriteIn...46.exe

windows7_x64

10

SecuriteIn...46.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    49s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    09-06-2022 10:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.W32.AIDetectNet.01.8546.exe

  • Size

    724KB

  • MD5

    1b053ad5898e7a62a5ba6d5b4614acc1

  • SHA1

    24ec1578605b09fd3da9aef8613358bfbb205398

  • SHA256

    577322e3f941bd8f432e83818ff0e97f411e67e75f9ed5654b856f6e6e2ae9e2

  • SHA512

    f3641c3bcaa88ac62305bec4d42f37ee1455f5979f2f9c6525cc2d183be58dca91fa222d03da5b8d007993750187b37f3980a465291f667d58f2a3626df46f93

Score
10/10
xloadern5mzloaderrat

Malware Config

Extracted

Family

xloader

Version

2.7

Campaign

n5mz

Decoy

ezhuilike.com

broomstickrum.com

ramaniclothing.com

midbots.com

rlxscpe.com

elanagro.online

chahuajie.com

digipubcity.com

predatorstoppers.com

savas-jewelry.com

timinis23.com

homesteaddesignstudio.net

bellezadehoy.online

disintar.xyz

sharinks.tech

redfoxdetroit.com

resscoptheron.com

aspiritualgiftshoppe.com

tematemazo.com

assasa.net

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.8546.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.8546.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1600
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WoJYlIWNwLUW.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2016
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WoJYlIWNwLUW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAFE0.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2000
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.8546.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.8546.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpAFE0.tmp
    Filesize

    1KB

    MD5

    161a7ee87f983893612cb58f619543cc

    SHA1

    2e17e80cdf1dabd5d1dec8164b4e94cb9940237e

    SHA256

    7c6d3420b60cf7daec6280a7479d7cadbb29a6177fc8b8da7181b0d316e1dd7d

    SHA512

    f59f14df0305e23f66c179a1094b88e8a7866b91a37cee6872a1e8063aed221c0acaaa5cfee643b21cf8eff23197c2289dee562ed8d2b1634eed939c65461021

    Download Submit
  • memory/1600-62-0x0000000002170000-0x0000000002176000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1600-55-0x0000000075CD1000-0x0000000075CD3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1600-56-0x0000000000460000-0x0000000000472000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1600-57-0x00000000057C0000-0x000000000584E000-memory.dmp
    Filesize

    568KB

    Download
  • memory/1600-54-0x0000000000980000-0x0000000000A3C000-memory.dmp
    Filesize

    752KB

    Download
  • memory/1600-63-0x0000000004750000-0x0000000004782000-memory.dmp
    Filesize

    200KB

    Download
  • memory/1720-68-0x000000000041F330-mapping.dmp
    Download
  • memory/1720-64-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1720-65-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1720-67-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1720-69-0x0000000000A40000-0x0000000000D43000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/2000-59-0x0000000000000000-mapping.dmp
    Download
  • memory/2016-58-0x0000000000000000-mapping.dmp
    Download
  • memory/2016-70-0x000000006EB70000-0x000000006F11B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2016-71-0x000000006EB70000-0x000000006F11B000-memory.dmp
    Filesize

    5.7MB

    Download