Analysis Overview
SHA256
0a800c4ca408c8d9ff41171144199b8567d42aa3f66e9b0fb01a713baa57f2a7
Threat Level: Known bad
The file 31b0c90facdaab1ed9e0a4f535f8512f was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader
Xloader Payload
Deletes itself
Checks computer location settings
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-16 09:42
Signatures
N/A.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-16 09:42
Reported
2022-06-16 09:47
Platform
win7-20220414-en
Max time kernel
151s
Max time network
155s
Command Line
Signatures
Xloader
Xloader Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1688 set thread context of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | C:\Users\Admin\AppData\Local\Temp\PI.exe |
| PID 1988 set thread context of 1396 | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | C:\Windows\Explorer.EXE |
| PID 1988 set thread context of 1396 | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | C:\Windows\Explorer.EXE |
| PID 1360 set thread context of 1396 | N/A | C:\Windows\SysWOW64\cscript.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.esygbd.com | udp |
| CN | 43.137.0.175:80 | www.esygbd.com | tcp |
Files
memory/1688-54-0x0000000000820000-0x00000000008D4000-memory.dmp
memory/1688-55-0x0000000076391000-0x0000000076393000-memory.dmp
memory/1688-56-0x0000000000440000-0x000000000044A000-memory.dmp
memory/1688-57-0x0000000005CB0000-0x0000000005D52000-memory.dmp
memory/1688-58-0x0000000004AD0000-0x0000000004B3C000-memory.dmp
memory/1988-59-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1988-60-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1988-62-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1988-63-0x000000000041F650-mapping.dmp
memory/1988-65-0x0000000000BB0000-0x0000000000EB3000-memory.dmp
memory/1988-66-0x00000000001D0000-0x00000000001E1000-memory.dmp
memory/1396-67-0x0000000004D90000-0x0000000004ED0000-memory.dmp
memory/1988-68-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1988-69-0x0000000000210000-0x0000000000221000-memory.dmp
memory/1396-70-0x00000000068C0000-0x00000000069FA000-memory.dmp
memory/1988-72-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1360-71-0x0000000000000000-mapping.dmp
memory/1648-73-0x0000000000000000-mapping.dmp
memory/1360-74-0x0000000000BF0000-0x0000000000C12000-memory.dmp
memory/1360-75-0x0000000000070000-0x000000000009C000-memory.dmp
memory/1360-76-0x0000000002020000-0x0000000002323000-memory.dmp
memory/1360-77-0x0000000000A50000-0x0000000000AE0000-memory.dmp
memory/1396-78-0x0000000007880000-0x0000000007A0A000-memory.dmp
memory/1360-79-0x0000000000070000-0x000000000009C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-16 09:42
Reported
2022-06-16 09:47
Platform
win10v2004-20220414-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4308 set thread context of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | C:\Users\Admin\AppData\Local\Temp\PI.exe |
| PID 2292 set thread context of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | C:\Windows\Explorer.EXE |
| PID 2188 set thread context of 3048 | N/A | C:\Windows\SysWOW64\msdt.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PI.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 20.190.160.67:443 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 20.190.160.8:443 | | tcp |
| IE | 20.50.80.209:443 | | tcp |
| NL | 20.190.160.2:443 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| NL | 20.190.160.136:443 | | tcp |
| US | 8.8.8.8:53 | www.pancinobakery.com | udp |
| US | 8.8.8.8:53 | www.mariorovera.com | udp |
| DE | 217.160.0.114:80 | www.mariorovera.com | tcp |
| US | 8.8.8.8:53 | www.onthegotransport.com | udp |
| US | 8.8.8.8:53 | www.cidexfur.com | udp |
| US | 192.200.213.239:80 | www.cidexfur.com | tcp |
| NL | 20.190.160.73:443 | | tcp |
| US | 8.8.8.8:53 | www.ssciencedirect.com | udp |
| US | 199.59.243.220:80 | www.ssciencedirect.com | tcp |
| US | 8.8.8.8:53 | www.associationcepedcameroun.com | udp |
| US | 199.15.163.148:80 | www.associationcepedcameroun.com | tcp |
| US | 8.8.8.8:53 | www.snusmail.com | udp |
| DE | 84.200.110.123:80 | www.snusmail.com | tcp |
| NL | 20.190.160.71:443 | | tcp |
| US | 8.8.8.8:53 | www.compassmarinservices.com | udp |
| US | 8.8.8.8:53 | www.linioshop6.com | udp |
| US | 45.207.44.65:80 | www.linioshop6.com | tcp |
| NL | 20.190.160.132:443 | | tcp |
| US | 8.8.8.8:53 | www.linioshop6.com | udp |
| US | 45.207.44.65:80 | www.linioshop6.com | tcp |
| US | 8.8.8.8:53 | www.achalarya.com | udp |
| US | 34.102.136.180:80 | www.achalarya.com | tcp |
Files
memory/4308-130-0x0000000000030000-0x00000000000E4000-memory.dmp
memory/4308-131-0x0000000004FB0000-0x0000000005554000-memory.dmp
memory/4308-132-0x0000000004A00000-0x0000000004A92000-memory.dmp
memory/4308-133-0x0000000004AA0000-0x0000000004B4A000-memory.dmp
memory/4308-134-0x0000000004BD0000-0x0000000004BDA000-memory.dmp
memory/4308-135-0x0000000007770000-0x000000000780C000-memory.dmp
memory/2292-136-0x0000000000000000-mapping.dmp
memory/2292-137-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2292-139-0x0000000001720000-0x0000000001A6A000-memory.dmp
memory/2292-140-0x0000000001290000-0x00000000012A1000-memory.dmp
memory/3048-141-0x0000000008010000-0x0000000008154000-memory.dmp
memory/2188-142-0x0000000000000000-mapping.dmp
memory/2292-143-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2188-145-0x0000000001100000-0x000000000112C000-memory.dmp
memory/2188-144-0x0000000000260000-0x00000000002B7000-memory.dmp
memory/60-146-0x0000000000000000-mapping.dmp
memory/2188-147-0x0000000003290000-0x00000000035DA000-memory.dmp
memory/2188-148-0x0000000001100000-0x000000000112C000-memory.dmp
memory/2188-149-0x0000000002FC0000-0x0000000003050000-memory.dmp
memory/3048-150-0x0000000007E20000-0x0000000007F4F000-memory.dmp
memory/3048-151-0x0000000007E20000-0x0000000007F4F000-memory.dmp