Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21/06/2022, 10:21

General

  • Target

    networksec.exe

  • Size

    467KB

  • MD5

    0a7ee72e2b57214272b36a91835ece31

  • SHA1

    4f8ba6b8eee9c2f612cd046b34905cd110ec1b12

  • SHA256

    25773608894ed7dced5dd50dc02483ffdd6d9ee3d79333aa8292c5d2a2586e21

  • SHA512

    22d253e97694d8c62bd188c3ce9008445b3e41389672049ff8d768746fff3fba20a5025ca535b804a9bf976435cb7836e8d728009327c55ada359d2ee35c9f5b

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

a2es

Decoy

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Xloader Payload 6 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1248
    • C:\Users\Admin\AppData\Local\Temp\networksec.exe
      "C:\Users\Admin\AppData\Local\Temp\networksec.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Users\Admin\AppData\Local\Temp\networksec.exe
        "C:\Users\Admin\AppData\Local\Temp\networksec.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1632
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      2⤵
      • Adds policy Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:804
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\networksec.exe"
        3⤵
        • Deletes itself
        PID:1688
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
        PID:888
