Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21/06/2022, 10:21

General

  • Target

    ccc5f7c2dcf83d72150071b31ff3036834f0d26544e2c2c274bce95d234b14ea.exe

  • Size

    963KB

  • MD5

    83dd3acd8f3e455bfd2c4711453399c3

  • SHA1

    8895c917c9a3157939036647ba402f02d98f29e4

  • SHA256

    ccc5f7c2dcf83d72150071b31ff3036834f0d26544e2c2c274bce95d234b14ea

  • SHA512

    72fee0861dad6d8f44f450e00950bb1c486961b7f114d822f1e5e0335c7214800b1c8242a35f409220eac72f8b2dfd56a238c5e10be13d52507e521daa5cb2d2

Score
10/10

Malware Config

Extracted

  • Family
    xloader
  • Version
    2.6
  • Campaign
    gd9m
  • Decoy
    screens.ma
    coachingdiary.com
    cannabisconsultant.xyz
    sirenonthemoon.com
    gabrielatrejo.com
    blumenladentampa.com
    sturisticosadmcancun.com
    qdygo.net
    nubearies.com
    thedestinationcrafter.com
    fastblacktv.com
    sanakatha.com
    birdviewsecurityandshipping.com
    waterfilterhub.xyz
    92658.top
    xigen.xyz
    barikadcrew.com
    herzogbjj.com
    veminis.com
    thnawya.net

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ccc5f7c2dcf83d72150071b31ff3036834f0d26544e2c2c274bce95d234b14ea.exe
    "C:\Users\Admin\AppData\Local\Temp\ccc5f7c2dcf83d72150071b31ff3036834f0d26544e2c2c274bce95d234b14ea.exe"
    PID: 1108 (depth 1)
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\ccc5f7c2dcf83d72150071b31ff3036834f0d26544e2c2c274bce95d234b14ea.exe
      "C:\Users\Admin\AppData\Local\Temp\ccc5f7c2dcf83d72150071b31ff3036834f0d26544e2c2c274bce95d234b14ea.exe"
      PID: 1976 (depth 2, child of PID 1108)
      • Suspicious behavior: EnumeratesProcesses

Network

Downloads

  • memory/1108-130-0x00000000005F0000-0x00000000006E6000-memory.dmp
    Filesize: 984KB
  • memory/1108-131-0x00000000056D0000-0x0000000005C74000-memory.dmp
    Filesize: 5.6MB
  • memory/1108-132-0x0000000005120000-0x00000000051B2000-memory.dmp
    Filesize: 584KB
  • memory/1108-133-0x00000000051C0000-0x000000000525C000-memory.dmp
    Filesize: 624KB
  • memory/1108-134-0x0000000006C30000-0x0000000006C3A000-memory.dmp
    Filesize: 40KB
  • memory/1108-135-0x000000000F890000-0x000000000F8B2000-memory.dmp
    Filesize: 136KB
  • memory/1976-137-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize: 172KB
  • memory/1976-138-0x00000000019E0000-0x0000000001D2A000-memory.dmp
    Filesize: 3.3MB