Overview

overview

10

Static

static

ef43e97cb6...20.exe

windows7_x64

10

ef43e97cb6...20.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    22-06-2022 05:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ef43e97cb61e5d54d4953a4d3278f220.exe

  • Size

    828KB

  • MD5

    ef43e97cb61e5d54d4953a4d3278f220

  • SHA1

    16e593f0ddae9e67c5dd725d383552a0414ab292

  • SHA256

    45d1b699698ba99b1a8c51ef57d3ed895b762f418cc05f8c54425e3cebcea4c0

  • SHA512

    3e978d30d2bf94a2fe506c44f7bafb94cc3fe8a50a8db1232c2de6b34fd22fd9ec951c63290e3983c42bdf278e00d940c49858b1faa61bdf90bf299532631b71

Score
10/10
xloaderpdrqevasionloaderpersistenceratspywarestealersuricata

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

pdrq

Decoy

welchsunstar.com

mppservicesllc.com

wiresofteflon.com

brabov.xyz

compnonoch.site

yourbuilderworks.com

iamsamirahman.com

eriqoes.com

eastudio.design

skyearth-est.com

teethfitness.com

razaancreates.com

shfbfs.com

joyfulbrokekids.com

kjbolden.com

howirep.com

deedeesmainecoons.website

e-powair.com

aheatea.com

shalfey0009.xyz

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    suricata
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Xloader Payload 4 IoCs
    rat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 61 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1124
    • C:\Users\Admin\AppData\Local\Temp\ef43e97cb61e5d54d4953a4d3278f220.exe
      "C:\Users\Admin\AppData\Local\Temp\ef43e97cb61e5d54d4953a4d3278f220.exe"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Checks computer location settings
      • Maps connected drives based on registry
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3116
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\lIaHFEbpq.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3452
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lIaHFEbpq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp67D7.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:4212
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:436
    • C:\Windows\SysWOW64\msdt.exe
      "C:\Windows\SysWOW64\msdt.exe"
      2⤵
      • Adds policy Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1320
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
          PID:220
        • C:\Windows\SysWOW64\cmd.exe
          /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
          3⤵
            PID:2508
          • C:\Windows\SysWOW64\cmd.exe
            /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
            3⤵
              PID:4772
            • C:\Program Files\Mozilla Firefox\Firefox.exe
              "C:\Program Files\Mozilla Firefox\Firefox.exe"
              3⤵
                PID:1820
            • C:\Program Files (x86)\Kktj8zxp0\IconCachejbcphpxp.exe
              "C:\Program Files (x86)\Kktj8zxp0\IconCachejbcphpxp.exe"
              2⤵
              • Executes dropped EXE
              PID:3656

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Scheduled Task

          1
          T1053

          Persistence

          Registry Run Keys / Startup Folder

          1
          T1060

          Scheduled Task

          1
          T1053

          Privilege Escalation

          Scheduled Task

          1
          T1053

          Defense Evasion

          Virtualization/Sandbox Evasion

          2
          T1497

          Modify Registry

          2
          T1112

          Credential Access

          Credentials in Files

          1
          T1081

          Discovery

          Query Registry

          5
          T1012

          Virtualization/Sandbox Evasion

          2
          T1497

          System Information Discovery

          4
          T1082

          Peripheral Device Discovery

          1
          T1120

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Kktj8zxp0\IconCachejbcphpxp.exe
            Filesize

            44KB

            MD5

            9d352bc46709f0cb5ec974633a0c3c94

            SHA1

            1969771b2f022f9a86d77ac4d4d239becdf08d07

            SHA256

            2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

            SHA512

            13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

            Download Submit
          • C:\Program Files (x86)\Kktj8zxp0\IconCachejbcphpxp.exe
            Filesize

            44KB

            MD5

            9d352bc46709f0cb5ec974633a0c3c94

            SHA1

            1969771b2f022f9a86d77ac4d4d239becdf08d07

            SHA256

            2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

            SHA512

            13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\DB1
            Filesize

            40KB

            MD5

            b608d407fc15adea97c26936bc6f03f6

            SHA1

            953e7420801c76393902c0d6bb56148947e41571

            SHA256

            b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

            SHA512

            cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\DB1
            Filesize

            48KB

            MD5

            349e6eb110e34a08924d92f6b334801d

            SHA1

            bdfb289daff51890cc71697b6322aa4b35ec9169

            SHA256

            c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

            SHA512

            2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\tmp67D7.tmp
            Filesize

            1KB

            MD5

            2258bea626699bd5a009e3bb020e79ea

            SHA1

            474c289b99b4a067ef2b623a4090671292489988

            SHA256

            aba19cfc1a944b742dd03abe39e0fb6c309db102a0bb32cac2567a0bfdee499b

            SHA512

            8c413d9f5e08f9d32dfc870b23558ce0f822fffa9dea753713daebe3dea298c468455c4672c8f9e4fef3ad3960d17d4299d847533864ed4aa86dde1799b0fd55

            Download Submit
          • memory/220-159-0x0000000000000000-mapping.dmp
            Download
          • memory/436-157-0x0000000000400000-0x000000000042B000-memory.dmp
            Filesize

            172KB

            Download
          • memory/436-147-0x0000000001AD0000-0x0000000001E1A000-memory.dmp
            Filesize

            3.3MB

            Download
          • memory/436-141-0x0000000000000000-mapping.dmp
            Download
          • memory/436-142-0x0000000000400000-0x000000000042B000-memory.dmp
            Filesize

            172KB

            Download
          • memory/436-148-0x0000000001440000-0x0000000001451000-memory.dmp
            Filesize

            68KB

            Download
          • memory/1124-169-0x0000000008010000-0x0000000008142000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/1124-167-0x0000000008010000-0x0000000008142000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/1124-149-0x0000000007EC0000-0x0000000008001000-memory.dmp
            Filesize

            1.3MB

            Download
          • memory/1320-166-0x0000000002C50000-0x0000000002CE0000-memory.dmp
            Filesize

            576KB

            Download
          • memory/1320-156-0x0000000000000000-mapping.dmp
            Download
          • memory/1320-168-0x0000000000E80000-0x0000000000EAB000-memory.dmp
            Filesize

            172KB

            Download
          • memory/1320-163-0x0000000002EF0000-0x000000000323A000-memory.dmp
            Filesize

            3.3MB

            Download
          • memory/1320-162-0x0000000000E80000-0x0000000000EAB000-memory.dmp
            Filesize

            172KB

            Download
          • memory/1320-160-0x0000000000070000-0x00000000000C7000-memory.dmp
            Filesize

            348KB

            Download
          • memory/2508-170-0x0000000000000000-mapping.dmp
            Download
          • memory/3116-130-0x0000000000550000-0x0000000000626000-memory.dmp
            Filesize

            856KB

            Download
          • memory/3116-131-0x0000000005550000-0x0000000005AF4000-memory.dmp
            Filesize

            5.6MB

            Download
          • memory/3116-132-0x0000000005040000-0x00000000050D2000-memory.dmp
            Filesize

            584KB

            Download
          • memory/3116-133-0x0000000004FE0000-0x0000000004FEA000-memory.dmp
            Filesize

            40KB

            Download
          • memory/3116-134-0x0000000008A80000-0x0000000008B1C000-memory.dmp
            Filesize

            624KB

            Download
          • memory/3116-135-0x0000000008CC0000-0x0000000008D26000-memory.dmp
            Filesize

            408KB

            Download
          • memory/3452-164-0x0000000007500000-0x000000000751A000-memory.dmp
            Filesize

            104KB

            Download
          • memory/3452-138-0x00000000048D0000-0x0000000004906000-memory.dmp
            Filesize

            216KB

            Download
          • memory/3452-161-0x00000000073F0000-0x00000000073FE000-memory.dmp
            Filesize

            56KB

            Download
          • memory/3452-150-0x00000000064D0000-0x0000000006502000-memory.dmp
            Filesize

            200KB

            Download
          • memory/3452-140-0x0000000004FC0000-0x00000000055E8000-memory.dmp
            Filesize

            6.2MB

            Download
          • memory/3452-143-0x0000000004DD0000-0x0000000004DF2000-memory.dmp
            Filesize

            136KB

            Download
          • memory/3452-152-0x0000000006410000-0x000000000642E000-memory.dmp
            Filesize

            120KB

            Download
          • memory/3452-165-0x00000000074E0000-0x00000000074E8000-memory.dmp
            Filesize

            32KB

            Download
          • memory/3452-136-0x0000000000000000-mapping.dmp
            Download
          • memory/3452-158-0x0000000007440000-0x00000000074D6000-memory.dmp
            Filesize

            600KB

            Download
          • memory/3452-144-0x00000000055F0000-0x0000000005656000-memory.dmp
            Filesize

            408KB

            Download
          • memory/3452-153-0x0000000007800000-0x0000000007E7A000-memory.dmp
            Filesize

            6.5MB

            Download
          • memory/3452-146-0x0000000005EB0000-0x0000000005ECE000-memory.dmp
            Filesize

            120KB

            Download
          • memory/3452-151-0x0000000075440000-0x000000007548C000-memory.dmp
            Filesize

            304KB

            Download
          • memory/3452-154-0x00000000071C0000-0x00000000071DA000-memory.dmp
            Filesize

            104KB

            Download
          • memory/3452-155-0x0000000007230000-0x000000000723A000-memory.dmp
            Filesize

            40KB

            Download
          • memory/3656-174-0x0000000000000000-mapping.dmp
            Download
          • memory/3656-177-0x0000000000FB0000-0x0000000000FBE000-memory.dmp
            Filesize

            56KB

            Download
          • memory/3656-178-0x0000000005760000-0x000000000579C000-memory.dmp
            Filesize

            240KB

            Download
          • memory/4212-137-0x0000000000000000-mapping.dmp
            Download
          • memory/4772-172-0x0000000000000000-mapping.dmp
            Download