Overview

overview

10

Static

static

Invoice B9800177.exe

windows7_x64

10

Invoice B9800177.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    06-07-2022 07:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice B9800177.exe

  • Size

    628KB

  • MD5

    36efa9e34b8055b9e54572997f85099a

  • SHA1

    ceeb08b5411a56c0fc98388bc427b9aa563d8967

  • SHA256

    b87ec1a86d0c11e1183ec3de93241427e393f0016ff662fe6c9d98af2faf22d5

  • SHA512

    e4bbdaad01e7da77457af0420e9f777f59ec08cebc728b6396696317c69329d6c5a385b584abd642f92138324838e9df347b8f61f346aad9583eac115f1a2413

Score
10/10
xloaderloaderpersistenceratsuricata

Malware Config

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 5 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1264
    • C:\Users\Admin\AppData\Local\Temp\Invoice B9800177.exe
      "C:\Users\Admin\AppData\Local\Temp\Invoice B9800177.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Users\Admin\AppData\Local\Temp\Invoice B9800177.exe
        "C:\Users\Admin\AppData\Local\Temp\Invoice B9800177.exe"
        3⤵
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:948
    • C:\Windows\SysWOW64\wlanext.exe
      "C:\Windows\SysWOW64\wlanext.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1420
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Invoice B9800177.exe"
        3⤵
        • Deletes itself
        PID:696
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:1988

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/696-71-0x0000000000000000-mapping.dmp
      Download
    • memory/948-66-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/948-68-0x0000000000270000-0x0000000000281000-memory.dmp
      Filesize

      68KB

      Download
    • memory/948-67-0x00000000009E0000-0x0000000000CE3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/948-60-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/948-61-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/948-63-0x0000000000400000-0x000000000042D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/948-64-0x00000000004202C0-mapping.dmp
      Download
    • memory/1264-78-0x00000000068F0000-0x0000000006A69000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/1264-76-0x00000000068F0000-0x0000000006A69000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/1264-69-0x0000000004D40000-0x0000000004DFA000-memory.dmp
      Filesize

      744KB

      Download
    • memory/1420-73-0x00000000000E0000-0x000000000010D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1420-70-0x0000000000000000-mapping.dmp
      Download
    • memory/1420-72-0x00000000003C0000-0x00000000003D6000-memory.dmp
      Filesize

      88KB

      Download
    • memory/1420-74-0x0000000001ED0000-0x00000000021D3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1420-75-0x0000000001D70000-0x0000000001E00000-memory.dmp
      Filesize

      576KB

      Download
    • memory/1420-77-0x00000000000E0000-0x000000000010D000-memory.dmp
      Filesize

      180KB

      Download
    • memory/1684-57-0x0000000000280000-0x000000000028E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1684-54-0x0000000000290000-0x0000000000334000-memory.dmp
      Filesize

      656KB

      Download
    • memory/1684-55-0x0000000075761000-0x0000000075763000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1684-56-0x00000000003E0000-0x0000000000400000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1684-59-0x00000000020F0000-0x0000000002122000-memory.dmp
      Filesize

      200KB

      Download
    • memory/1684-58-0x0000000005F50000-0x0000000005FCA000-memory.dmp
      Filesize

      488KB

      Download