Overview

overview

10

Static

static

SecuriteIn...04.exe

windows7_x64

10

SecuriteIn...04.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-07-2022 08:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Trojan.Olock.1.12604.exe

  • Size

    848KB

  • MD5

    50968c3535895352d411a89114c20feb

  • SHA1

    449d8d3e5c6a2460a0015ae66a44087ea6920d77

  • SHA256

    af5011d40d9869926e4f208372a75fcd5fd2547f5e406e7e5b5e5aab4a5b7cd3

  • SHA512

    c26830fa525fc03b22cc507234e6c4e39e0f8df677c928f0ac3771c2b2e1fc3950bace8b8ce3a525bd7cb50c1083f964333a84c2cc433a388fe77f5964fcb9cd

Score
10/10
xloaderpdrqevasionloaderpersistenceratspywarestealersuricata

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

pdrq

Decoy

welchsunstar.com

mppservicesllc.com

wiresofteflon.com

brabov.xyz

compnonoch.site

yourbuilderworks.com

iamsamirahman.com

eriqoes.com

eastudio.design

skyearth-est.com

teethfitness.com

razaancreates.com

shfbfs.com

joyfulbrokekids.com

kjbolden.com

howirep.com

deedeesmainecoons.website

e-powair.com

aheatea.com

shalfey0009.xyz

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    suricata
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Xloader payload 4 IoCs
    rat
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Olock.1.12604.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Olock.1.12604.exe"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Checks computer location settings
      • Maps connected drives based on registry
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3780
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NQprQRmmRihX.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:764
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NQprQRmmRihX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBB61.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1548
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:748
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 1928
        3⤵
        • Program crash
        PID:5080
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:876
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
          PID:4228
        • C:\Windows\SysWOW64\cmd.exe
          /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
          3⤵
            PID:2584
          • C:\Windows\SysWOW64\cmd.exe
            /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
            3⤵
              PID:4592
            • C:\Program Files\Mozilla Firefox\Firefox.exe
              "C:\Program Files\Mozilla Firefox\Firefox.exe"
              3⤵
                PID:2856
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3780 -ip 3780
            1⤵
              PID:2124

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Scheduled Task

            1
            T1053

            Persistence

            Registry Run Keys / Startup Folder

            1
            T1060

            Scheduled Task

            1
            T1053

            Privilege Escalation

            Scheduled Task

            1
            T1053

            Defense Evasion

            Virtualization/Sandbox Evasion

            2
            T1497

            Modify Registry

            2
            T1112

            Credential Access

            Credentials in Files

            1
            T1081

            Discovery

            Query Registry

            5
            T1012

            Virtualization/Sandbox Evasion

            2
            T1497

            System Information Discovery

            4
            T1082

            Peripheral Device Discovery

            1
            T1120

            Lateral Movement

            Collection

            Data from Local System

            1
            T1005

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\DB1
              Filesize

              40KB

              MD5

              b608d407fc15adea97c26936bc6f03f6

              SHA1

              953e7420801c76393902c0d6bb56148947e41571

              SHA256

              b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

              SHA512

              cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\DB1
              Filesize

              48KB

              MD5

              349e6eb110e34a08924d92f6b334801d

              SHA1

              bdfb289daff51890cc71697b6322aa4b35ec9169

              SHA256

              c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

              SHA512

              2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\tmpBB61.tmp
              Filesize

              1KB

              MD5

              2132a33ff038d936578d19350367873c

              SHA1

              b4fc32df18074f049a4cdb4e3b81ae5b7a0d3ca4

              SHA256

              69ba4a903d5c902c7b603618e00a5178f74da478301ea14781edf75abb31f2b3

              SHA512

              663529effe0d70e6996ec66ef91939e1138efc73657504a522a0a35e22a928b6d05e2f5d7aa6ef8d65a0248a6ecf49b14564eef60d319c3c90b0294870fac51e

              Download Submit
            • memory/748-156-0x0000000000400000-0x000000000042B000-memory.dmp
              Filesize

              172KB

              Download
            • memory/748-148-0x00000000016C0000-0x00000000016D1000-memory.dmp
              Filesize

              68KB

              Download
            • memory/748-147-0x0000000001790000-0x0000000001ADA000-memory.dmp
              Filesize

              3.3MB

              Download
            • memory/748-143-0x0000000000400000-0x000000000042B000-memory.dmp
              Filesize

              172KB

              Download
            • memory/748-142-0x0000000000000000-mapping.dmp
              Download
            • memory/764-151-0x0000000070350000-0x000000007039C000-memory.dmp
              Filesize

              304KB

              Download
            • memory/764-152-0x0000000006E80000-0x0000000006E9E000-memory.dmp
              Filesize

              120KB

              Download
            • memory/764-138-0x0000000005310000-0x0000000005346000-memory.dmp
              Filesize

              216KB

              Download
            • memory/764-141-0x0000000006150000-0x0000000006172000-memory.dmp
              Filesize

              136KB

              Download
            • memory/764-165-0x0000000007F10000-0x0000000007F18000-memory.dmp
              Filesize

              32KB

              Download
            • memory/764-136-0x0000000000000000-mapping.dmp
              Download
            • memory/764-144-0x0000000006220000-0x0000000006286000-memory.dmp
              Filesize

              408KB

              Download
            • memory/764-145-0x00000000068E0000-0x00000000068FE000-memory.dmp
              Filesize

              120KB

              Download
            • memory/764-164-0x0000000007F30000-0x0000000007F4A000-memory.dmp
              Filesize

              104KB

              Download
            • memory/764-139-0x0000000005A70000-0x0000000006098000-memory.dmp
              Filesize

              6.2MB

              Download
            • memory/764-162-0x0000000007E20000-0x0000000007E2E000-memory.dmp
              Filesize

              56KB

              Download
            • memory/764-150-0x0000000006EA0000-0x0000000006ED2000-memory.dmp
              Filesize

              200KB

              Download
            • memory/764-158-0x0000000007E70000-0x0000000007F06000-memory.dmp
              Filesize

              600KB

              Download
            • memory/764-157-0x0000000007C60000-0x0000000007C6A000-memory.dmp
              Filesize

              40KB

              Download
            • memory/764-153-0x0000000008230000-0x00000000088AA000-memory.dmp
              Filesize

              6.5MB

              Download
            • memory/764-154-0x0000000007BF0000-0x0000000007C0A000-memory.dmp
              Filesize

              104KB

              Download
            • memory/876-155-0x0000000000000000-mapping.dmp
              Download
            • memory/876-168-0x0000000000280000-0x00000000002AB000-memory.dmp
              Filesize

              172KB

              Download
            • memory/876-166-0x00000000022E0000-0x0000000002370000-memory.dmp
              Filesize

              576KB

              Download
            • memory/876-159-0x0000000000350000-0x000000000048A000-memory.dmp
              Filesize

              1.2MB

              Download
            • memory/876-160-0x0000000000280000-0x00000000002AB000-memory.dmp
              Filesize

              172KB

              Download
            • memory/876-163-0x0000000002550000-0x000000000289A000-memory.dmp
              Filesize

              3.3MB

              Download
            • memory/1548-137-0x0000000000000000-mapping.dmp
              Download
            • memory/2584-170-0x0000000000000000-mapping.dmp
              Download
            • memory/3004-169-0x0000000002900000-0x0000000002A2D000-memory.dmp
              Filesize

              1.2MB

              Download
            • memory/3004-167-0x0000000002900000-0x0000000002A2D000-memory.dmp
              Filesize

              1.2MB

              Download
            • memory/3004-149-0x00000000080E0000-0x0000000008284000-memory.dmp
              Filesize

              1.6MB

              Download
            • memory/3780-134-0x0000000008BC0000-0x0000000008C5C000-memory.dmp
              Filesize

              624KB

              Download
            • memory/3780-133-0x00000000051E0000-0x00000000051EA000-memory.dmp
              Filesize

              40KB

              Download
            • memory/3780-130-0x0000000000720000-0x00000000007FA000-memory.dmp
              Filesize

              872KB

              Download
            • memory/3780-135-0x0000000008B20000-0x0000000008B86000-memory.dmp
              Filesize

              408KB

              Download
            • memory/3780-132-0x0000000005240000-0x00000000052D2000-memory.dmp
              Filesize

              584KB

              Download
            • memory/3780-131-0x0000000005750000-0x0000000005CF4000-memory.dmp
              Filesize

              5.6MB

              Download
            • memory/4228-161-0x0000000000000000-mapping.dmp
              Download
            • memory/4592-172-0x0000000000000000-mapping.dmp
              Download