Overview

overview

10

Static

static

shipping d...ts.exe

windows7-x64

10

shipping d...ts.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
  • submitted
    18-07-2022 18:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    shipping documents.exe

  • Size

    1.1MB

  • MD5

    38f1024d533a747d3ada057be9175db1

  • SHA1

    9ab84365d2ab9ef77bda9b75764e1e1780bdae8c

  • SHA256

    0c5f0ad9fb94fbfc2dde1c830cdcdb2c96f27530d500734d0478fd9bc068a8bb

  • SHA512

    d19cb83af73434fedb0efa1585a3a5bc33c478ad3986f15fcbb82c8b2ea4882d8f135f703374b57b2ac5a78fb3e9d1ebf9be2ae26aea09ea551c7d5cb19a3c6d

Score
10/10
xloaderpdrqevasionloaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

pdrq

Decoy

welchsunstar.com

mppservicesllc.com

wiresofteflon.com

brabov.xyz

compnonoch.site

yourbuilderworks.com

iamsamirahman.com

eriqoes.com

eastudio.design

skyearth-est.com

teethfitness.com

razaancreates.com

shfbfs.com

joyfulbrokekids.com

kjbolden.com

howirep.com

deedeesmainecoons.website

e-powair.com

aheatea.com

shalfey0009.xyz

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Xloader payload 5 IoCs
    rat
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1396
    • C:\Users\Admin\AppData\Local\Temp\shipping documents.exe
      "C:\Users\Admin\AppData\Local\Temp\shipping documents.exe"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Maps connected drives based on registry
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1824
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hpmoZai.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1668
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hpmoZai" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE7E0.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:580
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:840
    • C:\Windows\SysWOW64\systray.exe
      "C:\Windows\SysWOW64\systray.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1004
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
          PID:2004

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Virtualization/Sandbox Evasion

    2
    T1497

    Credential Access

    Discovery

    Query Registry

    4
    T1012

    Virtualization/Sandbox Evasion

    2
    T1497

    System Information Discovery

    3
    T1082

    Peripheral Device Discovery

    1
    T1120

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpE7E0.tmp
      Filesize

      1KB

      MD5

      79aebe118957dba349fac83795be0298

      SHA1

      87dd2501f8f773b06b4cce5f9405d23e2e962839

      SHA256

      ce2832e58e0e172f038bd84666ca23ee665242ed1d2fd3e69e9147197d1ce49a

      SHA512

      6d4c7975829e79209f4e055948d0821d48e49139218345eea4d764770d8f81253eee8d9851c0eff1b94f759720372f0508ec84f8d9d7905df2943c5e5655f1b2

      Download Submit
    • memory/580-66-0x0000000000000000-mapping.dmp
      Download
    • memory/840-82-0x0000000000400000-0x000000000042B000-memory.dmp
      Filesize

      172KB

      Download
    • memory/840-78-0x0000000000290000-0x00000000002A1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/840-77-0x0000000000870000-0x0000000000B73000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/840-74-0x000000000041F270-mapping.dmp
      Download
    • memory/840-73-0x0000000000400000-0x000000000042B000-memory.dmp
      Filesize

      172KB

      Download
    • memory/840-71-0x0000000000400000-0x000000000042B000-memory.dmp
      Filesize

      172KB

      Download
    • memory/840-70-0x0000000000400000-0x000000000042B000-memory.dmp
      Filesize

      172KB

      Download
    • memory/1004-81-0x0000000000000000-mapping.dmp
      Download
    • memory/1004-84-0x0000000000AE0000-0x0000000000AE5000-memory.dmp
      Filesize

      20KB

      Download
    • memory/1004-89-0x00000000000C0000-0x00000000000EB000-memory.dmp
      Filesize

      172KB

      Download
    • memory/1004-87-0x0000000000980000-0x0000000000A10000-memory.dmp
      Filesize

      576KB

      Download
    • memory/1004-86-0x00000000000C0000-0x00000000000EB000-memory.dmp
      Filesize

      172KB

      Download
    • memory/1004-85-0x0000000002080000-0x0000000002383000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1396-79-0x0000000003DD0000-0x0000000003E99000-memory.dmp
      Filesize

      804KB

      Download
    • memory/1396-90-0x0000000006920000-0x0000000006A80000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1396-88-0x0000000006920000-0x0000000006A80000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1668-80-0x000000006DD50000-0x000000006E2FB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1668-65-0x0000000000000000-mapping.dmp
      Download
    • memory/1668-75-0x000000006DD50000-0x000000006E2FB000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1824-54-0x0000000000060000-0x0000000000172000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/1824-64-0x0000000004B30000-0x0000000004BAA000-memory.dmp
      Filesize

      488KB

      Download
    • memory/1824-56-0x0000000000AF0000-0x0000000000B04000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1824-60-0x0000000006FD0000-0x0000000006FE4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1824-55-0x0000000075741000-0x0000000075743000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1824-61-0x0000000007090000-0x00000000070A4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1824-69-0x0000000004EF0000-0x0000000004F22000-memory.dmp
      Filesize

      200KB

      Download
    • memory/1824-62-0x0000000007970000-0x0000000007984000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1824-63-0x00000000042C0000-0x00000000042CE000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1824-57-0x0000000001F80000-0x0000000001F94000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1824-58-0x0000000002020000-0x0000000002034000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1824-59-0x0000000006ED0000-0x0000000006EE4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/2004-83-0x0000000000000000-mapping.dmp
      Download