Overview

overview

10

Static

static

Invoice&sh...ts.exe

windows7-x64

10

Invoice&sh...ts.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    16-08-2022 06:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice&shipments documents.exe

  • Size

    68KB

  • MD5

    851f82e1941a676ce825320ebff94857

  • SHA1

    30b9dbf2b97c20401b42188a335897994bce073e

  • SHA256

    724856634d2e8796b6f0b6950ebdf98d32679ed73a8a65b995447ecd9098a0dc

  • SHA512

    33f78bad1244d8c4859c1ed2f2276d10e821b14485213291cdb8d546415177884e8dfa710cbc48937d62eb8d75716b212c5811e5499a97de9de2a9cca83a408e

Score
10/10
xloaderv4qploaderpersistencerat

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

v4qp

Decoy

je1XQKU1LfJPVLk=

nvf41a7FsTLs6uB/g+CR

U7mryF6DctZn6GEjr9Bm4g==

1SONGrPdh7wGEOXp3g==

2xX859r7qOFq7GYkr9Bm4g==

IYtzVUx0Oo0HmZawLQAARDvBf4dL

NH3iuBPNSzZTvpw/4KaG

rDehfiqIPbdMBS8G1g==

xhb2uJ0eBwo7k3djqxh60xoNt4VoeQ==

AFtKux3JgPGRkx3xUsciR6piSg==

m+3VoJadWcBvOAPpzKUNPoAxyplS

1DWKULdka3mxIKhEqGxQr7gxyplS

DGlFGBqWi5CtrCX9alyTuPzq

muvVM4slyTfxORwAZisVksCM78aSEVo=

D3biNgUbyg9E5pl+

/+1QLPssvl/Xxg==

I4lzTjaAcc1iBS8G1g==

wSwc4MmbShojhlZCrniTuPzq

jN5YO6ZXSfJPVLk=

4TUS4+ANuqHCRTM9sniTuPzq

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader payload 5 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Users\Admin\AppData\Local\Temp\Invoice&shipments documents.exe
      "C:\Users\Admin\AppData\Local\Temp\Invoice&shipments documents.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1132
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAOAA=
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:756
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1708
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1624
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        3⤵
          PID:1704

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/756-58-0x0000000000000000-mapping.dmp
      Download
    • memory/756-61-0x000000006EED0000-0x000000006F47B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/756-60-0x000000006EED0000-0x000000006F47B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/1132-54-0x0000000000DA0000-0x0000000000DB6000-memory.dmp
      Filesize

      88KB

      Download
    • memory/1132-57-0x00000000041C0000-0x00000000041EA000-memory.dmp
      Filesize

      168KB

      Download
    • memory/1132-56-0x0000000005910000-0x0000000005ABE000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/1132-55-0x0000000075561000-0x0000000075563000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1212-81-0x00000000060C0000-0x0000000006218000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1212-79-0x00000000060C0000-0x0000000006218000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1212-71-0x0000000005F70000-0x00000000060B6000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1624-80-0x0000000000090000-0x00000000000BC000-memory.dmp
      Filesize

      176KB

      Download
    • memory/1624-78-0x0000000000A50000-0x0000000000AE0000-memory.dmp
      Filesize

      576KB

      Download
    • memory/1624-77-0x0000000002340000-0x0000000002643000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1624-74-0x0000000000F20000-0x0000000000F34000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1624-75-0x0000000000090000-0x00000000000BC000-memory.dmp
      Filesize

      176KB

      Download
    • memory/1624-72-0x0000000000000000-mapping.dmp
      Download
    • memory/1704-76-0x0000000000000000-mapping.dmp
      Download
    • memory/1708-70-0x0000000000160000-0x0000000000171000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1708-69-0x0000000000A40000-0x0000000000D43000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1708-68-0x0000000000400000-0x000000000042C000-memory.dmp
      Filesize

      176KB

      Download
    • memory/1708-66-0x000000000041F6E0-mapping.dmp
      Download
    • memory/1708-65-0x0000000000400000-0x000000000042C000-memory.dmp
      Filesize

      176KB

      Download
    • memory/1708-63-0x0000000000400000-0x000000000042C000-memory.dmp
      Filesize

      176KB

      Download
    • memory/1708-62-0x0000000000400000-0x000000000042C000-memory.dmp
      Filesize

      176KB

      Download