Overview

overview

10

Static

static

10

33.exe

windows10-2004-x64

10

34.exe

windows10-2004-x64

10

35.exe

windows10-2004-x64

10

36.exe

windows10-2004-x64

10

37.exe

windows10-2004-x64

10

38.exe

windows10-2004-x64

10

39.exe

windows10-2004-x64

10

40.exe

windows10-2004-x64

10

41.exe

windows10-2004-x64

10

42.exe

windows10-2004-x64

10

43.exe

windows10-2004-x64

10

44.exe

windows10-2004-x64

10

45.exe

windows10-2004-x64

10

46.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    160s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-09-2022 03:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    41.exe

  • Size

    176KB

  • MD5

    228b0bc29a751779e97f60e14a1b9f57

  • SHA1

    0c735257db6d9afc8ee6a656a8634310411a049f

  • SHA256

    5480ecfb5e60326a88fe45eb2adf3d9bc67e26fc2fc7800609a467e6a5f77444

  • SHA512

    9a22551428299be14f05dfe3f0f1d710a1a15b794da3e0671abadd934fc576ba022458579d73cfe777c3599fd3c8859c118fa1b632cc7ce2c67108ad42af95f1

  • SSDEEP

    3072:yTjyF3P55Z+0IhW59LQUlOsdZNjIZfR5/VUmhFaIItneeVw65z:33h5JI8LQKj3NjIZfR5/uCFaIItlVw6

Score
10/10
xloaderloaderpersistenceratspywarestealer

Malware Config

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader payload 2 IoCs
    rat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3092
    • C:\Users\Admin\AppData\Local\Temp\41.exe
      "C:\Users\Admin\AppData\Local\Temp\41.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:380
    • C:\Windows\SysWOW64\cmstp.exe
      "C:\Windows\SysWOW64\cmstp.exe"
      2⤵
      • Adds policy Run key to start application
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4928
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\41.exe"
        3⤵
          PID:1288
        • C:\Program Files\Mozilla Firefox\Firefox.exe
          "C:\Program Files\Mozilla Firefox\Firefox.exe"
          3⤵
            PID:2312

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      3
      T1112

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/380-132-0x0000000000AC0000-0x0000000000E0A000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/380-133-0x00000000005F0000-0x0000000000601000-memory.dmp
        Filesize

        68KB

        Download
      • memory/1288-136-0x0000000000000000-mapping.dmp
        Download
      • memory/3092-134-0x0000000007CD0000-0x0000000007D99000-memory.dmp
        Filesize

        804KB

        Download
      • memory/3092-142-0x0000000008620000-0x0000000008792000-memory.dmp
        Filesize

        1.4MB

        Download
      • memory/3092-143-0x0000000008620000-0x0000000008792000-memory.dmp
        Filesize

        1.4MB

        Download
      • memory/4928-135-0x0000000000000000-mapping.dmp
        Download
      • memory/4928-137-0x00000000008C0000-0x00000000008D6000-memory.dmp
        Filesize

        88KB

        Download
      • memory/4928-139-0x0000000002B40000-0x0000000002E8A000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/4928-138-0x0000000000C00000-0x0000000000C2C000-memory.dmp
        Filesize

        176KB

        Download
      • memory/4928-140-0x0000000000C00000-0x0000000000C2C000-memory.dmp
        Filesize

        176KB

        Download
      • memory/4928-141-0x00000000028E0000-0x0000000002970000-memory.dmp
        Filesize

        576KB

        Download