Overview

overview

10

Static

static

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-09-2022 04:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    293KB

  • MD5

    960b0f8219762d17f6f47ee76275c7c1

  • SHA1

    ed0eaa1b2d7636d74713c86548842cdb72b8c8cd

  • SHA256

    b47cf0eaed7e3798e77eaf01aac5783f2c03f7db7802a5215523d4ccdc631bc5

  • SHA512

    06d9751f85266c92e666400dc911271e3354ca550a12a6e45386f46f23c56e02986d8a763f394ecbe470952379a752cb0ab26dee5dcc8d4cab84d28e34104ccc

  • SSDEEP

    6144:eqJT5/+TVlkf7jWDUaLOjYmCVdKrLVi2D9y4CUFHHv:e61+BIjbaafCi/Vi2D9yJU1

Score
10/10
xloaderzgtbloaderpersistenceratspywarestealer

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

zgtb

Decoy

gabriellep.com

honghe4.xyz

anisaofrendas.com

happy-tile.com

thesulkies.com

international-ipo.com

tazeco.info

hhhzzz.xyz

vrmonster.xyz

theearthresidencia.com

sportape.xyz

elshadaibaterias.com

koredeiihibi.com

taxtaa.com

globalcityb.com

fxivcama.com

dagsmith.com

elmar-bhp.com

peakice.net

jhcdjewelry.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader payload 5 IoCs
    rat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Blocklisted process makes network request 2 IoCs
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2576
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1224
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
        "Powershell" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\tmp.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%Namee%'
        3⤵
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:884
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        3⤵
          PID:3464
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          3⤵
            PID:5068
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:820
        • C:\Windows\SysWOW64\cmstp.exe
          "C:\Windows\SysWOW64\cmstp.exe"
          2⤵
          • Adds policy Run key to start application
          • Blocklisted process makes network request
          • Suspicious use of SetThreadContext
          • Drops file in Program Files directory
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3780
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            3⤵
              PID:2244
            • C:\Windows\SysWOW64\cmd.exe
              /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
              3⤵
                PID:1072
              • C:\Windows\SysWOW64\cmd.exe
                /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
                3⤵
                  PID:1392
                • C:\Program Files\Mozilla Firefox\Firefox.exe
                  "C:\Program Files\Mozilla Firefox\Firefox.exe"
                  3⤵
                    PID:1168

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Persistence

              Registry Run Keys / Startup Folder

              1
              T1060

              Privilege Escalation

              Defense Evasion

              Modify Registry

              3
              T1112

              Credential Access

              Credentials in Files

              1
              T1081

              Discovery

              Lateral Movement

              Collection

              Data from Local System

              1
              T1005

              Exfiltration

              Command and Control

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\DB1
                Filesize

                40KB

                MD5

                b608d407fc15adea97c26936bc6f03f6

                SHA1

                953e7420801c76393902c0d6bb56148947e41571

                SHA256

                b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

                SHA512

                cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\DB1
                Filesize

                48KB

                MD5

                349e6eb110e34a08924d92f6b334801d

                SHA1

                bdfb289daff51890cc71697b6322aa4b35ec9169

                SHA256

                c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

                SHA512

                2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

                Download Submit
              • memory/820-148-0x0000000001590000-0x00000000015A1000-memory.dmp
                Filesize

                68KB

                Download
              • memory/820-157-0x0000000000400000-0x000000000042B000-memory.dmp
                Filesize

                172KB

                Download
              • memory/820-154-0x00000000015F0000-0x0000000001601000-memory.dmp
                Filesize

                68KB

                Download
              • memory/820-153-0x0000000000400000-0x000000000042B000-memory.dmp
                Filesize

                172KB

                Download
              • memory/820-147-0x0000000001A90000-0x0000000001DDA000-memory.dmp
                Filesize

                3.3MB

                Download
              • memory/820-139-0x0000000000000000-mapping.dmp
                Download
              • memory/820-140-0x0000000000400000-0x000000000042B000-memory.dmp
                Filesize

                172KB

                Download
              • memory/884-151-0x00000000062B0000-0x00000000062CA000-memory.dmp
                Filesize

                104KB

                Download
              • memory/884-135-0x0000000000000000-mapping.dmp
                Download
              • memory/884-143-0x0000000005700000-0x0000000005766000-memory.dmp
                Filesize

                408KB

                Download
              • memory/884-144-0x0000000005770000-0x00000000057D6000-memory.dmp
                Filesize

                408KB

                Download
              • memory/884-146-0x0000000005DD0000-0x0000000005DEE000-memory.dmp
                Filesize

                120KB

                Download
              • memory/884-141-0x00000000050D0000-0x00000000056F8000-memory.dmp
                Filesize

                6.2MB

                Download
              • memory/884-142-0x0000000004E10000-0x0000000004E32000-memory.dmp
                Filesize

                136KB

                Download
              • memory/884-137-0x00000000024D0000-0x0000000002506000-memory.dmp
                Filesize

                216KB

                Download
              • memory/884-150-0x0000000006DB0000-0x0000000006E46000-memory.dmp
                Filesize

                600KB

                Download
              • memory/884-152-0x0000000006330000-0x0000000006352000-memory.dmp
                Filesize

                136KB

                Download
              • memory/1072-167-0x0000000000000000-mapping.dmp
                Download
              • memory/1224-133-0x0000000005F40000-0x00000000064E4000-memory.dmp
                Filesize

                5.6MB

                Download
              • memory/1224-132-0x0000000000F50000-0x0000000000FA0000-memory.dmp
                Filesize

                320KB

                Download
              • memory/1224-134-0x0000000005A30000-0x0000000005ACC000-memory.dmp
                Filesize

                624KB

                Download
              • memory/1392-169-0x0000000000000000-mapping.dmp
                Download
              • memory/2244-158-0x0000000000000000-mapping.dmp
                Download
              • memory/2576-164-0x0000000008900000-0x0000000008A16000-memory.dmp
                Filesize

                1.1MB

                Download
              • memory/2576-155-0x00000000087E0000-0x00000000088FC000-memory.dmp
                Filesize

                1.1MB

                Download
              • memory/2576-149-0x00000000077D0000-0x0000000007932000-memory.dmp
                Filesize

                1.4MB

                Download
              • memory/2576-162-0x00000000087E0000-0x00000000088FC000-memory.dmp
                Filesize

                1.1MB

                Download
              • memory/2576-166-0x0000000008900000-0x0000000008A16000-memory.dmp
                Filesize

                1.1MB

                Download
              • memory/3464-136-0x0000000000000000-mapping.dmp
                Download
              • memory/3780-156-0x0000000000000000-mapping.dmp
                Download
              • memory/3780-165-0x0000000000B70000-0x0000000000B9B000-memory.dmp
                Filesize

                172KB

                Download
              • memory/3780-163-0x0000000002AA0000-0x0000000002B30000-memory.dmp
                Filesize

                576KB

                Download
              • memory/3780-161-0x0000000002C70000-0x0000000002FBA000-memory.dmp
                Filesize

                3.3MB

                Download
              • memory/3780-159-0x0000000000BD0000-0x0000000000BE6000-memory.dmp
                Filesize

                88KB

                Download
              • memory/3780-160-0x0000000000B70000-0x0000000000B9B000-memory.dmp
                Filesize

                172KB

                Download
              • memory/5068-138-0x0000000000000000-mapping.dmp
                Download