xloader | e4c8d479759c6e189b3fa55159cb4399e47934d39cc3cbd28e2e75ba826ba86a

General

Target

e4c8d479759c6e189b3fa55159cb4399e47934d39cc3cbd28e2e75ba826ba86a.exe
Size

206KB
MD5

5617428ac63756a9a47d7c52603406d4
SHA1

5bc937e71aa0aab508360370a557f683675dc832
SHA256

e4c8d479759c6e189b3fa55159cb4399e47934d39cc3cbd28e2e75ba826ba86a
SHA512

25ef32b02505f1f334e4e86a6ef181ba531890219d6662152d71fbef7165e65bcfe84e347ff5f2d418c1c102781b2d6f38da7a84b7559be1a3180e14fbbd254d
SSDEEP

6144:59X0GvV6IedPyUuHwdkOGlQm52B/qsAs1SZXKyL/Klm:/0SV/Ui4GlQm52NqsAs1SUK7

Score

10^/10

xloader siwq loader rat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

siwq

Decoy

pestcontrolcleaning.com

openpandoras.com

timmsoski.com

viva-hair.com

icebergpeakgaming.com

pebblecreatives.com

marydilip.info

ashtonmaker.com

aclarandocafe.com

apibet365.com

maddykellyactor.com

sxtengchi.com

victoriamassage.net

html15.com

bamabailbonding.com

ltknudsen.com

haziee.com

knenglishkor.com

inpolychrome.com

inishcorp.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/760-141-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/760-146-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/4928-149-0x0000000000F40000-0x0000000000F69000-memory.dmp	xloader
behavioral2/memory/4928-153-0x0000000000F40000-0x0000000000F69000-memory.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

tiv727shx.exetiv727shx.exe

pid process

532 tiv727shx.exe
760 tiv727shx.exe
Loads dropped DLL 1 IoCs

Processes:

tiv727shx.exe

pid process

532 tiv727shx.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

tiv727shx.exetiv727shx.execolorcpl.exe

description	pid	process	target process
PID 532 set thread context of 760	532	tiv727shx.exe	tiv727shx.exe
PID 760 set thread context of 1028	760	tiv727shx.exe	Explorer.EXE
PID 4928 set thread context of 1028	4928	colorcpl.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tiv727shx.exetiv727shx.execolorcpl.exe

pid	process
532	tiv727shx.exe
532	tiv727shx.exe
532	tiv727shx.exe
532	tiv727shx.exe
532	tiv727shx.exe
532	tiv727shx.exe
532	tiv727shx.exe
532	tiv727shx.exe
760	tiv727shx.exe
760	tiv727shx.exe
760	tiv727shx.exe
760	tiv727shx.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe
4928	colorcpl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1028 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

tiv727shx.exetiv727shx.execolorcpl.exe

pid process

532 tiv727shx.exe
760 tiv727shx.exe
760 tiv727shx.exe
760 tiv727shx.exe
4928 colorcpl.exe
4928 colorcpl.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tiv727shx.execolorcpl.exe

description pid process

Token: SeDebugPrivilege 760 tiv727shx.exe
Token: SeDebugPrivilege 4928 colorcpl.exe

pid	process
1028	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	760	tiv727shx.exe
Token: SeDebugPrivilege	4928	colorcpl.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

e4c8d479759c6e189b3fa55159cb4399e47934d39cc3cbd28e2e75ba826ba86a.exetiv727shx.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 2212 wrote to memory of 532	2212	e4c8d479759c6e189b3fa55159cb4399e47934d39cc3cbd28e2e75ba826ba86a.exe	tiv727shx.exe
PID 2212 wrote to memory of 532	2212	e4c8d479759c6e189b3fa55159cb4399e47934d39cc3cbd28e2e75ba826ba86a.exe	tiv727shx.exe
PID 2212 wrote to memory of 532	2212	e4c8d479759c6e189b3fa55159cb4399e47934d39cc3cbd28e2e75ba826ba86a.exe	tiv727shx.exe
PID 532 wrote to memory of 760	532	tiv727shx.exe	tiv727shx.exe
PID 532 wrote to memory of 760	532	tiv727shx.exe	tiv727shx.exe
PID 532 wrote to memory of 760	532	tiv727shx.exe	tiv727shx.exe
PID 532 wrote to memory of 760	532	tiv727shx.exe	tiv727shx.exe
PID 1028 wrote to memory of 4928	1028	Explorer.EXE	colorcpl.exe
PID 1028 wrote to memory of 4928	1028	Explorer.EXE	colorcpl.exe
PID 1028 wrote to memory of 4928	1028	Explorer.EXE	colorcpl.exe
PID 4928 wrote to memory of 372	4928	colorcpl.exe	cmd.exe
PID 4928 wrote to memory of 372	4928	colorcpl.exe	cmd.exe
PID 4928 wrote to memory of 372	4928	colorcpl.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1028

C:\Users\Admin\AppData\Local\Temp\e4c8d479759c6e189b3fa55159cb4399e47934d39cc3cbd28e2e75ba826ba86a.exe
"C:\Users\Admin\AppData\Local\Temp\e4c8d479759c6e189b3fa55159cb4399e47934d39cc3cbd28e2e75ba826ba86a.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2212

C:\Users\Admin\AppData\Local\Temp\tiv727shx.exe
"C:\Users\Admin\AppData\Local\Temp\tiv727shx.exe" "C:\Users\Admin\AppData\Local\Temp\olac3zs7jm3rr4i.dll" "C:\Users\Admin\AppData\Local\Temp\jjessap.d"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:532

C:\Users\Admin\AppData\Local\Temp\tiv727shx.exe
"C:\Users\Admin\AppData\Local\Temp\tiv727shx.exe" "C:\Users\Admin\AppData\Local\Temp\olac3zs7jm3rr4i.dll" "C:\Users\Admin\AppData\Local\Temp\jjessap.d"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\tiv727shx.exe"
3⤵
PID:372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jjessap.d
Filesize
161KB

MD5
f0321013d66a05ad984d95f978e4d7e4

SHA1
62233a1aad01dc0044c91fa54431ad0110cf9288

SHA256
835734f506366a4ee16f26febc1a8dece7df7692e4f1dbc4f1fb6f4a2fbc7027

SHA512
56b073d76fb1055547bdbcebe03e6cf287acda67ac05168d75de981fc6c12d8a305a513cc7cb31ed6764f0a02da8b3630a8f71b412f87c4d6947ebaf22a4dd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\olac3zs7jm3rr4i.dll
Filesize
12KB

MD5
5d58523f0a1d1cf356ae4975bddf6877

SHA1
29f74dcdb22286f06d611ac9870729e98fbb3d4c

SHA256
88cdd8bb77b8f457d9b2b5a011392d82acdbd848e6440f0563ecf37058d7c554

SHA512
afee0847e1627f7ccf76fd524867bd486e95c3acf0890e00ca117ef4dfebff71c890478dc20b9fec12b954449842593661e623edf9849b5bee613624cc0be498

Download Submit
C:\Users\Admin\AppData\Local\Temp\olac3zs7jm3rr4i.dll
Filesize
12KB

MD5
5d58523f0a1d1cf356ae4975bddf6877

SHA1
29f74dcdb22286f06d611ac9870729e98fbb3d4c

SHA256
88cdd8bb77b8f457d9b2b5a011392d82acdbd848e6440f0563ecf37058d7c554

SHA512
afee0847e1627f7ccf76fd524867bd486e95c3acf0890e00ca117ef4dfebff71c890478dc20b9fec12b954449842593661e623edf9849b5bee613624cc0be498

Download Submit
C:\Users\Admin\AppData\Local\Temp\tiv727shx.exe
Filesize
3KB

MD5
2f1d8da9ad48cdefe35d05d56e02e453

SHA1
37fb5e77ebe2b30d021bc5a4021efd679de6dd49

SHA256
83e70a9a3067a8deb5ec5e472a80d3e5f6d82f90c0b5067c973c3077e43d2ca1

SHA512
55c1e8618dad28fa2e40666e9707374604a980ae6791b5b2253d137b77af57fa30a3410da836cdeabee0dd9b3356e7ba53dc113dc13e1016e1f4b74273f2921f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tiv727shx.exe
Filesize
3KB

MD5
2f1d8da9ad48cdefe35d05d56e02e453

SHA1
37fb5e77ebe2b30d021bc5a4021efd679de6dd49

SHA256
83e70a9a3067a8deb5ec5e472a80d3e5f6d82f90c0b5067c973c3077e43d2ca1

SHA512
55c1e8618dad28fa2e40666e9707374604a980ae6791b5b2253d137b77af57fa30a3410da836cdeabee0dd9b3356e7ba53dc113dc13e1016e1f4b74273f2921f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tiv727shx.exe
Filesize
3KB

MD5
2f1d8da9ad48cdefe35d05d56e02e453

SHA1
37fb5e77ebe2b30d021bc5a4021efd679de6dd49

SHA256
83e70a9a3067a8deb5ec5e472a80d3e5f6d82f90c0b5067c973c3077e43d2ca1

SHA512
55c1e8618dad28fa2e40666e9707374604a980ae6791b5b2253d137b77af57fa30a3410da836cdeabee0dd9b3356e7ba53dc113dc13e1016e1f4b74273f2921f

Download Submit
memory/372-147-0x0000000000000000-mapping.dmp

Download
memory/532-132-0x0000000000000000-mapping.dmp

Download
memory/532-140-0x0000000074380000-0x0000000074387000-memory.dmp

Filesize
28KB

Download
memory/760-138-0x0000000000000000-mapping.dmp

Download
memory/760-143-0x0000000000ED0000-0x0000000000EE1000-memory.dmp

Filesize
68KB

Download
memory/760-146-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/760-141-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/760-142-0x00000000009F0000-0x0000000000D3A000-memory.dmp

Filesize
3.3MB

Download
memory/1028-152-0x0000000007F20000-0x0000000008037000-memory.dmp

Filesize
1.1MB

Download
memory/1028-144-0x00000000080E0000-0x000000000825E000-memory.dmp

Filesize
1.5MB

Download
memory/1028-154-0x0000000007F20000-0x0000000008037000-memory.dmp

Filesize
1.1MB

Download
memory/4928-148-0x00000000003B0000-0x00000000003C9000-memory.dmp

Filesize
100KB

Download
memory/4928-150-0x0000000003110000-0x000000000345A000-memory.dmp

Filesize
3.3MB

Download
memory/4928-151-0x0000000002E60000-0x0000000002EF0000-memory.dmp

Filesize
576KB

Download
memory/4928-149-0x0000000000F40000-0x0000000000F69000-memory.dmp

Filesize
164KB

Download
memory/4928-153-0x0000000000F40000-0x0000000000F69000-memory.dmp

Filesize
164KB

Download
memory/4928-145-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads