Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/12/2023, 22:57

General

  • Target

    Sales Order.exe

  • Size

    1014KB

  • MD5

    fd84eb337a51966294ba08722170bf46

  • SHA1

    1f529d60e2dc50deaac59af322708039da33c3be

  • SHA256

    8da806444010084307c77bf3a69f66ca36c15920bd7b9f60fdcf35fccd460701

  • SHA512

    a522ba8c6daddbf69f711ef859c7e8fb79e2ab00372e6626af9119d82ef8cf22b0e2ebcc1897cd88810be5ee01b11e0950dbf0853ceb630de3e916ac3bacd847

  • SSDEEP

    12288:rFhlsU1cTDO+emag5IFyPK7yMmeP1vwdyAook1GZEUFA1Vk82C867LiuNyxv2AdU:rFhlXcOyeL3JStX+PbLk2QHQ

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

p6f2

Decoy

redsnews.com

vr859.com

postmasterstudios.com

hampsteadorganizer.com

hangshop.net

maheshwaramlawcollege.com

5156087.com

gtaaddict.com

faj.xyz

drivechicagoillinois.com

neerutech.com

b2brahmas.com

freshlookks.com

propertyparallel.tech

tlwbyads.com

sellektorkids.com

dexs.fyi

kileybrock.com

nervstudio.com

tosg-ltd.com

Signatures

  • Detect ZGRat V1 1 IoCs
  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Xloader payload 4 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Users\Admin\AppData\Local\Temp\Sales Order.exe
      "C:\Users\Admin\AppData\Local\Temp\Sales Order.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Users\Admin\AppData\Local\Temp\Sales Order.exe
        "C:\Users\Admin\AppData\Local\Temp\Sales Order.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2712
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2588
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Sales Order.exe"
        3⤵
        • Deletes itself
        PID:2616
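The tree above is the classic Formbook/Xloader execution chain: the dropper (PID 2184) launches a copy of its own image (PID 2712) and hollows it with SetThreadContext; the payload is injected into Explorer.EXE (PID 1384), which then starts a Windows binary from SysWOW64 with no arguments (mstsc.exe, PID 2588) as the long-lived host; and that host runs `cmd.exe /c del` against the original sample so the dropper disappears from disk. Each of those three steps is detectable from process-creation telemetry alone. The script below is an added example, not part of the report or of any product; it replays the report's PIDs, images and command lines as constructed Sysmon-style Event ID 1 records (field names are illustrative, explorer's own parent is not in the report and is left as None) and flags each step.

```python
"""Flag the Formbook/Xloader process-tree pattern from process-creation events:

  1. a process re-launches its own image (second stage that the parent
     hollows out with SetThreadContext),
  2. explorer.exe spawns a System32/SysWOW64 binary with an empty argument
     list (injected explorer picking a host process, here mstsc.exe),
  3. that host runs `cmd.exe /c del "<path>"` where <path> is the image of
     another process in the tree (the dropper being deleted).

EVENTS is constructed from the report's process tree; the dict keys loosely
follow Sysmon Event ID 1 but nothing here reads real logs.
"""
import re

SALES_ORDER = r"C:\Users\Admin\AppData\Local\Temp\Sales Order.exe"

EVENTS = [
    {"pid": 1384, "ppid": None, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 2184, "ppid": 1384, "image": SALES_ORDER,
     "cmdline": f'"{SALES_ORDER}"'},
    {"pid": 2712, "ppid": 2184, "image": SALES_ORDER,
     "cmdline": f'"{SALES_ORDER}"'},
    {"pid": 2588, "ppid": 1384, "image": r"C:\Windows\SysWOW64\mstsc.exe",
     "cmdline": r'"C:\Windows\SysWOW64\mstsc.exe"'},
    {"pid": 2616, "ppid": 2588, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'/c del "{SALES_ORDER}"'},
]

SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")
# `/c del <path>` with or without surrounding quotes; group 1 is the path.
DEL_RE = re.compile(r'/c\s+del\s+"?(.+?)"?\s*$', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def self_relaunch(events, by_pid):
    """PIDs whose image equals their parent's image."""
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower() == e["image"].lower():
            hits.append(e["pid"])
    return hits


def explorer_spawns_system_binary(events, by_pid):
    """PIDs of system-directory binaries started by explorer.exe whose
    command line is nothing but the image path (no arguments at all)."""
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if not parent or basename(parent["image"]) != "explorer.exe":
            continue
        image = e["image"].lower()
        bare = e["cmdline"].strip().strip('"').lower()
        if image.startswith(SYSTEM_DIRS) and bare == image:
            hits.append(e["pid"])
    return hits


def self_delete_via_host(events, by_pid):
    """cmd.exe deleting a path that is the image of some process other than
    cmd's own parent: the host process erasing the dropper."""
    findings = []
    for e in events:
        if basename(e["image"]) != "cmd.exe":
            continue
        m = DEL_RE.search(e["cmdline"])
        if not m:
            continue
        target = m.group(1).lower()
        victims = [o["pid"] for o in events
                   if o["image"].lower() == target and o["pid"] != e["ppid"]]
        if victims:
            findings.append({"cmd_pid": e["pid"], "host_pid": e["ppid"],
                             "deleted": m.group(1), "victims": victims})
    return findings


def analyze(events):
    by_pid = {e["pid"]: e for e in events}
    return {
        "self_relaunch": self_relaunch(events, by_pid),
        "explorer_to_system_binary": explorer_spawns_system_binary(events, by_pid),
        "self_delete": self_delete_via_host(events, by_pid),
    }


if __name__ == "__main__":
    for name, hits in analyze(EVENTS).items():
        print(f"{name}: {hits}")
```

Step 2 on its own will also fire when a user launches a system tool from the Start menu, so treat it as corroboration for steps 1 and 3 rather than an alert by itself; step 3 (a system binary's child cmd.exe deleting a file that is another running process's image) is rare enough in normal use to alert on directly.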

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1384-25-0x0000000006B20000-0x0000000006C3D000-memory.dmp

    Filesize

    1.1MB

  • memory/1384-16-0x0000000006B20000-0x0000000006C3D000-memory.dmp

    Filesize

    1.1MB

  • memory/1384-14-0x0000000003580000-0x0000000003680000-memory.dmp

    Filesize

    1024KB

  • memory/2184-3-0x0000000000540000-0x00000000005C0000-memory.dmp

    Filesize

    512KB

  • memory/2184-4-0x0000000000440000-0x0000000000456000-memory.dmp

    Filesize

    88KB

  • memory/2184-0-0x0000000000940000-0x0000000000A44000-memory.dmp

    Filesize

    1.0MB

  • memory/2184-10-0x0000000074310000-0x00000000749FE000-memory.dmp

    Filesize

    6.9MB

  • memory/2184-2-0x0000000004E50000-0x0000000004E90000-memory.dmp

    Filesize

    256KB

  • memory/2184-1-0x0000000074310000-0x00000000749FE000-memory.dmp

    Filesize

    6.9MB

  • memory/2588-17-0x0000000000650000-0x0000000000754000-memory.dmp

    Filesize

    1.0MB

  • memory/2588-23-0x0000000001FC0000-0x000000000204F000-memory.dmp

    Filesize

    572KB

  • memory/2588-21-0x00000000000D0000-0x00000000000F8000-memory.dmp

    Filesize

    160KB

  • memory/2588-20-0x00000000020C0000-0x00000000023C3000-memory.dmp

    Filesize

    3.0MB

  • memory/2588-19-0x00000000000D0000-0x00000000000F8000-memory.dmp

    Filesize

    160KB

  • memory/2588-18-0x0000000000650000-0x0000000000754000-memory.dmp

    Filesize

    1.0MB

  • memory/2712-5-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/2712-15-0x0000000000120000-0x0000000000130000-memory.dmp

    Filesize

    64KB

  • memory/2712-13-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/2712-11-0x0000000000A50000-0x0000000000D53000-memory.dmp

    Filesize

    3.0MB

  • memory/2712-9-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/2712-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2712-6-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB