Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/12/2023, 22:57

General

  • Target

    b9b9932c5a7b698cb2d56cdf8b1223c8.exe

  • Size

    1.6MB

  • MD5

    b9b9932c5a7b698cb2d56cdf8b1223c8

  • SHA1

    e38d3f830cde75c3ecf0d7081f8f9054fe0cf12e

  • SHA256

    bed07b0251d8d888bf2f397fbeca98f581aa8cbea1e460024dd0ecfdb14d0105

  • SHA512

    47401b3b48257dc59d2dd490c9f27102cf77a35de146736ab88339f697e37632726710021d899a63e4cb0d687b699738072f4594dde7760d82d6fb65c6c10b8f

  • SSDEEP

    24576:ZPT/2rW5oaXpcB7mVSaccPuvcd5OGQT/1/0nS+7n4SYwqK4zf3RTsAHWAgqChJ+B:dCyiecVBKSJT2mS+TdpNQuiNB/e

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

dt9v

Decoy


Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9b9932c5a7b698cb2d56cdf8b1223c8.exe
    "C:\Users\Admin\AppData\Local\Temp\b9b9932c5a7b698cb2d56cdf8b1223c8.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:888
    • C:\Users\Admin\AppData\Local\Temp\b9b9932c5a7b698cb2d56cdf8b1223c8.exe
      "C:\Users\Admin\AppData\Local\Temp\b9b9932c5a7b698cb2d56cdf8b1223c8.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2492

Network

MITRE ATT&CK Matrix

Downloads

  • memory/888-6-0x0000000005400000-0x0000000005478000-memory.dmp (Filesize: 480KB)
  • memory/888-7-0x0000000000580000-0x00000000005B0000-memory.dmp (Filesize: 192KB)
  • memory/888-2-0x0000000004B60000-0x0000000004BA0000-memory.dmp (Filesize: 256KB)
  • memory/888-3-0x0000000000410000-0x0000000000446000-memory.dmp (Filesize: 216KB)
  • memory/888-4-0x0000000074E50000-0x000000007553E000-memory.dmp (Filesize: 6.9MB)
  • memory/888-5-0x0000000004B60000-0x0000000004BA0000-memory.dmp (Filesize: 256KB)
  • memory/888-13-0x0000000074E50000-0x000000007553E000-memory.dmp (Filesize: 6.9MB)
  • memory/888-0-0x0000000000B40000-0x0000000000CD6000-memory.dmp (Filesize: 1.6MB)
  • memory/888-1-0x0000000074E50000-0x000000007553E000-memory.dmp (Filesize: 6.9MB)
  • memory/2492-8-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize: 160KB)
  • memory/2492-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
  • memory/2492-9-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize: 160KB)
  • memory/2492-14-0x0000000000730000-0x0000000000A33000-memory.dmp (Filesize: 3.0MB)
  • memory/2492-12-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize: 160KB)