Analysis

  • max time kernel
    118s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2023, 06:47

General

  • Target

    116824e0971300e9e2efe0f1c2d3f8c6.exe

  • Size

    527KB

  • MD5

    116824e0971300e9e2efe0f1c2d3f8c6

  • SHA1

    f5d38b9fc94e20f2dfed7b3e691ff65f7071bb65

  • SHA256

    9f019f0bf99f5d64605c844792ed965f8be65b9378404c8792311ba56edd83cc

  • SHA512

    78ac49e39f70d96b778aed2208962e0a222e19d0a1b7d438455a4aa474562d2e8be8fa29e90203cb99391468bd71fbd75a4f62495d12b6fac24a678cdca6d7f5

  • SSDEEP

    12288:5hQVh9a17gNm5YnXDdx2OjKhNHySntn/jZF+xF/M+lNuXYQ5xOOahZwE:5hQVh9FDdx2GKzSStrKxF/MtHrah2E

Score
10/10

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.3

  • Campaign

    fznn

  • Decoy

    petmarketsolutions.com
    themummymarketplace.com
    themidnightcollectivepdx.com
    detoxshake.site
    ross76.com
    tom-tours2020.com
    domoservis.com
    allcombuildingsvc.com
    padelshop.online
    wosaying.com
    heafg.com
    inglesbrasileiro.com
    santaclausonline.net
    voiceofmagic.com
    lafayettelc.com
    communal-sleeve.net
    extremecouponing.online
    mypomate.com
    rtdrillbit.com
    therealtortaylor.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\116824e0971300e9e2efe0f1c2d3f8c6.exe
    "C:\Users\Admin\AppData\Local\Temp\116824e0971300e9e2efe0f1c2d3f8c6.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Users\Admin\AppData\Local\Temp\116824e0971300e9e2efe0f1c2d3f8c6.exe
      "C:\Users\Admin\AppData\Local\Temp\116824e0971300e9e2efe0f1c2d3f8c6.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 36
        3⤵
        • Program crash
        PID:2168

Network

MITRE ATT&CK Matrix


Downloads

  • memory/2536-0-0x00000000011A0000-0x00000000011F4000-memory.dmp (Filesize: 336KB)
  • memory/2536-1-0x00000000000F0000-0x00000000000F2000-memory.dmp (Filesize: 8KB)
  • memory/2536-4-0x00000000011A0000-0x00000000011F4000-memory.dmp (Filesize: 336KB)
  • memory/2800-2-0x0000000000080000-0x00000000000A8000-memory.dmp (Filesize: 160KB)