Analysis

  • max time kernel
    145s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/12/2023, 06:47

General

  • Target

    116824e0971300e9e2efe0f1c2d3f8c6.exe

  • Size

    527KB

  • MD5

    116824e0971300e9e2efe0f1c2d3f8c6

  • SHA1

    f5d38b9fc94e20f2dfed7b3e691ff65f7071bb65

  • SHA256

    9f019f0bf99f5d64605c844792ed965f8be65b9378404c8792311ba56edd83cc

  • SHA512

    78ac49e39f70d96b778aed2208962e0a222e19d0a1b7d438455a4aa474562d2e8be8fa29e90203cb99391468bd71fbd75a4f62495d12b6fac24a678cdca6d7f5

  • SSDEEP

    12288:5hQVh9a17gNm5YnXDdx2OjKhNHySntn/jZF+xF/M+lNuXYQ5xOOahZwE:5hQVh9FDdx2GKzSStrKxF/MtHrah2E

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

fznn

Decoy


Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\116824e0971300e9e2efe0f1c2d3f8c6.exe
    "C:\Users\Admin\AppData\Local\Temp\116824e0971300e9e2efe0f1c2d3f8c6.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1448
    • C:\Users\Admin\AppData\Local\Temp\116824e0971300e9e2efe0f1c2d3f8c6.exe
      "C:\Users\Admin\AppData\Local\Temp\116824e0971300e9e2efe0f1c2d3f8c6.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2992

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1448-1-0x0000000003130000-0x0000000003132000-memory.dmp

    Filesize

    8KB

  • memory/1448-0-0x00000000000F0000-0x0000000000144000-memory.dmp

    Filesize

    336KB

  • memory/1448-5-0x00000000000F0000-0x0000000000144000-memory.dmp

    Filesize

    336KB

  • memory/2992-2-0x0000000000360000-0x0000000000388000-memory.dmp

    Filesize

    160KB

  • memory/2992-6-0x0000000000DE0000-0x000000000112A000-memory.dmp

    Filesize

    3.3MB