Overview

overview

10

Static

static

3

IMG_501327.exe

windows7-x64

10

IMG_501327.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    16-07-2024 23:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IMG_501327.exe

  • Size

    462KB

  • MD5

    1f11cb76d8f9643820a756448b4b3a0e

  • SHA1

    c00db72ff5681b1f26db430a71b35dcfe3978d1c

  • SHA256

    aaf1000d1f4822bb6e7424123c807a333a8696783ab029b49df8250b115c27ae

  • SHA512

    2e1c2c46233b1a995e234ff7dd5a876a2230e06dc5ee6da3fdd3a890ce2f43bb57e0faee14c3094c80d99f435d42b7e13c845d885f82c2b2d31961cc1db2b3cc

  • SSDEEP

    12288:pFda+FdagEMYLZsUN8dgHgY8RfuydvDZ0da7Af:bEMfrdc8Zhdd

Score
10/10
xloadermt6eexecutionloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

mt6e

Decoy

morozolga.com

selimtokdemir.com

deluxeweldingsupply.com

allannateddyrose.com

iconsneakersfr.com

vicenteconchilla.com

themediatenow.com

finishmybasemint.com

blaseskincare.com

betwho.site

madewithrealmeat.com

scratchpatchinc.com

daysad.com

kraftwater.com

prolifictrades.com

usdtmgm.com

mooneworms.com

grandspecialiste.com

mirzaassociates.com

bilaltahirofficial.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Beds Protector Packer 1 IoCs

    Detects Beds Protector packer used to load .NET malware.

  • Xloader payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Users\Admin\AppData\Local\Temp\IMG_501327.exe
      "C:\Users\Admin\AppData\Local\Temp\IMG_501327.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1676
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
        "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\IMG_501327.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
        3⤵
        • Drops startup file
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2680
      • C:\Users\Admin\AppData\Local\Temp\IMG_501327.exe
        "C:\Users\Admin\AppData\Local\Temp\IMG_501327.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2732
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2632
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\IMG_501327.exe"
        3⤵
        • Deletes itself
        PID:2468

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1196-34-0x00000000070A0000-0x0000000007237000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/1196-25-0x00000000070A0000-0x0000000007237000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/1676-0-0x0000000073F7E000-0x0000000073F7F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1676-3-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/1676-4-0x0000000073F7E000-0x0000000073F7F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1676-5-0x0000000073F70000-0x000000007465E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1676-22-0x0000000073F70000-0x000000007465E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1676-2-0x0000000073F70000-0x000000007465E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1676-14-0x00000000004C0000-0x00000000004D6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1676-1-0x0000000000CF0000-0x0000000000D6A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/2632-30-0x00000000000D0000-0x00000000000F9000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2632-29-0x0000000000610000-0x0000000000624000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2632-27-0x0000000000610000-0x0000000000624000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2680-8-0x000000006EDF1000-0x000000006EDF2000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2680-13-0x000000006EDF0000-0x000000006F39B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2680-11-0x000000006EDF0000-0x000000006F39B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2680-10-0x000000006EDF0000-0x000000006F39B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2680-9-0x000000006EDF0000-0x000000006F39B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2732-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2732-17-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2732-21-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2732-23-0x0000000000880000-0x0000000000B83000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2732-15-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2732-26-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download