Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
28-09-2024 11:03
General
-
Target
Invoice#00086770.exe
-
Size
681KB
-
MD5
9959299149ec0cc5d9c380a308f69f31
-
SHA1
2b98e45b2dd60c8e3f154e80f10b2bcc07bfca90
-
SHA256
b9e50b873e6ca85c0ebcd953a403425a5c7da2e57ffe47723e21cccf8cebde06
-
SHA512
60fd97abd4fa62686266cecb9832ba50118671dce411dfcda9dc7b6db516eb0405a0783739fe1e9e920feb90e51f73b0bd6a9cc9decb75288edab0923b87ada1
-
SSDEEP
12288:w5cYv2tasGHW/NqrFnHqgpztNwN/wgHQHewItAVjmRg2W9fvEwsJ:wvutasoWFEHjzIwoQ+w9Ycf9sJ
Malware Config
Extracted
xloader
2.3
d8ak
bossmatter.com
intanmandirilestari.com
goldsgymclermont.com
nythraa.com
xbfcyy.com
precitaparktownhome.com
medicalmarijuanamississippi.net
mademoisellepierre.com
duantui.run
freebay.info
gabimslogistics.com
planethomrlending.com
thesockboutique.net
freiundgeist.com
nouvellechina.com
hkamlcc.com
heti-lainaa.com
forehead-effort.com
productsim.com
dualexpressions.com
Signatures
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Xloader payload 3 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 50 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Invoice#00086770.exe"C:\Users\Admin\AppData\Local\Temp\Invoice#00086770.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Invoice#00086770.exe"{path}"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\SysWOW64\wscript.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\Invoice#00086770.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4252,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=3952 /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
552KB
-
Filesize
704KB
-
Filesize
164KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
708KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
708KB
-
Filesize
708KB
-
Filesize
68KB
-
Filesize
3.3MB
-
Filesize
164KB
-
Filesize
164KB