Overview

overview

10

Static

static

3

4sMcGGeBVCjd9IZ.exe

windows7-x64

10

4sMcGGeBVCjd9IZ.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 22:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4sMcGGeBVCjd9IZ.exe

  • Size

    766KB

  • MD5

    a66b604ab210053291aa9c3a4434d5b9

  • SHA1

    6841f037bc909103da8a43857dd05f91ca95cfd3

  • SHA256

    7112b5fbfabba6a257da8523a6a1a982272941e48e072d8f8b7de372561dca48

  • SHA512

    d95498915818517431e7523f3a10ebb9c4ea35857b7a247d576985195cbefc41c60034d78a1406bec804d5bf1183decfcbebaec67932e05123802cd9671368f3

  • SSDEEP

    12288:QmK1ELtN5TE0ZQKLWy4JjbIoWiblbPgQ3WwiUKxwCA2aabp77DsjTIzgyf5A3FsE:DTESCBLxDgLZxi2aaF77Dswgyf5A3FsE

Score
10/10
xloaderp89mdiscoveryloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

p89m

Decoy

wrapapplausechutney.xyz

covidmobiletestingmd.com

convey.gifts

b148tlrfee9evtvorgm5947.com

zmlhtjfls.com

mctrumpthyism.com

lilaixi.store

interstatehardwarenj.com

horakokode.com

42wilsonavenue.com

muskanphysio.com

absoluteuniquecrafts.store

donategame.online

greenlinkengineering.net

pinchanzosloyalty.com

companyintel.network

resumewriterguru.com

oakalleyatcimarron.com

sriyawealthplan.com

mpcollection.online

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3436
    • C:\Users\Admin\AppData\Local\Temp\4sMcGGeBVCjd9IZ.exe
      "C:\Users\Admin\AppData\Local\Temp\4sMcGGeBVCjd9IZ.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3400
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
          PID:1028
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2744
      • C:\Windows\SysWOW64\ipconfig.exe
        "C:\Windows\SysWOW64\ipconfig.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Gathers network information
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:832
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1916

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/832-23-0x0000000000FA0000-0x0000000000FC9000-memory.dmp

      Filesize

      164KB

      Download

    • memory/832-22-0x00000000008F0000-0x00000000008FB000-memory.dmp

      Filesize

      44KB

      Download

    • memory/832-21-0x00000000008F0000-0x00000000008FB000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2744-13-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/2744-18-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/2744-19-0x0000000000A10000-0x0000000000A21000-memory.dmp

      Filesize

      68KB

      Download

    • memory/2744-16-0x0000000000F60000-0x00000000012AA000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3400-12-0x0000000006810000-0x000000000687C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/3400-5-0x0000000004B00000-0x0000000004B0A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3400-9-0x0000000075200000-0x00000000759B0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3400-10-0x0000000006660000-0x000000000670E000-memory.dmp

      Filesize

      696KB

      Download

    • memory/3400-11-0x0000000006880000-0x00000000068E6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3400-0-0x000000007520E000-0x000000007520F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3400-7-0x0000000004F10000-0x0000000004F1A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3400-15-0x0000000075200000-0x00000000759B0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3400-6-0x0000000075200000-0x00000000759B0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3400-8-0x000000007520E000-0x000000007520F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3400-4-0x0000000004BA0000-0x0000000004C3C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3400-1-0x00000000000D0000-0x000000000019A000-memory.dmp

      Filesize

      808KB

      Download

    • memory/3400-3-0x0000000004A20000-0x0000000004AB2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3400-2-0x00000000050B0000-0x0000000005654000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3436-20-0x0000000009010000-0x0000000009143000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3436-27-0x00000000032A0000-0x0000000003364000-memory.dmp

      Filesize

      784KB

      Download

    • memory/3436-28-0x00000000032A0000-0x0000000003364000-memory.dmp

      Filesize

      784KB

      Download

    • memory/3436-30-0x00000000032A0000-0x0000000003364000-memory.dmp

      Filesize

      784KB

      Download