Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-11-2024 20:19

General

  • Target

    Order-940211730-pdf.exe

  • Size

    316KB

  • MD5

    48f5cf7cce8a7c481bd42065f64cda06

  • SHA1

    573b9f300a295e80c5d61f676b3cb847db5c9a17

  • SHA256

    8469a2a0268409d60d0d78dec451e520796106f8920dd4476e8fac728d0cc9b9

  • SHA512

    a56bf21244448ffc0bdfb72e047ab8c2eccab9fc1f56c3afcf1d5bbc11390b711fac8b826ec297d716ebdf779013a91c390d7587e0efa9473fb25c37346502ac

  • SSDEEP

    6144:owzgftmXE/z/dijeNOetfxvsgPzIFXrIN1QXghMoMhkC:ofFrrNJfxvPPzIFMN1QXghMoMhkC

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

nqs9

Decoy

lgingood.com

shopgeti.com

christianuomo.com

sportsxuk.com

markidesignstore.com

tjhuoliao.com

docomobb.xyz

ilrespirodelmare.com

kfconline.rest

paramusrepair.com

w3zand.com

unguamtruppe.quest

bethesdagardensloveland.net

bostonstretchlimousine.com

yycsmj.net

creatorgela.com

bestalcoholfreebeer.com

jorgeforfr.com

dlzxd.com

rajaranicoupon.xyz

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader family
  • Xloader payload 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Users\Admin\AppData\Local\Temp\Order-940211730-pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Order-940211730-pdf.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Users\Admin\AppData\Local\Temp\kmnjg.exe
        C:\Users\Admin\AppData\Local\Temp\kmnjg.exe C:\Users\Admin\AppData\Local\Temp\bodyzweapn
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2856
        • C:\Users\Admin\AppData\Local\Temp\kmnjg.exe
          C:\Users\Admin\AppData\Local\Temp\kmnjg.exe C:\Users\Admin\AppData\Local\Temp\bodyzweapn
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2696
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 268
        3⤵
        • Program crash
        PID:796

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\bodyzweapn

    Filesize

    5KB

    MD5

    d161975bcaf7cfd3de8dc4a37653c1d5

    SHA1

    b5e61fb06c2fb114430d63f8cad1927d77993da0

    SHA256

    c5c71f13e5bc6fbbb15b0660a962bd34d63f6cbcff17530bc48a9ab8cfa42a88

    SHA512

    e89f413acf9e83bee249fdd3dd32ce6eae7bb9cb1889c65b7998bc432f966cc7d1d4e873403326dccdbdb4689e63abc8a4fbdc10a771ec8277783c73ae16660a

  • C:\Users\Admin\AppData\Local\Temp\hrvch4heo1xaa

    Filesize

    211KB

    MD5

    3f9f5918baeecd565f401ab5af3b2d08

    SHA1

    b62677d128241fa345cf44979294f55a7fcfde8c

    SHA256

    c8b0d215336ad28fa42bb569e63f809c5006366d0a9030b7cb3399af6104003d

    SHA512

    83043b15c08899334fb03b57c53761ab82120034a85e96facbe1ad168862a4b91db9a89cc552b0d10fce8feac39a9a2fdd9dc05bf20e4368fbdf2ce6c3e2680f

  • \Users\Admin\AppData\Local\Temp\kmnjg.exe

    Filesize

    170KB

    MD5

    53face3b36237ca409c4f8c277842fbe

    SHA1

    bca858bff9d11ffc6c5772c01aceee84e52a8eec

    SHA256

    8a4451db9a95c45c952c228c36d5976d5d9164077d6c9969f9206b6248963f81

    SHA512

    813ea54c1b643f5f4222bb97f82a73bcc07c9fa3ae459a748936dcff810caf19cb9771e09035e13efc1bae0ad611647dad0862d9132adf92bf01abfa7e33e31f

  • memory/1184-17-0x00000000046E0000-0x00000000047AC000-memory.dmp

    Filesize

    816KB

  • memory/1184-20-0x00000000046E0000-0x00000000047AC000-memory.dmp

    Filesize

    816KB

  • memory/1184-21-0x00000000063D0000-0x00000000064F6000-memory.dmp

    Filesize

    1.1MB

  • memory/1184-30-0x00000000063D0000-0x00000000064F6000-memory.dmp

    Filesize

    1.1MB

  • memory/1748-24-0x00000000002F0000-0x0000000000304000-memory.dmp

    Filesize

    80KB

  • memory/1748-25-0x00000000002F0000-0x0000000000304000-memory.dmp

    Filesize

    80KB

  • memory/1748-27-0x00000000002F0000-0x0000000000304000-memory.dmp

    Filesize

    80KB

  • memory/2696-12-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2696-16-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2696-19-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2856-9-0x00000000002E0000-0x00000000002E2000-memory.dmp

    Filesize

    8KB