Overview

overview

10

Static

static

3

PAYMENT.exe

windows7-x64

10

PAYMENT.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 20:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PAYMENT.exe

  • Size

    753KB

  • MD5

    dceac041ccf4756470e11a7cf926f060

  • SHA1

    3f887b2125c55ddb0b4dcfe4b49b9bf7f0271510

  • SHA256

    1def824855543f8011e65445f549f01648856e222215078ebc99281415bc1268

  • SHA512

    06ecd9b19fc3b1a7fdb6a621b9219407c3512330ccb0c405157373b64675ffa4c6d9e2ebacf2440b3ae6c6bceec24b0331d645961b1fb846d246486d42d14b7b

  • SSDEEP

    12288:cetA1TrromUStJaIYZULyQHFoeqYsTFop4Cd1k4ONdL38arAbNjsyaUVKnp:7IHL72DNTUvkHb0zahp

Score
10/10
xloaderf4utdiscoveryloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

f4ut

Decoy

studiokventura.com

rmnslashes.com

oklahomapropertybuyersllc.com

pmfce.net

yingkuncy.com

theailearning.com

artistic1cleaning.com

shqinyue.com

dentaldunya.com

karatuhotel.com

renttoownhomephoenix.com

0087wt.com

hotelsearchkwnet.com

dentavangart.com

98700l.com

seattleproducecompany.com

magicparadigm.com

cunix88.com

vr646.com

calmonleiloes.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1152
    • C:\Users\Admin\AppData\Local\Temp\PAYMENT.exe
      "C:\Users\Admin\AppData\Local\Temp\PAYMENT.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1852
      • C:\Users\Admin\AppData\Local\Temp\PAYMENT.exe
        "C:\Users\Admin\AppData\Local\Temp\PAYMENT.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2012
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
        PID:2820
      • C:\Windows\SysWOW64\autochk.exe
        "C:\Windows\SysWOW64\autochk.exe"
        2⤵
          PID:2872
        • C:\Windows\SysWOW64\autochk.exe
          "C:\Windows\SysWOW64\autochk.exe"
          2⤵
            PID:2560
          • C:\Windows\SysWOW64\autochk.exe
            "C:\Windows\SysWOW64\autochk.exe"
            2⤵
              PID:2556
            • C:\Windows\SysWOW64\autochk.exe
              "C:\Windows\SysWOW64\autochk.exe"
              2⤵
                PID:2576
              • C:\Windows\SysWOW64\autochk.exe
                "C:\Windows\SysWOW64\autochk.exe"
                2⤵
                  PID:2604
                • C:\Windows\SysWOW64\autochk.exe
                  "C:\Windows\SysWOW64\autochk.exe"
                  2⤵
                    PID:2612
                  • C:\Windows\SysWOW64\autochk.exe
                    "C:\Windows\SysWOW64\autochk.exe"
                    2⤵
                      PID:2636
                    • C:\Windows\SysWOW64\autochk.exe
                      "C:\Windows\SysWOW64\autochk.exe"
                      2⤵
                        PID:2680
                      • C:\Windows\SysWOW64\autochk.exe
                        "C:\Windows\SysWOW64\autochk.exe"
                        2⤵
                          PID:1056
                        • C:\Windows\SysWOW64\autochk.exe
                          "C:\Windows\SysWOW64\autochk.exe"
                          2⤵
                            PID:3036
                          • C:\Windows\SysWOW64\autochk.exe
                            "C:\Windows\SysWOW64\autochk.exe"
                            2⤵
                              PID:3040
                            • C:\Windows\SysWOW64\autochk.exe
                              "C:\Windows\SysWOW64\autochk.exe"
                              2⤵
                                PID:2140
                              • C:\Windows\SysWOW64\autochk.exe
                                "C:\Windows\SysWOW64\autochk.exe"
                                2⤵
                                  PID:2152
                                • C:\Windows\SysWOW64\autochk.exe
                                  "C:\Windows\SysWOW64\autochk.exe"
                                  2⤵
                                    PID:2112
                                  • C:\Windows\SysWOW64\autochk.exe
                                    "C:\Windows\SysWOW64\autochk.exe"
                                    2⤵
                                      PID:3052
                                    • C:\Windows\SysWOW64\autochk.exe
                                      "C:\Windows\SysWOW64\autochk.exe"
                                      2⤵
                                        PID:1800
                                      • C:\Windows\SysWOW64\autochk.exe
                                        "C:\Windows\SysWOW64\autochk.exe"
                                        2⤵
                                          PID:652
                                        • C:\Windows\SysWOW64\autochk.exe
                                          "C:\Windows\SysWOW64\autochk.exe"
                                          2⤵
                                            PID:2324
                                          • C:\Windows\SysWOW64\autochk.exe
                                            "C:\Windows\SysWOW64\autochk.exe"
                                            2⤵
                                              PID:2628
                                            • C:\Windows\SysWOW64\autochk.exe
                                              "C:\Windows\SysWOW64\autochk.exe"
                                              2⤵
                                                PID:1644
                                              • C:\Windows\SysWOW64\autochk.exe
                                                "C:\Windows\SysWOW64\autochk.exe"
                                                2⤵
                                                  PID:2920
                                                • C:\Windows\SysWOW64\autochk.exe
                                                  "C:\Windows\SysWOW64\autochk.exe"
                                                  2⤵
                                                    PID:2796
                                                  • C:\Windows\SysWOW64\autochk.exe
                                                    "C:\Windows\SysWOW64\autochk.exe"
                                                    2⤵
                                                      PID:2928
                                                    • C:\Windows\SysWOW64\autochk.exe
                                                      "C:\Windows\SysWOW64\autochk.exe"
                                                      2⤵
                                                        PID:2884
                                                      • C:\Windows\SysWOW64\cmmon32.exe
                                                        "C:\Windows\SysWOW64\cmmon32.exe"
                                                        2⤵
                                                        • Suspicious use of SetThreadContext
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious behavior: MapViewOfSection
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:792
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          /c del "C:\Users\Admin\AppData\Local\Temp\PAYMENT.exe"
                                                          3⤵
                                                          • Deletes itself
                                                          • System Location Discovery: System Language Discovery
                                                          PID:1368

                                                    Network

                                                    MITRE ATT&CK Enterprise v15

                                                    Replay Monitor

                                                    Loading Replay Monitor...

                                                    Downloads

                                                    • memory/792-21-0x0000000000D50000-0x0000000000D5D000-memory.dmp

                                                      Filesize

                                                      52KB

                                                      Download

                                                    • memory/792-22-0x0000000000D50000-0x0000000000D5D000-memory.dmp

                                                      Filesize

                                                      52KB

                                                      Download

                                                    • memory/792-23-0x00000000000D0000-0x00000000000F9000-memory.dmp

                                                      Filesize

                                                      164KB

                                                      Download

                                                    • memory/1152-24-0x00000000040E0000-0x000000000419D000-memory.dmp

                                                      Filesize

                                                      756KB

                                                      Download

                                                    • memory/1152-20-0x00000000040E0000-0x000000000419D000-memory.dmp

                                                      Filesize

                                                      756KB

                                                      Download

                                                    • memory/1852-3-0x00000000003A0000-0x00000000003C2000-memory.dmp

                                                      Filesize

                                                      136KB

                                                      Download

                                                    • memory/1852-6-0x0000000005C80000-0x0000000005CFA000-memory.dmp

                                                      Filesize

                                                      488KB

                                                      Download

                                                    • memory/1852-7-0x0000000001E40000-0x0000000001E72000-memory.dmp

                                                      Filesize

                                                      200KB

                                                      Download

                                                    • memory/1852-5-0x0000000074240000-0x000000007492E000-memory.dmp

                                                      Filesize

                                                      6.9MB

                                                      Download

                                                    • memory/1852-4-0x000000007424E000-0x000000007424F000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1852-0-0x000000007424E000-0x000000007424F000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1852-2-0x0000000074240000-0x000000007492E000-memory.dmp

                                                      Filesize

                                                      6.9MB

                                                      Download

                                                    • memory/1852-15-0x0000000074240000-0x000000007492E000-memory.dmp

                                                      Filesize

                                                      6.9MB

                                                      Download

                                                    • memory/1852-1-0x0000000000970000-0x0000000000A34000-memory.dmp

                                                      Filesize

                                                      784KB

                                                      Download

                                                    • memory/2012-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2012-18-0x0000000000400000-0x0000000000429000-memory.dmp

                                                      Filesize

                                                      164KB

                                                      Download

                                                    • memory/2012-19-0x0000000000340000-0x0000000000351000-memory.dmp

                                                      Filesize

                                                      68KB

                                                      Download

                                                    • memory/2012-16-0x0000000000A40000-0x0000000000D43000-memory.dmp

                                                      Filesize

                                                      3.0MB

                                                      Download

                                                    • memory/2012-10-0x0000000000400000-0x0000000000429000-memory.dmp

                                                      Filesize

                                                      164KB

                                                      Download

                                                    • memory/2012-14-0x0000000000400000-0x0000000000429000-memory.dmp

                                                      Filesize

                                                      164KB

                                                      Download

                                                    • memory/2012-9-0x0000000000400000-0x0000000000429000-memory.dmp

                                                      Filesize

                                                      164KB

                                                      Download