Malware Analysis Report

2024-11-30 22:22

Sample ID 241121-yk6m8swkcw
Target be55efe027389032b9759fab2cae070ec16fe7f17ec802002fbe70f4f6d4e117
SHA256 be55efe027389032b9759fab2cae070ec16fe7f17ec802002fbe70f4f6d4e117
Tags
xloader de52 discovery loader rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

be55efe027389032b9759fab2cae070ec16fe7f17ec802002fbe70f4f6d4e117

Threat Level: Known bad

The file be55efe027389032b9759fab2cae070ec16fe7f17ec802002fbe70f4f6d4e117 was found to be: Known bad.

Malicious Activity Summary

xloader de52 discovery loader rat

Xloader

Xloader family

Xloader payload

Deletes itself

Loads dropped DLL

Suspicious use of SetThreadContext

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

NSIS installer

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-21 19:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-21 19:51

Reported

2024-11-21 19:54

Platform

win7-20240903-en

Max time kernel

147s

Max time network

119s

Command Line

C:\Windows\Explorer.EXE

Signatures

Xloader

loader xloader

Xloader family

xloader

Xloader payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Order.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Order.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2768 set thread context of 2964 N/A C:\Users\Admin\AppData\Local\Temp\New Order.exe C:\Users\Admin\AppData\Local\Temp\New Order.exe
PID 2964 set thread context of 1200 N/A C:\Users\Admin\AppData\Local\Temp\New Order.exe C:\Windows\Explorer.EXE
PID 2964 set thread context of 1200 N/A C:\Users\Admin\AppData\Local\Temp\New Order.exe C:\Windows\Explorer.EXE
PID 2644 set thread context of 1200 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\Explorer.EXE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New Order.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Order.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Order.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Order.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Order.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2768 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\New Order.exe C:\Users\Admin\AppData\Local\Temp\New Order.exe
PID 2768 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\New Order.exe C:\Users\Admin\AppData\Local\Temp\New Order.exe
PID 2768 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\New Order.exe C:\Users\Admin\AppData\Local\Temp\New Order.exe
PID 2768 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\New Order.exe C:\Users\Admin\AppData\Local\Temp\New Order.exe
PID 2768 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\New Order.exe C:\Users\Admin\AppData\Local\Temp\New Order.exe
PID 1200 wrote to memory of 2644 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1200 wrote to memory of 2644 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1200 wrote to memory of 2644 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1200 wrote to memory of 2644 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 2644 wrote to memory of 2572 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2644 wrote to memory of 2572 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2644 wrote to memory of 2572 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2644 wrote to memory of 2572 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\New Order.exe

"C:\Users\Admin\AppData\Local\Temp\New Order.exe"

C:\Users\Admin\AppData\Local\Temp\New Order.exe

"C:\Users\Admin\AppData\Local\Temp\New Order.exe"

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\SysWOW64\explorer.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\New Order.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsi5D9B.tmp\System.dll

MD5 56a321bd011112ec5d8a32b2f6fd3231
SHA1 df20e3a35a1636de64df5290ae5e4e7572447f78
SHA256 bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1
SHA512 5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

memory/2964-11-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2964-13-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1200-14-0x0000000004EF0000-0x0000000004FBF000-memory.dmp

memory/2964-16-0x0000000000400000-0x0000000000428000-memory.dmp

memory/1200-17-0x0000000004EF0000-0x0000000004FBF000-memory.dmp

memory/1200-18-0x0000000007750000-0x0000000007869000-memory.dmp

memory/2644-21-0x0000000000560000-0x00000000007E1000-memory.dmp

memory/2644-23-0x0000000000560000-0x00000000007E1000-memory.dmp

memory/2644-24-0x00000000000C0000-0x00000000000E8000-memory.dmp

memory/1200-25-0x0000000007750000-0x0000000007869000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-21 19:51

Reported

2024-11-21 19:54

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New Order.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Order.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Order.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\New Order.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\New Order.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New Order.exe

"C:\Users\Admin\AppData\Local\Temp\New Order.exe"

C:\Users\Admin\AppData\Local\Temp\New Order.exe

"C:\Users\Admin\AppData\Local\Temp\New Order.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4360 -ip 4360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 924

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 168.36.72.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nslC768.tmp\System.dll

MD5 56a321bd011112ec5d8a32b2f6fd3231
SHA1 df20e3a35a1636de64df5290ae5e4e7572447f78
SHA256 bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1
SHA512 5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-21 19:51

Reported

2024-11-21 19:54

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 224

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-21 19:51

Reported

2024-11-21 19:54

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 716 wrote to memory of 4628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 716 wrote to memory of 4628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 716 wrote to memory of 4628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4628 -ip 4628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp

Files

N/A