Overview

overview

10

Static

static

1

881b82a44e...8a.exe

windows7-x64

10

881b82a44e...8a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 19:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    881b82a44e8578b6034c504725c33b6a22d1980affa052c4bf492c168915dc8a.exe

  • Size

    802KB

  • MD5

    66fe9fc4a048631ec4ac9bc4ad55f501

  • SHA1

    302188f68b430e20f0f28d8ec9697a216e341d79

  • SHA256

    881b82a44e8578b6034c504725c33b6a22d1980affa052c4bf492c168915dc8a

  • SHA512

    71b6fa38cc25d2ceb360b6b6ac6d725cd2137d8e4cd660bd1829997d2223ea9123d247006b3afee96e650b9014871b1d9579d69faa590c6501016a3152243530

  • SSDEEP

    24576:dLa/diQs7a/ichDPvzoKndNQ2dliGBUam:dLlW/Nz/TNqNam

Score
10/10
xloaderq3c8discoveryevasionexecutionloaderpersistencerattrojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

q3c8

Decoy

illstarttommorow.com

ll-safe-keepingtoyof5.xyz

mygreenequity.com

albionadesign.com

byzalikha.com

robinson.tools

mrd68.com

mw13racing.com

pirankaliyar.com

nropes.com

indigosrc.com

drsyverson.com

aprendes.academy

mundohightech.com

sarms-research.com

ilmarijuanadispensary.com

qabeta3473437.com

businessmastercenturion.com

axissol.net

market-oplata-23v.xyz

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 5 IoCs
    evasiontrojan
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Xloader payload 2 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3556
    • C:\Users\Admin\AppData\Local\Temp\881b82a44e8578b6034c504725c33b6a22d1980affa052c4bf492c168915dc8a.exe
      "C:\Users\Admin\AppData\Local\Temp\881b82a44e8578b6034c504725c33b6a22d1980affa052c4bf492c168915dc8a.exe"
      2⤵
      • UAC bypass
      • Windows security bypass
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Checks computer location settings
      • Windows security modification
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Maps connected drives based on registry
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4432
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\0r6lS7c\svchost.exe" -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3380
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\0r6lS7c\svchost.exe" -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:348
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\881b82a44e8578b6034c504725c33b6a22d1980affa052c4bf492c168915dc8a.exe" -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1716
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\881b82a44e8578b6034c504725c33b6a22d1980affa052c4bf492c168915dc8a.exe" -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3200
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension "exe" -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1188
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\881b82a44e8578b6034c504725c33b6a22d1980affa052c4bf492c168915dc8a.exe" -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1100
      • C:\Windows\SysWOW64\rdrleakdiag.exe
        "C:\Windows\SysWOW64\rdrleakdiag.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2468
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2508
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\rdrleakdiag.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

3
T1562

Disable or Modify Tools

3
T1562.001

Modify Registry

5
T1112

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

5
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    06712a73a342fa69f39f8e8001e22f76

    SHA1

    1bc9f686a1d3bb58be4cd7130410a4b6f881df25

    SHA256

    2164229f4d58cf79995cde057d842a8c028cb25f629a56e2847e8fd3961d9ee4

    SHA512

    83939dcf92624bf000438aef8e1e2d53786a3d3416f761d3811692c7b468f8526c5731ab5dc5d0c4a1ac5f1c836d6c1724994a66b6f3e1ca4af5264b4944ae45

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    3f43001fe7348c73d754b507d59056ed

    SHA1

    3c3245d43a2824fd7780839e14e2fce2463cc09d

    SHA256

    e53afe85c34a193c55825a6809a5c1b5e206cf3d029ef86cd5d56875f417e2b5

    SHA512

    981a6f44cb2783f90df9cb6b31cc44d7d918f74faa3932d5faa0399c9c8d337567b745999c8ded8a9f4c6d5e718b49c0394e4bf5a63e20ceafeb0828800c4dd2

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    4b1c930765bad751727b636f36290189

    SHA1

    14005ff14ad0e590c77befdba6e2fc47132ab758

    SHA256

    6b13538cf69b683b9cd7b0fefa830fa9d6a1adad4e7ab9bce3fda2db8cfd30d4

    SHA512

    a5c2f04b60b85ae4bb5d05d4319160fd6309b4b12e1a023e1582f9e469e542d07addde97cff2a8045b10aefbb135eb7e7da718bbc7b03c307fa4cc1e772cd054

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    c64a007edd61099d2319006a063941ab

    SHA1

    2a7bce936e1c8261f2d572e0e8fcbe2f20b90ca2

    SHA256

    1a6085b109aade075864b92e2ed9d4304d7517f552b3cfe6e2288f825128193f

    SHA512

    ca4f085d15432c2ab0d2a5fe0d0fb5e08a8b3ec3797c4601d077e8bcc579e69beb5e36666ce6a3e0bc3ddb82e88cc1c7429cccb464ea72f5f71cc5f5598cbdd7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gn4bxm41.idx.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/348-13-0x0000000074520000-0x0000000074CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/348-14-0x0000000074520000-0x0000000074CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/348-100-0x000000006F880000-0x000000006F8CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/348-10-0x0000000002C90000-0x0000000002CC6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/348-165-0x0000000074520000-0x0000000074CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/348-156-0x0000000007CA0000-0x0000000007CA8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/348-155-0x0000000007CB0000-0x0000000007CCA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1100-143-0x000000006F880000-0x000000006F8CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1188-123-0x000000006F880000-0x000000006F8CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1716-158-0x0000000074520000-0x0000000074CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1716-17-0x0000000074520000-0x0000000074CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1716-21-0x0000000074520000-0x0000000074CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1716-110-0x000000006F880000-0x000000006F8CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1716-171-0x0000000074520000-0x0000000074CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2468-28-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2508-85-0x0000000000950000-0x0000000000D83000-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/2508-164-0x0000000000910000-0x0000000000939000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2508-96-0x0000000000950000-0x0000000000D83000-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/3200-124-0x000000006F880000-0x000000006F8CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3380-16-0x0000000074520000-0x0000000074CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3380-166-0x0000000074520000-0x0000000074CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3380-53-0x0000000006EF0000-0x0000000006F3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3380-52-0x0000000006960000-0x000000000697E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3380-84-0x000000006F880000-0x000000006F8CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3380-83-0x0000000007960000-0x0000000007992000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3380-97-0x0000000007BA0000-0x0000000007C43000-memory.dmp

    Filesize

    652KB

    Download

  • memory/3380-95-0x0000000006F40000-0x0000000006F5E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3380-98-0x00000000082D0000-0x000000000894A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3380-99-0x0000000007C80000-0x0000000007C9A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3380-22-0x00000000063B0000-0x0000000006704000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3380-18-0x0000000074520000-0x0000000074CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3380-120-0x0000000007CF0000-0x0000000007CFA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3380-121-0x0000000007F00000-0x0000000007F96000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3380-19-0x00000000061C0000-0x00000000061E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3380-20-0x0000000006260000-0x00000000062C6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3380-122-0x0000000007E80000-0x0000000007E91000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3380-11-0x0000000074520000-0x0000000074CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3380-153-0x0000000007EB0000-0x0000000007EBE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3380-154-0x0000000007EC0000-0x0000000007ED4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3380-157-0x0000000074520000-0x0000000074CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3380-12-0x0000000005AA0000-0x00000000060C8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3556-180-0x0000000008B00000-0x0000000008C19000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4432-15-0x0000000007AD0000-0x0000000007ADA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4432-0-0x000000007452E000-0x000000007452F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4432-8-0x0000000007590000-0x00000000075F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4432-82-0x0000000074520000-0x0000000074CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4432-7-0x0000000005BA0000-0x0000000005BE6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4432-6-0x0000000005C10000-0x0000000005CCA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/4432-5-0x0000000074520000-0x0000000074CD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4432-4-0x00000000059C0000-0x0000000005A52000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4432-3-0x0000000005F70000-0x0000000006514000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4432-2-0x0000000005920000-0x00000000059BC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4432-1-0x0000000000E40000-0x0000000000F0E000-memory.dmp

    Filesize

    824KB

    Download