Overview

overview

10

Static

static

3

PAYMENT.exe

windows7-x64

10

PAYMENT.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 19:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PAYMENT.exe

  • Size

    753KB

  • MD5

    dceac041ccf4756470e11a7cf926f060

  • SHA1

    3f887b2125c55ddb0b4dcfe4b49b9bf7f0271510

  • SHA256

    1def824855543f8011e65445f549f01648856e222215078ebc99281415bc1268

  • SHA512

    06ecd9b19fc3b1a7fdb6a621b9219407c3512330ccb0c405157373b64675ffa4c6d9e2ebacf2440b3ae6c6bceec24b0331d645961b1fb846d246486d42d14b7b

  • SSDEEP

    12288:cetA1TrromUStJaIYZULyQHFoeqYsTFop4Cd1k4ONdL38arAbNjsyaUVKnp:7IHL72DNTUvkHb0zahp

Score
10/10
xloaderf4utdiscoveryloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

f4ut

Decoy

studiokventura.com

rmnslashes.com

oklahomapropertybuyersllc.com

pmfce.net

yingkuncy.com

theailearning.com

artistic1cleaning.com

shqinyue.com

dentaldunya.com

karatuhotel.com

renttoownhomephoenix.com

0087wt.com

hotelsearchkwnet.com

dentavangart.com

98700l.com

seattleproducecompany.com

magicparadigm.com

cunix88.com

vr646.com

calmonleiloes.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3488
    • C:\Users\Admin\AppData\Local\Temp\PAYMENT.exe
      "C:\Users\Admin\AppData\Local\Temp\PAYMENT.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3668
      • C:\Users\Admin\AppData\Local\Temp\PAYMENT.exe
        "C:\Users\Admin\AppData\Local\Temp\PAYMENT.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:5000
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
        PID:3912
      • C:\Windows\SysWOW64\ipconfig.exe
        "C:\Windows\SysWOW64\ipconfig.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Gathers network information
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1628
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\PAYMENT.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3684

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1628-23-0x0000000000A30000-0x0000000000A59000-memory.dmp

      Filesize

      164KB

      Download

    • memory/1628-22-0x0000000000F80000-0x0000000000F8B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1628-21-0x0000000000F80000-0x0000000000F8B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/3488-20-0x0000000007FF0000-0x000000000813D000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3488-31-0x00000000025C0000-0x000000000269F000-memory.dmp

      Filesize

      892KB

      Download

    • memory/3488-29-0x00000000025C0000-0x000000000269F000-memory.dmp

      Filesize

      892KB

      Download

    • memory/3488-28-0x00000000025C0000-0x000000000269F000-memory.dmp

      Filesize

      892KB

      Download

    • memory/3488-24-0x0000000007FF0000-0x000000000813D000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3668-6-0x0000000074830000-0x0000000074FE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3668-1-0x0000000000E90000-0x0000000000F54000-memory.dmp

      Filesize

      784KB

      Download

    • memory/3668-10-0x0000000074830000-0x0000000074FE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3668-11-0x0000000008400000-0x000000000847A000-memory.dmp

      Filesize

      488KB

      Download

    • memory/3668-12-0x0000000008490000-0x00000000084C2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/3668-9-0x000000007483E000-0x000000007483F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3668-15-0x0000000074830000-0x0000000074FE0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3668-4-0x0000000005A50000-0x0000000005AE2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3668-2-0x00000000059B0000-0x0000000005A4C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3668-3-0x0000000006000000-0x00000000065A4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3668-8-0x0000000006CA0000-0x0000000006CC2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3668-7-0x0000000005C50000-0x0000000005CA6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/3668-0-0x000000007483E000-0x000000007483F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3668-5-0x0000000005950000-0x000000000595A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/5000-13-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/5000-18-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/5000-19-0x0000000001660000-0x0000000001671000-memory.dmp

      Filesize

      68KB

      Download

    • memory/5000-16-0x0000000001980000-0x0000000001CCA000-memory.dmp

      Filesize

      3.3MB

      Download