Analysis
-
max time kernel
148s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
21-11-2024 20:03
General
-
Target
HAWB AND INV.exe
-
Size
724KB
-
MD5
42662765a94ce5ece11529509f937711
-
SHA1
da57dd4c137c47fc9b906caaf067c6ed13fa2da6
-
SHA256
2138325dd5e2825ee4086187a944af336476b0327e1ddae7563bb24523836e08
-
SHA512
101d7bb5f778e779133f005c801fa26cf1bc147fed9f2774808526c50b3ae8e12863bc7ee3dfb060153d4b0b3a5ef66f357e44d477e1558060fe54df990b4b95
-
SSDEEP
12288:vFAPrYNczrMFJxdNkJ41cx7acIXBFwbk2ldYaZPCwdwfPyfK8vW6M+:vFAjYysyCcGTqnCfPwK8vnt
Malware Config
Extracted
xloader
2.3
maw9
jaimericart.com
mayavantcard.com
romanzava.site
forefrontunderground.com
grafikirmarketing.com
airpoppoff.com
captureq.com
vph.ventures
historiclocation.com
theoxfordway.com
springersells.com
huther.mobi
networkingmaderas.com
reggatech.com
dollfacela.com
moneycrypt.net
calidad-precio.net
hamnsk165.com
victoriabrownrealtor.com
itechfreak.com
Signatures
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Xloader family
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Xloader payload 3 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\HAWB AND INV.exe"C:\Users\Admin\AppData\Local\Temp\HAWB AND INV.exe"2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\HAWB AND INV.exe"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qxnptkmQbHB.exe"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qxnptkmQbHB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2D19.tmp"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qxnptkmQbHB.exe"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\HAWB AND INV.exe"C:\Users\Admin\AppData\Local\Temp\HAWB AND INV.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\wlanext.exe"C:\Windows\SysWOW64\wlanext.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD57fe8b08f00a3d19862f71ff428f97c24
SHA150e58889ce8e9002e5c607f2a1b769f399efb070
SHA256d7470aee793c6e514af41f0887a65cdb3ac067338434e2c637a51ef2eeab8257
SHA5127848752c3b8058b5518b764292715f6a1ac436e9eb45e408d49ad2f6b837abdf2725a06091f0cc660a1c7bca770929a248d259de4a6dcdf2a869393517b99da8
-
Filesize
7KB
MD53384863c844266bf34d8ea0f4ec91b40
SHA1e41b2565affe38cdd07794c463ba1d97fcf50aa5
SHA256360dd25ab45009ed643935ec196b76c49aebbc7f2060bb3f5aebd6fc622fa041
SHA512c81a29dd325decf01ed6459af25f00f2ecded4dc7c8fdb38c3f7b03f07db14f0252396463c422fc48f4e2cc86064b399c5840262e07418069f072055f254c0df
-
Filesize
1.5MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
688KB
-
Filesize
400KB
-
Filesize
80KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
744KB
-
Filesize
164KB
-
Filesize
88KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
4KB
-
Filesize
164KB