xloader | 587dbf96979d7f8de55234e0b9c2f41332ecbfcbe9260b5ed2ddca34bfbc4391

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	HAWB AND INV.exe

Xloader payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/4572-49-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/512-109-0x00000000009D0000-0x00000000009F9000-memory.dmp	xloader

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
116	powershell.exe
2576	powershell.exe
3156	powershell.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	HAWB AND INV.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	HAWB AND INV.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	HAWB AND INV.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	HAWB AND INV.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	HAWB AND INV.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	HAWB AND INV.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2716 set thread context of 4572	2716	HAWB AND INV.exe	113
PID 4572 set thread context of 3340	4572	HAWB AND INV.exe	55
PID 512 set thread context of 3340	512	netsh.exe	55

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HAWB AND INV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2132	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
116	powershell.exe
116	powershell.exe
2576	powershell.exe
2576	powershell.exe
2716	HAWB AND INV.exe
2716	HAWB AND INV.exe
2716	HAWB AND INV.exe
2716	HAWB AND INV.exe
4572	HAWB AND INV.exe
4572	HAWB AND INV.exe
4572	HAWB AND INV.exe
4572	HAWB AND INV.exe
3156	powershell.exe
3156	powershell.exe
512	netsh.exe
512	netsh.exe
512	netsh.exe
512	netsh.exe
512	netsh.exe
512	netsh.exe
512	netsh.exe
512	netsh.exe
512	netsh.exe
512	netsh.exe
512	netsh.exe
512	netsh.exe
512	netsh.exe
512	netsh.exe
512	netsh.exe
512	netsh.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
4572	HAWB AND INV.exe
4572	HAWB AND INV.exe
4572	HAWB AND INV.exe
512	netsh.exe
512	netsh.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	116	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2716	HAWB AND INV.exe
Token: SeDebugPrivilege	4572	HAWB AND INV.exe
Token: SeDebugPrivilege	3156	powershell.exe
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeDebugPrivilege	512	netsh.exe
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 116	2716	HAWB AND INV.exe	102
PID 2716 wrote to memory of 116	2716	HAWB AND INV.exe	102
PID 2716 wrote to memory of 116	2716	HAWB AND INV.exe	102
PID 2716 wrote to memory of 2576	2716	HAWB AND INV.exe	105
PID 2716 wrote to memory of 2576	2716	HAWB AND INV.exe	105
PID 2716 wrote to memory of 2576	2716	HAWB AND INV.exe	105
PID 2716 wrote to memory of 2132	2716	HAWB AND INV.exe	107
PID 2716 wrote to memory of 2132	2716	HAWB AND INV.exe	107
PID 2716 wrote to memory of 2132	2716	HAWB AND INV.exe	107
PID 2716 wrote to memory of 3156	2716	HAWB AND INV.exe	109
PID 2716 wrote to memory of 3156	2716	HAWB AND INV.exe	109
PID 2716 wrote to memory of 3156	2716	HAWB AND INV.exe	109
PID 2716 wrote to memory of 1308	2716	HAWB AND INV.exe	110
PID 2716 wrote to memory of 1308	2716	HAWB AND INV.exe	110
PID 2716 wrote to memory of 1308	2716	HAWB AND INV.exe	110
PID 2716 wrote to memory of 4372	2716	HAWB AND INV.exe	112
PID 2716 wrote to memory of 4372	2716	HAWB AND INV.exe	112
PID 2716 wrote to memory of 4372	2716	HAWB AND INV.exe	112
PID 2716 wrote to memory of 4572	2716	HAWB AND INV.exe	113
PID 2716 wrote to memory of 4572	2716	HAWB AND INV.exe	113
PID 2716 wrote to memory of 4572	2716	HAWB AND INV.exe	113
PID 2716 wrote to memory of 4572	2716	HAWB AND INV.exe	113
PID 2716 wrote to memory of 4572	2716	HAWB AND INV.exe	113
PID 2716 wrote to memory of 4572	2716	HAWB AND INV.exe	113
PID 3340 wrote to memory of 512	3340	Explorer.EXE	114
PID 3340 wrote to memory of 512	3340	Explorer.EXE	114
PID 3340 wrote to memory of 512	3340	Explorer.EXE	114

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Users\Admin\AppData\Local\Temp\HAWB AND INV.exe
  "C:\Users\Admin\AppData\Local\Temp\HAWB AND INV.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\HAWB AND INV.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:116
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qxnptkmQbHB.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2576
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qxnptkmQbHB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4404.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2132
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qxnptkmQbHB.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3156
- - C:\Users\Admin\AppData\Local\Temp\HAWB AND INV.exe
    "C:\Users\Admin\AppData\Local\Temp\HAWB AND INV.exe"
    3⤵
    PID:1308
- - C:\Users\Admin\AppData\Local\Temp\HAWB AND INV.exe
    "C:\Users\Admin\AppData\Local\Temp\HAWB AND INV.exe"
    3⤵
    PID:4372
- - C:\Users\Admin\AppData\Local\Temp\HAWB AND INV.exe
    "C:\Users\Admin\AppData\Local\Temp\HAWB AND INV.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:4572
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion