Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

SHIPPING D...BL.exe

windows7-x64

10

SHIPPING D...BL.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/11/2024, 20:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SHIPPING DOC CICOOPLBL.exe

  • Size

    471KB

  • MD5

    73eb22341ce8fcc60593432d2d37c872

  • SHA1

    9aad11376e92a7b87ae2296e1c146ef88e2b3e15

  • SHA256

    985c930f9f983d8ec93977335ebff73b477d7aaa678c163be58714525fb9f273

  • SHA512

    d8735d3a85a992a5e14fcfc4fa6df9b2eed7039c118cfb6536e1242b9b995b1924b97d1ad16b7f90dd692d0d06f1f262fb0828e45558d8d4ce73bc89ff72911e

  • SSDEEP

    6144:g34P86jIlgv5aK9rj5vVFfAb04v+M4/Vf9fkhqx4YYAdCSjtDU/5hL5WwHPc+nfe:eYd9rjB14v4//f13RcatDAL5Wwv9f6u

Score
10/10
xloaderxftsdiscoveryloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

xfts

Decoy

dailiesplatform.com

krlanka.com

koms.info

chesslearner.com

softwarefully.com

yogiplayground.com

learhee.com

faithbook.info

pepperrefo.com

kratochvil-elektro.com

artbyg2.com

123-e.com

levelupyourbody.info

ecommercebusinessowner.com

floraseriestrilogy.com

sdyykt.com

swchof.com

huaxinhui.tech

sems-iress2016.com

vasudhalibrary.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 4 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3464
    • C:\Users\Admin\AppData\Local\Temp\SHIPPING DOC CICOOPLBL.exe
      "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOC CICOOPLBL.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Users\Admin\AppData\Local\Temp\SHIPPING DOC CICOOPLBL.exe
        "{path}"
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:1044
      • C:\Users\Admin\AppData\Local\Temp\SHIPPING DOC CICOOPLBL.exe
        "{path}"
        3⤵
        • Suspicious use of SetThreadContext
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:4636
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOC CICOOPLBL.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:4172

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2472-8-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2472-9-0x0000000074CA0000-0x0000000075450000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2472-2-0x00000000053E0000-0x0000000005984000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2472-3-0x0000000004E30000-0x0000000004EC2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2472-4-0x0000000004ED0000-0x0000000004F6C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2472-5-0x0000000004E10000-0x0000000004E1A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2472-1-0x00000000003C0000-0x000000000043C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2472-6-0x0000000074CA0000-0x0000000075450000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2472-0-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2472-7-0x00000000053B0000-0x00000000053B8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2472-10-0x0000000007A30000-0x0000000007AB2000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2472-11-0x000000000A130000-0x000000000A160000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2472-14-0x0000000074CA0000-0x0000000075450000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2716-27-0x0000000001110000-0x0000000001139000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2716-25-0x0000000000620000-0x0000000000647000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2716-26-0x0000000000620000-0x0000000000647000-memory.dmp

    Filesize

    156KB

    Download

  • memory/3464-24-0x0000000002BD0000-0x0000000002CE3000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3464-19-0x0000000002BD0000-0x0000000002CE3000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3464-23-0x0000000008A40000-0x0000000008BA5000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3464-28-0x0000000008A40000-0x0000000008BA5000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3464-31-0x0000000008C70000-0x0000000008DB0000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3464-33-0x0000000008C70000-0x0000000008DB0000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3464-34-0x0000000008C70000-0x0000000008DB0000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4636-22-0x0000000002D90000-0x0000000002DA1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4636-21-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/4636-17-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/4636-18-0x0000000001440000-0x0000000001451000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4636-15-0x0000000000FB0000-0x00000000012FA000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4636-12-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download