Overview

overview

10

Static

static

3

An Urgent-...74.exe

windows7-x64

10

An Urgent-...74.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 20:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    An Urgent-Enquiry-for-quotaion-Petrogas Agencies Power Plant Project Abu Dhabi-47574.exe

  • Size

    706KB

  • MD5

    16d5446ad4d79662113a4e8a669b896d

  • SHA1

    dbe94c4fa5e7eda91e40480a8ce4d6ac5638b8a7

  • SHA256

    d55802936c5be4116efa2f7e18a019c1adbcd8cc7c8e9682eb3f4ae5bb3f8da8

  • SHA512

    3463d75a008ba0db42b28d0f1493efa1f740a8bb0982db1ad348ed61d4035e15313b2df0b0989f108c8fd20c5745120421eed9508a6b7ca3fe3e8b93957d8835

  • SSDEEP

    12288:Q5oWJlP2jj5HxpyxL1D3pQKfK/aoppiyJ5bLBnB6w6:Q5oWJgj1a1DZQKupLNBBY

Score
10/10
xloaderkijediscoveryloaderrat

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

kije

Decoy

apyturkey.com

mgthehandyman.com

dick-kick.com

burntflare.com

amsecvault-services.com

moot-art.com

podemosleer.com

you-success.online

delbellointerior.com

polleriabrujas.xyz

yorkingmoroow.com

songlong8833.com

562erf.com

dhozeaccesorios.com

citychurchlloyd.com

rift-ralley.com

healsbox.com

domaindonuts.com

elversonpet.supply

texasmr.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3356
    • C:\Users\Admin\AppData\Local\Temp\An Urgent-Enquiry-for-quotaion-Petrogas Agencies Power Plant Project Abu Dhabi-47574.exe
      "C:\Users\Admin\AppData\Local\Temp\An Urgent-Enquiry-for-quotaion-Petrogas Agencies Power Plant Project Abu Dhabi-47574.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3140
      • C:\Users\Admin\AppData\Local\Temp\An Urgent-Enquiry-for-quotaion-Petrogas Agencies Power Plant Project Abu Dhabi-47574.exe
        "C:\Users\Admin\AppData\Local\Temp\An Urgent-Enquiry-for-quotaion-Petrogas Agencies Power Plant Project Abu Dhabi-47574.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1308
    • C:\Windows\SysWOW64\raserver.exe
      "C:\Windows\SysWOW64\raserver.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1020
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\An Urgent-Enquiry-for-quotaion-Petrogas Agencies Power Plant Project Abu Dhabi-47574.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1364

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1020-29-0x0000000000390000-0x00000000003BB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1020-28-0x0000000000CD0000-0x0000000000CEF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1020-26-0x0000000000CD0000-0x0000000000CEF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1308-13-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1308-22-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1308-23-0x00000000018E0000-0x00000000018F1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1308-19-0x0000000001460000-0x0000000001471000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1308-18-0x0000000000400000-0x000000000042B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/1308-16-0x0000000001930000-0x0000000001C7A000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3140-7-0x0000000007EB0000-0x0000000007EB8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3140-5-0x0000000005040000-0x000000000504A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3140-11-0x0000000008400000-0x0000000008466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3140-12-0x0000000008390000-0x00000000083C6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3140-9-0x0000000074490000-0x0000000074C40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3140-15-0x0000000074490000-0x0000000074C40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3140-8-0x000000007449E000-0x000000007449F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3140-0-0x000000007449E000-0x000000007449F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3140-6-0x0000000074490000-0x0000000074C40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3140-1-0x0000000000580000-0x0000000000636000-memory.dmp

    Filesize

    728KB

    Download

  • memory/3140-2-0x0000000005610000-0x0000000005BB4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3140-10-0x00000000082D0000-0x0000000008358000-memory.dmp

    Filesize

    544KB

    Download

  • memory/3140-4-0x0000000005100000-0x000000000519C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3140-3-0x0000000005060000-0x00000000050F2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3356-25-0x00000000031B0000-0x0000000003300000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3356-24-0x0000000008D70000-0x0000000008E8A000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3356-20-0x00000000031B0000-0x0000000003300000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3356-30-0x0000000008D70000-0x0000000008E8A000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3356-33-0x0000000008F40000-0x0000000009083000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3356-35-0x0000000008F40000-0x0000000009083000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3356-36-0x0000000008F40000-0x0000000009083000-memory.dmp

    Filesize

    1.3MB

    Download