Overview

overview

10

Static

static

3

Y0GEeY1WOWNMYni.exe

windows7-x64

10

Y0GEeY1WOWNMYni.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 20:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Y0GEeY1WOWNMYni.exe

  • Size

    678KB

  • MD5

    7c45a8542757d9ed6871c12d1d8e733b

  • SHA1

    6ffdb6f2b38f45fe00ebd82a074336596938eaae

  • SHA256

    7300768cbf7406a287c49de81c675dadd3d5bd4d181afabc533380eac73f944a

  • SHA512

    d3fb0653ce229de6f885e7e24ae8fd4ad7de7eaebedbad7e07aff1d08be3b7c95c7133d65b9f72b1b087a634af3ace93e39102c77ded7bc82a1a14e63ab280a7

  • SSDEEP

    6144:m4fxbbFJLgGo+lkVSuc8gGzBLAcFiR+Kt15f/OSjFiTTVFcXbCdp8o78HfVNNBI9:ZhlkVJcYB0igX5f/mj2Cd6iN53JJA

Score
10/10
xloaderbfhmdiscoveryloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

bfhm

Decoy

martensromania.com

e-cans.com

solarinverter.pro

threadluvapparel.com

livesarchitecture.com

velozgroup.net

xdcasdg.xyz

parsindoor.com

orderdonki.com

jingbangjy.com

dfjdfjtriurti548548548.xyz

au-cl8.com

workingclasscompany.com

wrjunk.com

debratreesaudiology.com

nuwearco.com

theteaverse.com

quanxinpdd.com

dabanse.com

pyztsl.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3448
    • C:\Users\Admin\AppData\Local\Temp\Y0GEeY1WOWNMYni.exe
      "C:\Users\Admin\AppData\Local\Temp\Y0GEeY1WOWNMYni.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4928
      • C:\Users\Admin\AppData\Local\Temp\Y0GEeY1WOWNMYni.exe
        "C:\Users\Admin\AppData\Local\Temp\Y0GEeY1WOWNMYni.exe"
        3⤵
          PID:4484
        • C:\Users\Admin\AppData\Local\Temp\Y0GEeY1WOWNMYni.exe
          "C:\Users\Admin\AppData\Local\Temp\Y0GEeY1WOWNMYni.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:948
      • C:\Windows\SysWOW64\wscript.exe
        "C:\Windows\SysWOW64\wscript.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:404
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\Y0GEeY1WOWNMYni.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:944

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/404-21-0x0000000000620000-0x0000000000647000-memory.dmp

      Filesize

      156KB

      Download

    • memory/404-22-0x0000000000790000-0x00000000007B8000-memory.dmp

      Filesize

      160KB

      Download

    • memory/404-20-0x0000000000620000-0x0000000000647000-memory.dmp

      Filesize

      156KB

      Download

    • memory/948-12-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/948-15-0x0000000001320000-0x000000000166A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/948-17-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/948-18-0x0000000000D70000-0x0000000000D80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3448-30-0x0000000008620000-0x0000000008728000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3448-28-0x0000000008620000-0x0000000008728000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3448-27-0x0000000008620000-0x0000000008728000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3448-23-0x0000000002CE0000-0x0000000002DB0000-memory.dmp

      Filesize

      832KB

      Download

    • memory/3448-19-0x0000000002CE0000-0x0000000002DB0000-memory.dmp

      Filesize

      832KB

      Download

    • memory/4928-9-0x0000000075060000-0x0000000075810000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4928-14-0x0000000075060000-0x0000000075810000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4928-0-0x000000007506E000-0x000000007506F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4928-11-0x000000000E560000-0x000000000E58E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4928-10-0x000000000BB60000-0x000000000BBC6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4928-4-0x0000000004ED0000-0x0000000004EDA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4928-3-0x0000000004F30000-0x0000000004FC2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4928-2-0x0000000005440000-0x00000000059E4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4928-1-0x0000000000420000-0x00000000004D0000-memory.dmp

      Filesize

      704KB

      Download

    • memory/4928-8-0x000000007506E000-0x000000007506F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4928-7-0x000000000B790000-0x000000000B82C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4928-6-0x0000000005140000-0x000000000515C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/4928-5-0x0000000075060000-0x0000000075810000-memory.dmp

      Filesize

      7.7MB

      Download