Overview

overview

10

Static

static

3

Purchase Order.exe

windows7-x64

10

Purchase Order.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 20:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase Order.exe

  • Size

    746KB

  • MD5

    fc644e1753c0f510615c969a037a53df

  • SHA1

    594cf60d934b1aa008a24608f2aa781238d5bf52

  • SHA256

    766f746c512714ce38f8d0d43f7a0aba6fee673b77211c11542f5133ff25ead0

  • SHA512

    0d5ebc07a9614ac71a5189fee599d4ee8b05603ec8eecb06a6c30b723f8173df9b0b096ec2f1ce68d510422089a369b1713f1589600a47877edccfb0417c11df

  • SSDEEP

    12288:Dj/+raF5JN45uvfRqCdXb6GYkExocVDKl4IVBzI9bH1FCDtWHmawPuvnCuxFn+CO:DjW23J59dXb6zBxocVmP89jq

Score
10/10
xloaderhow6discoveryloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

how6

Decoy

wealthcabana.com

fourfortyfourcreations.com

cqqcsy.com

bhwzjd.com

niftyfashionrewards.com

andersongiftemporium.com

smarttradingcoin.com

ilarealty.com

sherrywine.net

fsecg.info

xoti.top

pirosconsulting.com

fundapie.com

bbgm4egda.xyz

legalfortmyers.com

improvizy.com

yxdyhs.com

lucky2balls.com

panelmall.com

davenportkartway.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2100
      • C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
        "{path}"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2340
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2860
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
        3⤵
        • Deletes itself
        • System Location Discovery: System Language Discovery
        PID:2724

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1192-25-0x0000000005060000-0x0000000005206000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/1192-21-0x0000000005060000-0x0000000005206000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2100-16-0x0000000074B20000-0x000000007520E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2100-2-0x0000000074B20000-0x000000007520E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2100-1-0x0000000000050000-0x0000000000110000-memory.dmp

    Filesize

    768KB

    Download

  • memory/2100-0-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2100-4-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2100-5-0x0000000074B20000-0x000000007520E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2100-6-0x0000000004C90000-0x0000000004D12000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2100-7-0x00000000021A0000-0x00000000021D0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2100-3-0x0000000000560000-0x000000000056A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2340-15-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2340-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2340-17-0x0000000000870000-0x0000000000B73000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2340-20-0x0000000000290000-0x00000000002A1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2340-19-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2340-9-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2340-10-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

    Download

  • memory/2860-23-0x0000000000390000-0x00000000003B6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2860-22-0x0000000000390000-0x00000000003B6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2860-24-0x0000000000070000-0x0000000000099000-memory.dmp

    Filesize

    164KB

    Download