Overview

overview

10

Static

static

3

d080ca9f39...1b.exe

windows7-x64

10

d080ca9f39...1b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 20:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d080ca9f39e30376eebb0d8a0c171ef29f24b5d3aa3b7c7f5ff35f6af9d67b1b.exe

  • Size

    877KB

  • MD5

    79a8396afa4bafa7fa10abf4d9742460

  • SHA1

    0b44500dc9152a7fa8a26243e240e63a46097d41

  • SHA256

    d080ca9f39e30376eebb0d8a0c171ef29f24b5d3aa3b7c7f5ff35f6af9d67b1b

  • SHA512

    8b24ff09b77cb0bf7c8cfde7cbcf3c285370e7390452dc2dfeba18d588a93c17ed3196b61e3d9a58bf3fdc4bf136a38910b09af83523ceea0fbf28277e8631c0

  • SSDEEP

    12288:wgEf1smrkBTZsJwO80kgSxeZgitF1McwLVmadIdzZjOUv0wOf3gq8jqGJ5g7d6D3:UzrvJw6k1xIEpRazBd1sjE5g7d0Cq

Score
10/10
xloadershbcdiscoveryexecutionloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

shbc

Decoy

ccee77.com

rkfb11.website

dhanwantarifirstaid.com

lindakmiller.store

cedarparkproperty.com

one9online.com

universecells.com

spanshlifepace.com

eternityprivatewealth.com

rocknripple.com

lk-safe-keepingtoyof6.xyz

settacorp.com

bhy8.com

hxkpcom.com

woyaobudan8.com

geleisi168.com

movilitatelectrica.com

jhesuveels.quest

nijigenutopia.com

odlublina.xyz

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 1 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d080ca9f39e30376eebb0d8a0c171ef29f24b5d3aa3b7c7f5ff35f6af9d67b1b.exe
    "C:\Users\Admin\AppData\Local\Temp\d080ca9f39e30376eebb0d8a0c171ef29f24b5d3aa3b7c7f5ff35f6af9d67b1b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZmwVUlufxBPsEC.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2728
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZmwVUlufxBPsEC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2F89.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2736
    • C:\Users\Admin\AppData\Local\Temp\d080ca9f39e30376eebb0d8a0c171ef29f24b5d3aa3b7c7f5ff35f6af9d67b1b.exe
      "C:\Users\Admin\AppData\Local\Temp\d080ca9f39e30376eebb0d8a0c171ef29f24b5d3aa3b7c7f5ff35f6af9d67b1b.exe"
      2⤵
        PID:2052
      • C:\Users\Admin\AppData\Local\Temp\d080ca9f39e30376eebb0d8a0c171ef29f24b5d3aa3b7c7f5ff35f6af9d67b1b.exe
        "C:\Users\Admin\AppData\Local\Temp\d080ca9f39e30376eebb0d8a0c171ef29f24b5d3aa3b7c7f5ff35f6af9d67b1b.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2896

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp2F89.tmp
      Filesize

      1KB

      MD5

      8046a241ecc2a0a4ea03509977aa21f6

      SHA1

      0737c6b510c811cdb4bd7f1c1dc5e06bc4a28db8

      SHA256

      7ff49aff492c50393cf2cffb3b44e81a2ef90230b978a010b71700f67c0d3c74

      SHA512

      ff9907f64ec2f6f4b06adf3971706c94b4e9a7e3f75e885ea256094d19cbebffbbaf20373504c51f51607082d9c94eb9605049bce93c240ceaa3169f2a2cc104

      Download Submit

    • memory/2012-3-0x00000000003C0000-0x00000000003D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2012-2-0x00000000748A0000-0x0000000074F8E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2012-0-0x00000000748AE000-0x00000000748AF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2012-4-0x00000000748A0000-0x0000000074F8E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2012-5-0x00000000059D0000-0x0000000005A90000-memory.dmp

      Filesize

      768KB

      Download

    • memory/2012-1-0x0000000000140000-0x0000000000222000-memory.dmp

      Filesize

      904KB

      Download

    • memory/2012-13-0x00000000020A0000-0x00000000020E2000-memory.dmp

      Filesize

      264KB

      Download

    • memory/2012-20-0x00000000748A0000-0x0000000074F8E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2896-14-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/2896-19-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/2896-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2896-16-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download