Overview

overview

10

Static

static

3

d080ca9f39...1b.exe

windows7-x64

10

d080ca9f39...1b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 20:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d080ca9f39e30376eebb0d8a0c171ef29f24b5d3aa3b7c7f5ff35f6af9d67b1b.exe

  • Size

    877KB

  • MD5

    79a8396afa4bafa7fa10abf4d9742460

  • SHA1

    0b44500dc9152a7fa8a26243e240e63a46097d41

  • SHA256

    d080ca9f39e30376eebb0d8a0c171ef29f24b5d3aa3b7c7f5ff35f6af9d67b1b

  • SHA512

    8b24ff09b77cb0bf7c8cfde7cbcf3c285370e7390452dc2dfeba18d588a93c17ed3196b61e3d9a58bf3fdc4bf136a38910b09af83523ceea0fbf28277e8631c0

  • SSDEEP

    12288:wgEf1smrkBTZsJwO80kgSxeZgitF1McwLVmadIdzZjOUv0wOf3gq8jqGJ5g7d6D3:UzrvJw6k1xIEpRazBd1sjE5g7d0Cq

Score
10/10
xloadershbcdiscoveryexecutionloaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

shbc

Decoy

ccee77.com

rkfb11.website

dhanwantarifirstaid.com

lindakmiller.store

cedarparkproperty.com

one9online.com

universecells.com

spanshlifepace.com

eternityprivatewealth.com

rocknripple.com

lk-safe-keepingtoyof6.xyz

settacorp.com

bhy8.com

hxkpcom.com

woyaobudan8.com

geleisi168.com

movilitatelectrica.com

jhesuveels.quest

nijigenutopia.com

odlublina.xyz

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 1 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d080ca9f39e30376eebb0d8a0c171ef29f24b5d3aa3b7c7f5ff35f6af9d67b1b.exe
    "C:\Users\Admin\AppData\Local\Temp\d080ca9f39e30376eebb0d8a0c171ef29f24b5d3aa3b7c7f5ff35f6af9d67b1b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3656
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZmwVUlufxBPsEC.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4488
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZmwVUlufxBPsEC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp39F7.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1212
    • C:\Users\Admin\AppData\Local\Temp\d080ca9f39e30376eebb0d8a0c171ef29f24b5d3aa3b7c7f5ff35f6af9d67b1b.exe
      "C:\Users\Admin\AppData\Local\Temp\d080ca9f39e30376eebb0d8a0c171ef29f24b5d3aa3b7c7f5ff35f6af9d67b1b.exe"
      2⤵
        PID:1904
      • C:\Users\Admin\AppData\Local\Temp\d080ca9f39e30376eebb0d8a0c171ef29f24b5d3aa3b7c7f5ff35f6af9d67b1b.exe
        "C:\Users\Admin\AppData\Local\Temp\d080ca9f39e30376eebb0d8a0c171ef29f24b5d3aa3b7c7f5ff35f6af9d67b1b.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2744

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qtllrplw.3vd.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp39F7.tmp
      Filesize

      1KB

      MD5

      ced8663cebbfcfb885404c47a87f0978

      SHA1

      fa4c7c94f00c893d8506ea73598cfbf716e974fe

      SHA256

      968a73fc3e94167f4de97a16509e7a3b1a2989574e236d89ae7f2d06a5a54b97

      SHA512

      f7074bcedf43d3d36cc45f1f65a7d4efb103ef6f93e03ec5a3f730559bc401fdcde39c356044c97c1832c32618a386268cc009ec448faa1b239fd99e80e3fa00

      Download Submit

    • memory/2744-23-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/2744-29-0x00000000016C0000-0x0000000001A0A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3656-4-0x0000000074C70000-0x0000000075420000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3656-5-0x0000000005180000-0x000000000518A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3656-6-0x00000000053C0000-0x00000000053D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3656-7-0x0000000074C7E000-0x0000000074C7F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3656-8-0x0000000074C70000-0x0000000075420000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3656-9-0x0000000007BC0000-0x0000000007C5C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3656-10-0x0000000007C60000-0x0000000007D20000-memory.dmp

      Filesize

      768KB

      Download

    • memory/3656-0-0x0000000074C7E000-0x0000000074C7F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3656-3-0x0000000005190000-0x0000000005222000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3656-2-0x00000000056A0000-0x0000000005C44000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3656-1-0x00000000007C0000-0x00000000008A2000-memory.dmp

      Filesize

      904KB

      Download

    • memory/3656-28-0x0000000074C70000-0x0000000075420000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3656-20-0x0000000007D20000-0x0000000007D62000-memory.dmp

      Filesize

      264KB

      Download

    • memory/4488-15-0x0000000002D80000-0x0000000002DB6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4488-55-0x0000000002E40000-0x0000000002E50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4488-18-0x0000000074C70000-0x0000000075420000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4488-27-0x0000000006000000-0x0000000006066000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4488-16-0x0000000074C70000-0x0000000075420000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4488-17-0x00000000058F0000-0x0000000005F18000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4488-26-0x0000000005F90000-0x0000000005FF6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4488-25-0x00000000058C0000-0x00000000058E2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4488-39-0x0000000006080000-0x00000000063D4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4488-40-0x0000000006670000-0x000000000668E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4488-41-0x00000000066B0000-0x00000000066FC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4488-42-0x000000007F8F0000-0x000000007F900000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4488-43-0x0000000007630000-0x0000000007662000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4488-44-0x0000000071160000-0x00000000711AC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4488-56-0x0000000006C50000-0x0000000006C6E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4488-22-0x0000000074C70000-0x0000000075420000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4488-54-0x0000000002E40000-0x0000000002E50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4488-57-0x0000000007670000-0x0000000007713000-memory.dmp

      Filesize

      652KB

      Download

    • memory/4488-58-0x0000000008050000-0x00000000086CA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4488-59-0x00000000079D0000-0x00000000079EA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4488-60-0x0000000007A30000-0x0000000007A3A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4488-61-0x0000000007C40000-0x0000000007CD6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/4488-62-0x0000000007BC0000-0x0000000007BD1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4488-63-0x0000000074C70000-0x0000000075420000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4488-64-0x0000000007BF0000-0x0000000007BFE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4488-65-0x0000000007C00000-0x0000000007C14000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4488-66-0x0000000007D00000-0x0000000007D1A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4488-67-0x0000000007CE0000-0x0000000007CE8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4488-68-0x0000000074C70000-0x0000000075420000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4488-71-0x0000000074C70000-0x0000000075420000-memory.dmp

      Filesize

      7.7MB

      Download