Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
21-11-2024 20:36
General
-
Target
Original BL Invoice & Packing List pdf.exe
-
Size
1.2MB
-
MD5
32edc7a227ce30813c73756c2fdc90cd
-
SHA1
bcf54c69b988f72a819f15692f53f5eb839a4be7
-
SHA256
3f88232fbf581d4a628de3b80c624fdabea29d159917ef596fe13b2f49f8268e
-
SHA512
c97da96cd175f107538eae3a7eef076b24faf69721ab52a2d01b0a5b2c67f3140c2b8eef48d51a4b74334eac8f678116102705aff66cc127eef8c82693a9f989
-
SSDEEP
24576:aYNkCmS4OsBgo0q4wMZa3mK/vfW+t3leBsAU8:aEZoHMZa2K3P1eB
Malware Config
Extracted
xloader
2.3
c3sc
vnye2037.com
adopttongling.com
miss-bim.com
ylyqrbii.icu
iregentos.info
teseipropiedades.com
jsprimer.com
keepminkowicz.com
7999399.com
bdgooddq.com
komovnrebi.com
politicalswim.com
justokaydrawings.com
eglidons.com
ici-voyant.com
thirstymarketing.com
viajesyturismo360.com
shadesofshadow.com
learnenglishinceret.com
notnotdown.club
Signatures
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Xloader family
-
CustAttr .NET packer 1 IoCs
Detects CustAttr .NET packer in memory.
-
Xloader payload 3 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Original BL Invoice & Packing List pdf.exe"C:\Users\Admin\AppData\Local\Temp\Original BL Invoice & Packing List pdf.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Original BL Invoice & Packing List pdf.exe"C:\Users\Admin\AppData\Local\Temp\Original BL Invoice & Packing List pdf.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\Original BL Invoice & Packing List pdf.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
164KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
760KB
-
Filesize
760KB
-
Filesize
760KB
-
Filesize
852KB
-
Filesize
852KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
344KB
-
Filesize
7.7MB
-
Filesize
480KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
1.2MB