Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 20:42

General

  • Target

    $PLUGINSDIR/772vhhojj684oi.dll

  • Size

    5KB

  • MD5

    5e3d3dadd742c63f01034fb9175caef2

  • SHA1

    a3c3cdd8ba24655f36ef248678efe1fade8bc6e8

  • SHA256

    c5e4e3bca252502d2c1b4dd9af51de6f14f495b97965e6f0cb9689ce2501afe1

  • SHA512

    6d19e6f22dd4442baf620111e4370ebe83acde452240dfb171c6492051f9cbede8d1c0a7de538d012e20ef98e07d61ed1e126050a890425f4a868f27a4d66440

  • SSDEEP

    96:EBxUgFl44+MRTXtEm1Rtwz6SJtxuR3kx:E1lRTv1Rtwz6

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

u8nw

Decoy

constructionjadams.com

organicwellnessfarm.com

beautiful.tours

medvows.com

foxparanormal.com

fsmxmc.com

graniterealestategroup.net

qgi1.com

astrologicsolutions.com

rafbar.com

bastiontools.net

emotist.com

stacyleets.com

bloodtypealpha.com

healtybenenfitsplus.com

vavadadoa3.com

chefbenhk.com

dotgz.com

xn--z4qm188e645c.com

ethyi.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader family
  • Xloader payload 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1204
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\772vhhojj684oi.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3036
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\772vhhojj684oi.dll,#1
        3⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2432
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\772vhhojj684oi.dll,#1
          4⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2360
          • C:\Windows\SysWOW64\msiexec.exe
            "C:\Windows\SysWOW64\msiexec.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2152
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 268
              6⤵
              • Program crash
              PID:2840

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1204-10-0x0000000004520000-0x00000000045DE000-memory.dmp

    Filesize

    760KB

  • memory/1204-18-0x0000000006950000-0x0000000006A72000-memory.dmp

    Filesize

    1.1MB

  • memory/1204-6-0x0000000004520000-0x00000000045DE000-memory.dmp

    Filesize

    760KB

  • memory/1204-11-0x0000000006950000-0x0000000006A72000-memory.dmp

    Filesize

    1.1MB

  • memory/2152-15-0x0000000000AF0000-0x0000000000B04000-memory.dmp

    Filesize

    80KB

  • memory/2152-12-0x0000000000AF0000-0x0000000000B04000-memory.dmp

    Filesize

    80KB

  • memory/2152-13-0x0000000000AF0000-0x0000000000B04000-memory.dmp

    Filesize

    80KB

  • memory/2360-5-0x00000000000E0000-0x00000000000F0000-memory.dmp

    Filesize

    64KB

  • memory/2360-9-0x0000000000230000-0x0000000000240000-memory.dmp

    Filesize

    64KB

  • memory/2360-8-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2360-4-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2360-2-0x00000000020B0000-0x00000000023B3000-memory.dmp

    Filesize

    3.0MB

  • memory/2360-1-0x0000000000400000-0x0000000000429000-memory.dmp

    Filesize

    164KB

  • memory/2432-0-0x0000000000140000-0x0000000000142000-memory.dmp

    Filesize

    8KB