Overview

overview

10

Static

static

6

captured_m...lK.exe

windows7-x64

10

captured_m...lK.exe

windows10-2004-x64

10

captured_m...gn.apk

android-9-x86

captured_m...22.apk

windows7-x64

3

captured_m...22.apk

windows10-2004-x64

3

captured_m...22.apk

android-9-x86

captured_m...22.apk

android-9-x86

captured_m...22.apk

android-9-x86

captured_m...cE.exe

windows7-x64

10

captured_m...cE.exe

windows10-2004-x64

10

captured_m...ak.exe

windows7-x64

10

captured_m...ak.exe

windows10-2004-x64

10

captured_m...ly.exe

windows7-x64

10

captured_m...ly.exe

windows10-2004-x64

10

captured_m...Ql.exe

windows7-x64

10

captured_m...Ql.exe

windows10-2004-x64

10

captured_m...tU.exe

windows7-x64

10

captured_m...tU.exe

windows10-2004-x64

10

captured_m...2z.exe

windows7-x64

3

captured_m...2z.exe

windows10-2004-x64

3

captured_m...MU.exe

windows7-x64

10

captured_m...MU.exe

windows10-2004-x64

10

captured_m...EU.exe

windows7-x64

3

captured_m...EU.exe

windows10-2004-x64

3

captured_m...Gs.exe

windows7-x64

3

captured_m...Gs.exe

windows10-2004-x64

3

captured_m...i6.exe

windows7-x64

3

captured_m...i6.exe

windows10-2004-x64

3

captured_m...CW.exe

windows7-x64

10

captured_m...CW.exe

windows10-2004-x64

10

captured_m...s6.exe

windows7-x64

10

captured_m...s6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 20:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    captured_malware/6th july.exe

  • Size

    780KB

  • MD5

    09f8303a0b3321883bd45bc8a306c8b1

  • SHA1

    983164073f1b89c80a328b11b574d2a1df9f5a4d

  • SHA256

    17d143d76b7279d4a2aba0ec3c614714384bbc57f7b5c1018a76ae7b60da7049

  • SHA512

    93cbd57bc4ef41e8174e072b2685e0825925848bb516430ae56c0950ea50fffac8206af0616b24243da78454b1d592b807bf2c99b22dccc6ab9dd109897a50fa

  • SSDEEP

    12288:cK1MfoCRVXN5GnTOdU+CHpZszsAI5arGXbqFEjUKcvLFK2yxjRSxo80i5h5HsX:cK+QCRBIcGXbqdvzyxjRCoxi5hWX

Score
10/10
xloaderaqu2discoveryexecutionloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

aqu2

Decoy

thenewzhut.com

biovisionchemicalspvtltd.com

yanderyn.site

safiaccountant.com

covidrecess.com

danielmondoc.com

therealtortaylor.com

bermudesfcrasettlement.com

golloctror.com

render-products.com

dropshipsusa.com

sunburnedfeet.com

zambezeactuariosconsultores.com

mylove4tees.com

sanaall.life

southernbredandread.com

rirehub.com

safetyturk.com

income-academy.net

mahadevhomoeo.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 2 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1160
    • C:\Users\Admin\AppData\Local\Temp\captured_malware\6th july.exe
      "C:\Users\Admin\AppData\Local\Temp\captured_malware\6th july.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\captured_malware\6th july.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2688
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zUtAWZm.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2672
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zUtAWZm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD4EC.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2884
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zUtAWZm.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2628
      • C:\Users\Admin\AppData\Local\Temp\captured_malware\6th july.exe
        "C:\Users\Admin\AppData\Local\Temp\captured_malware\6th july.exe"
        3⤵
          PID:2508
        • C:\Users\Admin\AppData\Local\Temp\captured_malware\6th july.exe
          "C:\Users\Admin\AppData\Local\Temp\captured_malware\6th july.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1596
      • C:\Windows\SysWOW64\cscript.exe
        "C:\Windows\SysWOW64\cscript.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1800
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\captured_malware\6th july.exe"
          3⤵
          • Deletes itself
          • System Location Discovery: System Language Discovery
          PID:1524

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpD4EC.tmp
      Filesize

      1KB

      MD5

      4ed051b822393f4aa8b1c4d264663659

      SHA1

      7e8d4c6cfa3026e112bda84bd331b79a447aff79

      SHA256

      768c929460de9f6ddcf7c41df413dd7f2a385bad1687ff3981fd48fa2619f811

      SHA512

      78d4bee107e24f18010d91be13971e1f0d5d85608bf7cb8b9f968cb621a504b8fcbed5ca6cfee865b39046347a882187c9655eef9cfdde6d99c2cdb9b49951e5

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      bd8308e0ea7390147b349b8bda050026

      SHA1

      da35e71438b65fcc450a9f70607dc59df6127308

      SHA256

      87a2debfb12e68fe2ba79c796aa820aba0af60f00e1a9893d82499a09cc011c2

      SHA512

      be125ec9cd07cd1e5bbb40dbb14d82348ed48f335eb898522eccd1bab72e42482539aa1722d530ad5bc9bc0df39bb798a48c0cda72b9199a5e9ea3ceae124c46

      Download Submit

    • memory/1596-20-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/1596-22-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/1596-25-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/1596-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1800-34-0x0000000000070000-0x0000000000099000-memory.dmp

      Filesize

      164KB

      Download

    • memory/1800-33-0x0000000000320000-0x0000000000342000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2512-1-0x00000000009A0000-0x0000000000A6A000-memory.dmp

      Filesize

      808KB

      Download

    • memory/2512-3-0x00000000002D0000-0x00000000002E6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2512-2-0x00000000744D0000-0x0000000074BBE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2512-7-0x0000000000580000-0x00000000005B4000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2512-0-0x00000000744DE000-0x00000000744DF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2512-6-0x0000000005CB0000-0x0000000005D2A000-memory.dmp

      Filesize

      488KB

      Download

    • memory/2512-31-0x00000000744D0000-0x0000000074BBE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2512-5-0x00000000744D0000-0x0000000074BBE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2512-4-0x00000000744DE000-0x00000000744DF000-memory.dmp

      Filesize

      4KB

      Download