Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-11-2024 20:43

General

  • Target
    USD $.exe
  • Size
    1.0MB
  • MD5
    7098068c07032900ff073b55a8ad8e0b
  • SHA1
    5bdda0bc06b935689f29d55b297d0523d82c6bfa
  • SHA256
    2d7aac32ea8a8329262ead70ec2f030c1a4061e4edafdf03e605bb9ce606836e
  • SHA512
    c5568a37cd6cfa600af5742acd1143d434035e2b5d7caa515ccbf182c6f72030e28a3562ee9f5e9341bcc5aeef45f498434fb8ff6835bc07c04220440d0aaf39
  • SSDEEP
    12288:WA72Z5kzykTvNYf3ACtYKWBAZcQEuanCJ4ZTuWnCT2EypSTU0KfOgzUhr2X0GSGl:WAaZ5k7TvqfwCqiZ9149O21FCWZ

Malware Config

Extracted

  • Family
    xloader
  • Version
    2.3
  • Campaign
    weni
  • Decoy


Signatures

  • Xloader
    Xloader is a rebranded version of Formbook malware.
  • Xloader family
  • Xloader payload (4 IoCs)
  • Suspicious use of SetThreadContext (4 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Suspicious behavior: EnumeratesProcesses (47 IoCs)
  • Suspicious behavior: MapViewOfSection (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3488
      • C:\Users\Admin\AppData\Local\Temp\USD $.exe
        "C:\Users\Admin\AppData\Local\Temp\USD $.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3224
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "{path}"
          3⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1932
          • C:\Windows\SysWOW64\cmmon32.exe
            "C:\Windows\SysWOW64\cmmon32.exe"
            4⤵
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4936
            • C:\Windows\SysWOW64\cmd.exe
              /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4420
      • C:\Windows\SysWOW64\autofmt.exe
        "C:\Windows\SysWOW64\autofmt.exe"
        2⤵
          PID:5092
        • C:\Windows\SysWOW64\autofmt.exe
          "C:\Windows\SysWOW64\autofmt.exe"
          2⤵
            PID:2452

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1932-12-0x0000000000400000-0x0000000000428000-memory.dmp (160KB)
  • memory/1932-21-0x0000000000400000-0x0000000000428000-memory.dmp (160KB)
  • memory/1932-22-0x0000000002F30000-0x0000000002F40000-memory.dmp (64KB)
  • memory/1932-17-0x0000000000400000-0x0000000000428000-memory.dmp (160KB)
  • memory/1932-18-0x0000000000DD0000-0x0000000000DE0000-memory.dmp (64KB)
  • memory/1932-15-0x0000000001220000-0x000000000156A000-memory.dmp (3.3MB)
  • memory/3224-7-0x0000000005990000-0x0000000005998000-memory.dmp (32KB)
  • memory/3224-2-0x00000000082B0000-0x0000000008854000-memory.dmp (5.6MB)
  • memory/3224-8-0x00000000744AE000-0x00000000744AF000-memory.dmp (4KB)
  • memory/3224-9-0x00000000744A0000-0x0000000074C50000-memory.dmp (7.7MB)
  • memory/3224-10-0x0000000005E00000-0x0000000005E8C000-memory.dmp (560KB)
  • memory/3224-11-0x00000000058A0000-0x00000000058DA000-memory.dmp (232KB)
  • memory/3224-6-0x0000000005A20000-0x0000000005ABC000-memory.dmp (624KB)
  • memory/3224-14-0x00000000744A0000-0x0000000074C50000-memory.dmp (7.7MB)
  • memory/3224-5-0x0000000003300000-0x000000000330A000-memory.dmp (40KB)
  • memory/3224-4-0x00000000744A0000-0x0000000074C50000-memory.dmp (7.7MB)
  • memory/3224-3-0x0000000007DA0000-0x0000000007E32000-memory.dmp (584KB)
  • memory/3224-0-0x00000000744AE000-0x00000000744AF000-memory.dmp (4KB)
  • memory/3224-1-0x0000000000DE0000-0x0000000000EE6000-memory.dmp (1.0MB)
  • memory/3488-19-0x0000000003130000-0x00000000031FB000-memory.dmp (812KB)
  • memory/3488-23-0x0000000008610000-0x000000000873E000-memory.dmp (1.2MB)
  • memory/3488-24-0x0000000003130000-0x00000000031FB000-memory.dmp (812KB)
  • memory/3488-27-0x0000000008610000-0x000000000873E000-memory.dmp (1.2MB)
  • memory/3488-31-0x0000000008080000-0x0000000008130000-memory.dmp (704KB)
  • memory/3488-32-0x0000000008080000-0x0000000008130000-memory.dmp (704KB)
  • memory/3488-34-0x0000000008080000-0x0000000008130000-memory.dmp (704KB)
  • memory/4936-26-0x0000000000BB0000-0x0000000000BBC000-memory.dmp (48KB)
  • memory/4936-25-0x0000000000BB0000-0x0000000000BBC000-memory.dmp (48KB)
  • memory/4936-28-0x0000000000130000-0x0000000000158000-memory.dmp (160KB)