Overview

overview

10

Static

static

3

EPDA MV.Sw...df.exe

windows7-x64

10

EPDA MV.Sw...df.exe

windows10-2004-x64

7

3bp6xookqs5b.dll

windows7-x64

3

3bp6xookqs5b.dll

windows10-2004-x64

3

c0qit2o.exe

windows7-x64

3

c0qit2o.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 20:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    EPDA MV.Sweet Lady.lll_pdf.exe

  • Size

    205KB

  • MD5

    a89f3213f565db4ec7d6daa25ccf5bb5

  • SHA1

    8764eccfa6c1689d8cfe90a652becce02ad94692

  • SHA256

    0bc4d1e45ab93d84a42b64fc2d0514440e13dc7afbed98e51e38f1d5d5229844

  • SHA512

    405cc3880b2eafc91f5cf06175b21de2f4d9b534db7dcc7f42325891d1573cde6b80646e72ddcbd7366610a5cb1bc2000f3de524b667310b7fb03d42167f29dd

  • SSDEEP

    6144:r9X0GfXLULFwWCnObVvM7FroK5W9JuqJ4d:F0qX45sObyloK5WXTOd

Score
10/10
xloaderoeandiscoveryloaderrat

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

oean

Decoy

kallitheasolutions.com

k-kard.com

mattvasilevski.com

gralg.com

lpbbxsfwwp.xyz

sahinligrup.com

forestgreens.club

qianduoduo.ink

futbolzone.site

rulesofvegas.com

theternarygroup.com

basenic.club

profitcenterresearch.com

cottonwoodcollection.com

chicagosecuritygates.com

hochfranken-feuilleton.com

carpetilo.com

adapt-2-nature.com

shasyaveda.com

altinovahotel.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader family
    xloader
  • Xloader payload 3 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Users\Admin\AppData\Local\Temp\EPDA MV.Sweet Lady.lll_pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\EPDA MV.Sweet Lady.lll_pdf.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1288
      • C:\Users\Admin\AppData\Local\Temp\c0qit2o.exe
        "C:\Users\Admin\AppData\Local\Temp\c0qit2o.exe" "C:\Users\Admin\AppData\Local\Temp\3bp6xookqs5b.dll" "C:\Users\Admin\AppData\Local\Temp\rngdwqew.pa"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2000
        • C:\Users\Admin\AppData\Local\Temp\c0qit2o.exe
          "C:\Users\Admin\AppData\Local\Temp\c0qit2o.exe" "C:\Users\Admin\AppData\Local\Temp\3bp6xookqs5b.dll" "C:\Users\Admin\AppData\Local\Temp\rngdwqew.pa"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2176
    • C:\Windows\SysWOW64\wuapp.exe
      "C:\Windows\SysWOW64\wuapp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\c0qit2o.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2840

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3bp6xookqs5b.dll
    Filesize

    11KB

    MD5

    ee224cf89c92d8b8d08cbd9dc183e6a7

    SHA1

    8ab4416951d706730fdcf9422ac39a7308bd3443

    SHA256

    bd5ba137ea2f0162b1baaa6483f5f8d56a3327818c0c96a2b04842638625a8f3

    SHA512

    261a568b8b3ee4a3b8fef2dd99889495ef91c05a1e593c23d36ebb495872e6623f8be20630a52126dbde8720aabd24f047b3cc654f744afe9310a4da01702005

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\rngdwqew.pa
    Filesize

    160KB

    MD5

    01c084425646663c72aca37f6d264116

    SHA1

    0e386be132328bd1c43d811be34c02b2a1bd80ad

    SHA256

    80c94eec38b6643d285080dfdb4aaf80d0657c05745df2f2c87538286d64777f

    SHA512

    acdb151145d06703516368ff46f4cd46c80280a90ac98700668c39fddfb3dbbd661721004dabdaab6902eb33788c852c9507a0dc591a1445e169f2a54e1de857

    Download Submit

  • \Users\Admin\AppData\Local\Temp\c0qit2o.exe
    Filesize

    3KB

    MD5

    2632c0058c899f8a94077b5abab7cc96

    SHA1

    2b2e620c7964d27828f903ebe4cf9359390a5f06

    SHA256

    10241509299a29e8bd8c016b7ede6703a00915f65ae5165268f58bae93cdf37e

    SHA512

    a662a4ff0bfe8fafd3216ec98930a9805b8771d05fb803d3d9a9a99ce04e145ae60bcc4ed63574c712994e6aec90f03a1900a64e6a0021d010b0f016913d801e

    Download Submit

  • memory/1192-24-0x0000000004490000-0x00000000045BC000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1192-32-0x00000000051B0000-0x0000000005305000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1192-18-0x0000000004490000-0x00000000045BC000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1192-30-0x00000000051B0000-0x0000000005305000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1192-29-0x00000000051B0000-0x0000000005305000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2000-9-0x0000000010000000-0x0000000010006000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2000-15-0x0000000010000000-0x0000000010006000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2176-17-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2176-13-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2320-23-0x0000000000090000-0x00000000000B8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2320-21-0x0000000000C70000-0x0000000000C7B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2320-22-0x0000000000C70000-0x0000000000C7B000-memory.dmp

    Filesize

    44KB

    Download