Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-12-2024 12:40

General

  • Target

    USD $.exe

  • Size

    1.0MB

  • MD5

    7098068c07032900ff073b55a8ad8e0b

  • SHA1

    5bdda0bc06b935689f29d55b297d0523d82c6bfa

  • SHA256

    2d7aac32ea8a8329262ead70ec2f030c1a4061e4edafdf03e605bb9ce606836e

  • SHA512

    c5568a37cd6cfa600af5742acd1143d434035e2b5d7caa515ccbf182c6f72030e28a3562ee9f5e9341bcc5aeef45f498434fb8ff6835bc07c04220440d0aaf39

  • SSDEEP

    12288:WA72Z5kzykTvNYf3ACtYKWBAZcQEuanCJ4ZTuWnCT2EypSTU0KfOgzUhr2X0GSGl:WAaZ5k7TvqfwCqiZ9149O21FCWZ

Malware Config

Extracted

  • Family
    xloader
  • Version
    2.3
  • Campaign
    weni
  • Decoy


Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader family
  • Xloader payload 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3476
    • C:\Users\Admin\AppData\Local\Temp\USD $.exe
      "C:\Users\Admin\AppData\Local\Temp\USD $.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:728
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "{path}"
        3⤵
        PID:4628
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "{path}"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2956
      • C:\Windows\SysWOW64\help.exe
        "C:\Windows\SysWOW64\help.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:824
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3144

Downloads

  • memory/728-6-0x0000000005340000-0x00000000053DC000-memory.dmp (Filesize 624KB)
  • memory/728-1-0x00000000006E0000-0x00000000007E6000-memory.dmp (Filesize 1.0MB)
  • memory/728-2-0x0000000007BD0000-0x0000000008174000-memory.dmp (Filesize 5.6MB)
  • memory/728-3-0x0000000007700000-0x0000000007792000-memory.dmp (Filesize 584KB)
  • memory/728-5-0x0000000002B90000-0x0000000002B9A000-memory.dmp (Filesize 40KB)
  • memory/728-4-0x0000000074690000-0x0000000074E40000-memory.dmp (Filesize 7.7MB)
  • memory/728-14-0x0000000074690000-0x0000000074E40000-memory.dmp (Filesize 7.7MB)
  • memory/728-7-0x00000000052B0000-0x00000000052B8000-memory.dmp (Filesize 32KB)
  • memory/728-8-0x000000007469E000-0x000000007469F000-memory.dmp (Filesize 4KB)
  • memory/728-9-0x0000000074690000-0x0000000074E40000-memory.dmp (Filesize 7.7MB)
  • memory/728-10-0x0000000005720000-0x00000000057AC000-memory.dmp (Filesize 560KB)
  • memory/728-11-0x0000000005220000-0x000000000525A000-memory.dmp (Filesize 232KB)
  • memory/728-0-0x000000007469E000-0x000000007469F000-memory.dmp (Filesize 4KB)
  • memory/824-21-0x0000000000930000-0x0000000000937000-memory.dmp (Filesize 28KB)
  • memory/824-20-0x0000000000930000-0x0000000000937000-memory.dmp (Filesize 28KB)
  • memory/824-22-0x0000000000610000-0x0000000000638000-memory.dmp (Filesize 160KB)
  • memory/2956-15-0x0000000001590000-0x00000000018DA000-memory.dmp (Filesize 3.3MB)
  • memory/2956-18-0x0000000001120000-0x0000000001130000-memory.dmp (Filesize 64KB)
  • memory/2956-17-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
  • memory/2956-12-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
  • memory/3476-19-0x0000000002B30000-0x0000000002BE9000-memory.dmp (Filesize 740KB)
  • memory/3476-23-0x0000000002B30000-0x0000000002BE9000-memory.dmp (Filesize 740KB)
  • memory/3476-27-0x0000000008860000-0x0000000008997000-memory.dmp (Filesize 1.2MB)
  • memory/3476-29-0x0000000008860000-0x0000000008997000-memory.dmp (Filesize 1.2MB)