Analysis
-
max time kernel
145s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
06-02-2025 06:57
General
-
Target
Documents_pdf03243232 SHPMT.exe
-
Size
975KB
-
MD5
7e31f4f040cec802a5608cdd9b356f5c
-
SHA1
e1b37eaba8fd77fc8aabbc5dfe2bc7b06943ef98
-
SHA256
64b9f04e500e377972f23c923e678d2d3ec4aecc42d0634de4e09570b1d58d35
-
SHA512
705a3c7b0b3d0f61dc3fb80d34d3eda60e901ce8b7de6a60bfa913397bb75ddf602ba2c0219e0aadadfcd95ce5bdc6ad7465834722d4a975494fb32f8e8042ee
-
SSDEEP
24576:vfVoFufS+s4AG5pZxln2hJoGlIF22Gk2PSGQOs8D:HaFurAGpZxd+tlIF2m2aGd
Malware Config
Extracted
xloader
2.6
n8it
360-nft.com
reversedwarbler.com
corefina.com
pettigestudio.com
bienvenidomiami.com
directoriobid.com
ydshine.com
xuemengyc.com
crossfitlaquila.com
strongdigits.com
goldendtatedermatology.com
onlinecryptoarbitrage.com
ziyuechloezhang.com
khaijd.com
pickleballgiant.info
shopcycles3.com
dynamicmetalbuildings.com
vandorainvestmentpartners.com
syzbf15.xyz
directbizlending.xyz
Signatures
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Xloader family
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Xloader payload 3 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Documents_pdf03243232 SHPMT.exe"C:\Users\Admin\AppData\Local\Temp\Documents_pdf03243232 SHPMT.exe"2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Documents_pdf03243232 SHPMT.exe"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\itovgklgs.exe"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\itovgklgs" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCDF9.tmp"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\Documents_pdf03243232 SHPMT.exe"C:\Users\Admin\AppData\Local\Temp\Documents_pdf03243232 SHPMT.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\SysWOW64\wscript.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\Documents_pdf03243232 SHPMT.exe"3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5e399578e87d069e1cd99eec77cad4f91
SHA1bd5749e9c0899d2f1822365ef5f4e54d86f1e97f
SHA256df5bc67a78799a523a3b3c16115629a0b8c7d78017f5cccb7be278da9cc4936d
SHA51225a63daabf237ffba8cef660a529e91e2ba63a74cfc26ec346f945d4786225fea4ef1f3fd9b14ead7abfdee288b2718da45589af0d86787f692a6f06251d0fbd
-
Filesize
7KB
MD5533b7800b55663ba8cd3fb771f4d2899
SHA150ff83227e10d38587605bfb0521858b84e06d0d
SHA256f95d1cbbc8096b83962c895c72843946c525517eabedf7fcd22ecb1725eb0064
SHA51269ba2fa40a17372f0d6096940303e162d02a562d1e4ae6326d84a5759eba28981d112c0e1a1b3dd721bccccc96cadfb25f7624188f54aa9cc8ea77b2fd6c641a
-
Filesize
1.5MB
-
Filesize
172KB
-
Filesize
152KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
200KB
-
Filesize
4KB
-
Filesize
480KB
-
Filesize
56KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
104KB
-
Filesize
6.9MB
-
Filesize
992KB