xloader | 64b9f04e500e377972f23c923e678d2d3ec4aecc42d0634de4e09570b1d58d35

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	Documents_pdf03243232 SHPMT.exe

Xloader payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/2712-49-0x0000000000400000-0x000000000042B000-memory.dmp	xloader
behavioral2/memory/4020-92-0x00000000008D0000-0x00000000008FB000-memory.dmp	xloader

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4124	powershell.exe
5116	powershell.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Documents_pdf03243232 SHPMT.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Documents_pdf03243232 SHPMT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Documents_pdf03243232 SHPMT.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	Documents_pdf03243232 SHPMT.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Documents_pdf03243232 SHPMT.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Documents_pdf03243232 SHPMT.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4248 set thread context of 2712	4248	Documents_pdf03243232 SHPMT.exe	106
PID 2712 set thread context of 3428	2712	Documents_pdf03243232 SHPMT.exe	56
PID 4020 set thread context of 3428	4020	help.exe	56

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	help.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Documents_pdf03243232 SHPMT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3460	schtasks.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
4248	Documents_pdf03243232 SHPMT.exe
4124	powershell.exe
5116	powershell.exe
5116	powershell.exe
4248	Documents_pdf03243232 SHPMT.exe
4248	Documents_pdf03243232 SHPMT.exe
5116	powershell.exe
4124	powershell.exe
4124	powershell.exe
4248	Documents_pdf03243232 SHPMT.exe
2712	Documents_pdf03243232 SHPMT.exe
2712	Documents_pdf03243232 SHPMT.exe
2712	Documents_pdf03243232 SHPMT.exe
2712	Documents_pdf03243232 SHPMT.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe
4020	help.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2712	Documents_pdf03243232 SHPMT.exe
2712	Documents_pdf03243232 SHPMT.exe
2712	Documents_pdf03243232 SHPMT.exe
4020	help.exe
4020	help.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	4248	Documents_pdf03243232 SHPMT.exe
Token: SeDebugPrivilege	4124	powershell.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	2712	Documents_pdf03243232 SHPMT.exe
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeDebugPrivilege	4020	help.exe
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3428	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 4124	4248	Documents_pdf03243232 SHPMT.exe	100
PID 4248 wrote to memory of 4124	4248	Documents_pdf03243232 SHPMT.exe	100
PID 4248 wrote to memory of 4124	4248	Documents_pdf03243232 SHPMT.exe	100
PID 4248 wrote to memory of 5116	4248	Documents_pdf03243232 SHPMT.exe	102
PID 4248 wrote to memory of 5116	4248	Documents_pdf03243232 SHPMT.exe	102
PID 4248 wrote to memory of 5116	4248	Documents_pdf03243232 SHPMT.exe	102
PID 4248 wrote to memory of 3460	4248	Documents_pdf03243232 SHPMT.exe	104
PID 4248 wrote to memory of 3460	4248	Documents_pdf03243232 SHPMT.exe	104
PID 4248 wrote to memory of 3460	4248	Documents_pdf03243232 SHPMT.exe	104
PID 4248 wrote to memory of 2712	4248	Documents_pdf03243232 SHPMT.exe	106
PID 4248 wrote to memory of 2712	4248	Documents_pdf03243232 SHPMT.exe	106
PID 4248 wrote to memory of 2712	4248	Documents_pdf03243232 SHPMT.exe	106
PID 4248 wrote to memory of 2712	4248	Documents_pdf03243232 SHPMT.exe	106
PID 4248 wrote to memory of 2712	4248	Documents_pdf03243232 SHPMT.exe	106
PID 4248 wrote to memory of 2712	4248	Documents_pdf03243232 SHPMT.exe	106
PID 3428 wrote to memory of 4020	3428	Explorer.EXE	107
PID 3428 wrote to memory of 4020	3428	Explorer.EXE	107
PID 3428 wrote to memory of 4020	3428	Explorer.EXE	107
PID 4020 wrote to memory of 5000	4020	help.exe	108
PID 4020 wrote to memory of 5000	4020	help.exe	108
PID 4020 wrote to memory of 5000	4020	help.exe	108

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Users\Admin\AppData\Local\Temp\Documents_pdf03243232 SHPMT.exe
  "C:\Users\Admin\AppData\Local\Temp\Documents_pdf03243232 SHPMT.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4248
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Documents_pdf03243232 SHPMT.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4124
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\itovgklgs.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5116
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\itovgklgs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp273A.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3460
- - C:\Users\Admin\AppData\Local\Temp\Documents_pdf03243232 SHPMT.exe
    "C:\Users\Admin\AppData\Local\Temp\Documents_pdf03243232 SHPMT.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Documents_pdf03243232 SHPMT.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion