Analysis
max time kernel: 147s
max time network: 89s
platform: windows7_x64
resource: win7v20201028
submitted: 12-01-2021 18:00

Static task: static1
Behavioral task: behavioral1
Sample: Doc_74657456348374.xlsx.exe
Resource: win7v20201028

General
Target: Doc_74657456348374.xlsx.exe
Size: 731KB
MD5: 1e8f1e78b590bd90b327429d233c2fe9
SHA1: 83eb02aa8a04deb275763d0ca93b130241d241a2
SHA256: 180444e71cfbd639cea07e4cdc28099a444839f5ad3eb024b87dc9664fdfd5ec
SHA512: fb6133a86040405c7063effed12866f9964ff3fe323726624806c3f718296de9fa9930235acb4ef28090fa2bc9c5194bc4f0bb9e0b29399f0ffc936c40025c55
Malware Config
Extracted
formbook
Signatures

Xloader Payload (3 IoCs)
yara_rule xloader matched in:
  behavioral1/memory/400-9-0x0000000000400000-0x0000000000428000-memory.dmp
  behavioral1/memory/400-10-0x000000000041D030-mapping.dmp
  behavioral1/memory/1028-11-0x0000000000000000-mapping.dmp

Deletes itself (1 IoC)
Processes: cmd.exe
  PID 920 cmd.exe

Suspicious use of SetThreadContext (4 IoCs)
Processes: Doc_74657456348374.xlsx.exe, systray.exe
  PID 1204 (Doc_74657456348374.xlsx.exe) set thread context of PID 400 (Doc_74657456348374.xlsx.exe)
  PID 400 (Doc_74657456348374.xlsx.exe) set thread context of PID 1264 (Explorer.EXE)
  PID 400 (Doc_74657456348374.xlsx.exe) set thread context of PID 1264 (Explorer.EXE)
  PID 1028 (systray.exe) set thread context of PID 1264 (Explorer.EXE)

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (23 IoCs)
Processes: Doc_74657456348374.xlsx.exe, systray.exe
  PID 400 Doc_74657456348374.xlsx.exe (3 occurrences)
  PID 1028 systray.exe (20 occurrences)

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes: Doc_74657456348374.xlsx.exe, systray.exe
  PID 400 Doc_74657456348374.xlsx.exe (4 occurrences)
  PID 1028 systray.exe (2 occurrences)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: Doc_74657456348374.xlsx.exe, systray.exe
  Token: SeDebugPrivilege, PID 400 Doc_74657456348374.xlsx.exe
  Token: SeDebugPrivilege, PID 1028 systray.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
Processes: Explorer.EXE
  PID 1264 Explorer.EXE (4 occurrences)

Suspicious use of SendNotifyMessage (4 IoCs)
Processes: Explorer.EXE
  PID 1264 Explorer.EXE (4 occurrences)

Suspicious use of WriteProcessMemory (19 IoCs)
Processes: Doc_74657456348374.xlsx.exe, Explorer.EXE, systray.exe
  PID 1204 (Doc_74657456348374.xlsx.exe) wrote to memory of PID 1684 (schtasks.exe) (4 occurrences)
  PID 1204 (Doc_74657456348374.xlsx.exe) wrote to memory of PID 400 (Doc_74657456348374.xlsx.exe) (7 occurrences)
  PID 1264 (Explorer.EXE) wrote to memory of PID 1028 (systray.exe) (4 occurrences)
  PID 1028 (systray.exe) wrote to memory of PID 920 (cmd.exe) (4 occurrences)
Processes (tree, indented by depth)

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Doc_74657456348374.xlsx.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Doc_74657456348374.xlsx.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vGJzEtsAZlyR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB413.tmp"
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\Temp\Doc_74657456348374.xlsx.exe
      command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\systray.exe
    command line: "C:\Windows\SysWOW64\systray.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Doc_74657456348374.xlsx.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB413.tmp
  MD5: 04bb7edf5f4be6b6a25879a88e12326b
  SHA1: bd3e77470cfdcda3312da6a8a408f4ac56be952a
  SHA256: 5ce02fb616808b773e4f627cfa858f363e7e59e8bb42aa66569f6c83f101ce59
  SHA512: 15096a8bd9aa2abee33cd17dbef89b2014635dfa0f9d2107d33ccbc898115fdd66529a31c6f8f7dbe6c1f4b9f820ff80eeee044099cf4250c11a5b3a43c2c385

memory/400-9-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize 160KB)
memory/400-10-0x000000000041D030-mapping.dmp
memory/920-13-0x0000000000000000-mapping.dmp
memory/1028-11-0x0000000000000000-mapping.dmp
memory/1028-12-0x0000000000FF0000-0x0000000000FF5000-memory.dmp (Filesize 20KB)
memory/1028-14-0x0000000004160000-0x00000000042B8000-memory.dmp (Filesize 1.3MB)
memory/1204-2-0x0000000073E00000-0x00000000744EE000-memory.dmp (Filesize 6.9MB)
memory/1204-3-0x0000000000EB0000-0x0000000000EB1000-memory.dmp (Filesize 4KB)
memory/1204-5-0x0000000000840000-0x000000000084E000-memory.dmp (Filesize 56KB)
memory/1204-6-0x0000000005730000-0x00000000057B2000-memory.dmp (Filesize 520KB)
memory/1684-7-0x0000000000000000-mapping.dmp