xloader | 03e7588bbb5ace7f22485dee84bf149aa8129504b19b3727bf24ae8b1afd506c

General

Target

Copia_de_pago_12_03.xlsm
Size

197KB
MD5

b5192b8607edf0e0d159f5510576cf24
SHA1

ea830c1f6a158b362cdfd7a1c9ac250efe2143bf
SHA256

03e7588bbb5ace7f22485dee84bf149aa8129504b19b3727bf24ae8b1afd506c
SHA512

3d5548ddb32670faf5df4a5a74c8c766268990c9cd4edafe41b739f352beb0c9927b89abefdc248a65f1f224622d8681d6ba85468331831ca7e0a519e642b4c4

Score

10^/10

xloader loader rat

Malware Config

Extracted

Family

xloader

C2

http://www.basiclablife.com/8zdn/

Decoy

yourherogarden.net

onlineharambee.net

cerrajeriaurgencias24horas.com

distritoforex.com

verifyclientserverssr.com

dandwg.com

co2-zero.global

joshssl.com

meckwt.com

theammf.com

rawclectic.com

gzgnetwork.com

richmondavenuecoc.com

nicolelyte.com

thetinyclosetboutique.com

llt-group.net

seven-sky-design.com

joganifinancialgrp.com

elementsvapes.com

bingent.info

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cscript.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1552	1020	cscript.exe	EXCEL.EXE

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1312-30-0x0000000000400000-0x0000000000428000-memory.dmp	xloader
behavioral1/memory/1312-31-0x000000000041D020-mapping.dmp	xloader
behavioral1/memory/1188-43-0x0000000000080000-0x00000000000A8000-memory.dmp	xloader

Blocklisted process makes network request 2 IoCs

Processes:

cscript.execscript.exe

flow pid process

4 1552 cscript.exe
5 1132 cscript.exe
Executes dropped EXE 2 IoCs

Processes:

putty.exeputty.exe

pid process

1636 putty.exe
1312 putty.exe
Loads dropped DLL 1 IoCs

Processes:

cscript.exe

pid process

1552 cscript.exe

flow	pid	process
4	1552	cscript.exe
5	1132	cscript.exe

pid	process
1636	putty.exe
1312	putty.exe

pid	process
1552	cscript.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

putty.exeputty.exemstsc.exe

description	pid	process	target process
PID 1636 set thread context of 1312	1636	putty.exe	putty.exe
PID 1312 set thread context of 1200	1312	putty.exe	Explorer.EXE
PID 1312 set thread context of 1200	1312	putty.exe	Explorer.EXE
PID 1188 set thread context of 1200	1188	mstsc.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2012 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2012	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE

NTFS ADS 1 IoCs

Processes:

EXCEL.EXE

description ioc process

File opened for modification C:\programdata\asc.txt:script1.vbs EXCEL.EXE

description	ioc	process
File opened for modification	C:\programdata\asc.txt:script1.vbs	EXCEL.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1020 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

putty.exemstsc.exe

pid process

1312 putty.exe
1312 putty.exe
1312 putty.exe
1188 mstsc.exe
1188 mstsc.exe
1188 mstsc.exe
1188 mstsc.exe
1188 mstsc.exe
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

putty.exemstsc.exe

pid process

1312 putty.exe
1312 putty.exe
1312 putty.exe
1312 putty.exe
1188 mstsc.exe
1188 mstsc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

putty.exemstsc.exe

description pid process

Token: SeDebugPrivilege 1312 putty.exe
Token: SeDebugPrivilege 1188 mstsc.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1020 EXCEL.EXE
1020 EXCEL.EXE
1020 EXCEL.EXE

pid	process
1020	EXCEL.EXE

pid	process
1312	putty.exe
1312	putty.exe
1312	putty.exe
1188	mstsc.exe
1188	mstsc.exe
1188	mstsc.exe
1188	mstsc.exe
1188	mstsc.exe

pid	process
1312	putty.exe
1312	putty.exe
1312	putty.exe
1312	putty.exe
1188	mstsc.exe
1188	mstsc.exe

description	pid	process
Token: SeDebugPrivilege	1312	putty.exe
Token: SeDebugPrivilege	1188	mstsc.exe

pid	process
1020	EXCEL.EXE
1020	EXCEL.EXE
1020	EXCEL.EXE

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

EQNEDT32.EXEcmD.exewscript.execmd.exeEXCEL.EXEcscript.exeputty.exeExplorer.EXEmstsc.exe

description	pid	process	target process
PID 2012 wrote to memory of 1244	2012	EQNEDT32.EXE	cmD.exe
PID 2012 wrote to memory of 1244	2012	EQNEDT32.EXE	cmD.exe
PID 2012 wrote to memory of 1244	2012	EQNEDT32.EXE	cmD.exe
PID 2012 wrote to memory of 1244	2012	EQNEDT32.EXE	cmD.exe
PID 1244 wrote to memory of 276	1244	cmD.exe	wscript.exe
PID 1244 wrote to memory of 276	1244	cmD.exe	wscript.exe
PID 1244 wrote to memory of 276	1244	cmD.exe	wscript.exe
PID 1244 wrote to memory of 276	1244	cmD.exe	wscript.exe
PID 276 wrote to memory of 1744	276	wscript.exe	cmd.exe
PID 276 wrote to memory of 1744	276	wscript.exe	cmd.exe
PID 276 wrote to memory of 1744	276	wscript.exe	cmd.exe
PID 276 wrote to memory of 1744	276	wscript.exe	cmd.exe
PID 1744 wrote to memory of 1132	1744	cmd.exe	cscript.exe
PID 1744 wrote to memory of 1132	1744	cmd.exe	cscript.exe
PID 1744 wrote to memory of 1132	1744	cmd.exe	cscript.exe
PID 1744 wrote to memory of 1132	1744	cmd.exe	cscript.exe
PID 1020 wrote to memory of 1552	1020	EXCEL.EXE	cscript.exe
PID 1020 wrote to memory of 1552	1020	EXCEL.EXE	cscript.exe
PID 1020 wrote to memory of 1552	1020	EXCEL.EXE	cscript.exe
PID 1020 wrote to memory of 1552	1020	EXCEL.EXE	cscript.exe
PID 1552 wrote to memory of 1636	1552	cscript.exe	putty.exe
PID 1552 wrote to memory of 1636	1552	cscript.exe	putty.exe
PID 1552 wrote to memory of 1636	1552	cscript.exe	putty.exe
PID 1552 wrote to memory of 1636	1552	cscript.exe	putty.exe
PID 1636 wrote to memory of 1312	1636	putty.exe	putty.exe
PID 1636 wrote to memory of 1312	1636	putty.exe	putty.exe
PID 1636 wrote to memory of 1312	1636	putty.exe	putty.exe
PID 1636 wrote to memory of 1312	1636	putty.exe	putty.exe
PID 1636 wrote to memory of 1312	1636	putty.exe	putty.exe
PID 1636 wrote to memory of 1312	1636	putty.exe	putty.exe
PID 1636 wrote to memory of 1312	1636	putty.exe	putty.exe
PID 1200 wrote to memory of 1188	1200	Explorer.EXE	mstsc.exe
PID 1200 wrote to memory of 1188	1200	Explorer.EXE	mstsc.exe
PID 1200 wrote to memory of 1188	1200	Explorer.EXE	mstsc.exe
PID 1200 wrote to memory of 1188	1200	Explorer.EXE	mstsc.exe
PID 1188 wrote to memory of 1624	1188	mstsc.exe	cmd.exe
PID 1188 wrote to memory of 1624	1188	mstsc.exe	cmd.exe
PID 1188 wrote to memory of 1624	1188	mstsc.exe	cmd.exe
PID 1188 wrote to memory of 1624	1188	mstsc.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Copia_de_pago_12_03.xlsm
2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\System32\cscript.exe" C:\programdata\asc.txt:script1.vbs
3⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1552

C:\programdata\putty.exe
"C:\programdata\putty.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1636

C:\programdata\putty.exe
"C:\programdata\putty.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\SysWOW64\cmd.exe
/c del "C:\programdata\putty.exe"
3⤵
PID:1624

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\cmD.exe
cmD /c ReN %Tmp%\q v& WSCrIpT %tmp%\v?..wsf C
2⤵
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\SysWOW64\wscript.exe
WSCrIpT C:\Users\Admin\AppData\Local\Temp\v?..wsf C
3⤵
- Suspicious use of WriteProcessMemory
PID:276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
4⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp\xx.vbs
5⤵
- Blocklisted process makes network request
PID:1132

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\putty.exe
MD5
0c646642ed1f66939d1f6ceb9e8e00fc

SHA1
7dc7588378602e1fba5866c27769acae2cd3d07f

SHA256
f719aad4625bef6cc036b8d11f0f3550001b518a14aec7684e80671e761b8365

SHA512
eed334026e31532757453976bf56f01afb0288a0badd91823101aca746f485a43335177b461d3fa9b879672b5ba1b976841ea9a7ad1cf9d28823b278af291765

Download Submit
C:\ProgramData\putty.exe
MD5
0c646642ed1f66939d1f6ceb9e8e00fc

SHA1
7dc7588378602e1fba5866c27769acae2cd3d07f

SHA256
f719aad4625bef6cc036b8d11f0f3550001b518a14aec7684e80671e761b8365

SHA512
eed334026e31532757453976bf56f01afb0288a0badd91823101aca746f485a43335177b461d3fa9b879672b5ba1b976841ea9a7ad1cf9d28823b278af291765

Download Submit
C:\Users\Admin\AppData\Local\Temp\q
MD5
5dde8136e30cc7223ef4eabcecf9c1ad

SHA1
87a8bd0d6ef64a3013bd268fab78ac9bb7f53ac7

SHA256
c2ea928dc6e0b75ac6eeecd5b519fed8320875a0d12a66ac70624e799bc2ddf7

SHA512
ad89efaba6cb092f393ef6b5e7aa601517a99393dc9d9387d77a047b0def9fe0cab87d2a6941f0d052bc2f3f80aeed1c4fb9784b737c51ce37baeef60da9ba49

Download Submit
C:\Users\Admin\AppData\Local\Temp\xx
MD5
ae4f663fed2b4ab5045f866d563f1696

SHA1
5a1ad388774e928ac191cce2f876210ee23d2f2d

SHA256
49b4c2b0da8b86f5fb173f85e0825c50b139731bbe3556279ee0a5a60d9533f3

SHA512
ca6d57a2a22929c5bf5d47263b49aad623ee1e67ba8c4405e69b5e5f274e0353f9ef63df6f816f2ad70195d49d75afd2da66ecc0478d86fa1068b03fd051f4b5

Download Submit
C:\programdata\asc.txt:script1.vbs
MD5
e383b657f76541d555856e702637c047

SHA1
a3516519c49e5a1c2016d579884b37080e885284

SHA256
d78a6024f8307fc8385c7eb49eb1d21ef10fafe593f9b794f1c960ac78d115f0

SHA512
23a143c9257cafb197275d643f03d97a1e8a464124671074d35171ce567741795c9dae252c2e82586e0e7c457690ffade7ee96503ba2b805c6918a6b3c397fb1

Download Submit
C:\programdata\putty.exe
MD5
0c646642ed1f66939d1f6ceb9e8e00fc

SHA1
7dc7588378602e1fba5866c27769acae2cd3d07f

SHA256
f719aad4625bef6cc036b8d11f0f3550001b518a14aec7684e80671e761b8365

SHA512
eed334026e31532757453976bf56f01afb0288a0badd91823101aca746f485a43335177b461d3fa9b879672b5ba1b976841ea9a7ad1cf9d28823b278af291765

Download Submit
\ProgramData\putty.exe
MD5
0c646642ed1f66939d1f6ceb9e8e00fc

SHA1
7dc7588378602e1fba5866c27769acae2cd3d07f

SHA256
f719aad4625bef6cc036b8d11f0f3550001b518a14aec7684e80671e761b8365

SHA512
eed334026e31532757453976bf56f01afb0288a0badd91823101aca746f485a43335177b461d3fa9b879672b5ba1b976841ea9a7ad1cf9d28823b278af291765

Download Submit
memory/276-8-0x0000000000000000-mapping.dmp

Download
memory/276-12-0x0000000002750000-0x0000000002754000-memory.dmp

Filesize
16KB

Download
memory/1020-3-0x0000000070DE1000-0x0000000070DE3000-memory.dmp

Filesize
8KB

Download
memory/1020-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1020-2-0x000000002F831000-0x000000002F834000-memory.dmp

Filesize
12KB

Download
memory/1132-24-0x0000000002630000-0x0000000002634000-memory.dmp

Filesize
16KB

Download
memory/1132-13-0x0000000000000000-mapping.dmp

Download
memory/1188-45-0x0000000001FE0000-0x000000000206F000-memory.dmp

Filesize
572KB

Download
memory/1188-42-0x0000000000AD0000-0x0000000000BD4000-memory.dmp

Filesize
1.0MB

Download
memory/1188-44-0x0000000002170000-0x0000000002473000-memory.dmp

Filesize
3.0MB

Download
memory/1188-43-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/1188-39-0x0000000000000000-mapping.dmp

Download
memory/1200-36-0x0000000003F30000-0x000000000406C000-memory.dmp

Filesize
1.2MB

Download
memory/1200-38-0x00000000064C0000-0x000000000661E000-memory.dmp

Filesize
1.4MB

Download
memory/1244-6-0x0000000000000000-mapping.dmp

Download
memory/1312-31-0x000000000041D020-mapping.dmp

Download
memory/1312-37-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/1312-30-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1312-34-0x0000000000900000-0x0000000000C03000-memory.dmp

Filesize
3.0MB

Download
memory/1312-35-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/1552-15-0x0000000000000000-mapping.dmp

Download
memory/1552-21-0x0000000002730000-0x0000000002734000-memory.dmp

Filesize
16KB

Download
memory/1624-41-0x0000000000000000-mapping.dmp

Download
memory/1636-25-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/1636-27-0x0000000000320000-0x000000000032C000-memory.dmp

Filesize
48KB

Download
memory/1636-29-0x00000000048A0000-0x00000000048FD000-memory.dmp

Filesize
372KB

Download
memory/1636-28-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/1636-23-0x000000006ADF0000-0x000000006B4DE000-memory.dmp

Filesize
6.9MB

Download
memory/1636-19-0x0000000000000000-mapping.dmp

Download
memory/1744-11-0x0000000000000000-mapping.dmp

Download
memory/2012-5-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads