Overview

overview

10

Static

static

8

Copia_de_p...3.xlsm

windows7_x64

10

Copia_de_p...3.xlsm

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    130s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    12-03-2021 12:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Copia_de_pago_12_03.xlsm

  • Size

    197KB

  • MD5

    b5192b8607edf0e0d159f5510576cf24

  • SHA1

    ea830c1f6a158b362cdfd7a1c9ac250efe2143bf

  • SHA256

    03e7588bbb5ace7f22485dee84bf149aa8129504b19b3727bf24ae8b1afd506c

  • SHA512

    3d5548ddb32670faf5df4a5a74c8c766268990c9cd4edafe41b739f352beb0c9927b89abefdc248a65f1f224622d8681d6ba85468331831ca7e0a519e642b4c4

Score
10/10
xloaderloaderrat

Malware Config

Extracted

Family

xloader

C2

http://www.basiclablife.com/8zdn/

Decoy

yourherogarden.net

onlineharambee.net

cerrajeriaurgencias24horas.com

distritoforex.com

verifyclientserverssr.com

dandwg.com

co2-zero.global

joshssl.com

meckwt.com

theammf.com

rawclectic.com

gzgnetwork.com

richmondavenuecoc.com

nicolelyte.com

thetinyclosetboutique.com

llt-group.net

seven-sky-design.com

joganifinancialgrp.com

elementsvapes.com

bingent.info

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 3 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Copia_de_pago_12_03.xlsm"
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • NTFS ADS
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Windows\System32\cscript.exe
        "C:\Windows\System32\cscript.exe" C:\programdata\asc.txt:script1.vbs
        3⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Suspicious use of WriteProcessMemory
        PID:1272
        • C:\programdata\putty.exe
          "C:\programdata\putty.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3136
          • C:\programdata\putty.exe
            "C:\programdata\putty.exe"
            5⤵
            • Executes dropped EXE
            PID:2740
          • C:\programdata\putty.exe
            "C:\programdata\putty.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:2744
    • C:\Windows\SysWOW64\help.exe
      "C:\Windows\SysWOW64\help.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1540
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\programdata\putty.exe"
        3⤵
          PID:4048

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\putty.exe
      MD5

      0c646642ed1f66939d1f6ceb9e8e00fc

      SHA1

      7dc7588378602e1fba5866c27769acae2cd3d07f

      SHA256

      f719aad4625bef6cc036b8d11f0f3550001b518a14aec7684e80671e761b8365

      SHA512

      eed334026e31532757453976bf56f01afb0288a0badd91823101aca746f485a43335177b461d3fa9b879672b5ba1b976841ea9a7ad1cf9d28823b278af291765

      Download Submit
    • C:\ProgramData\putty.exe
      MD5

      0c646642ed1f66939d1f6ceb9e8e00fc

      SHA1

      7dc7588378602e1fba5866c27769acae2cd3d07f

      SHA256

      f719aad4625bef6cc036b8d11f0f3550001b518a14aec7684e80671e761b8365

      SHA512

      eed334026e31532757453976bf56f01afb0288a0badd91823101aca746f485a43335177b461d3fa9b879672b5ba1b976841ea9a7ad1cf9d28823b278af291765

      Download Submit
    • C:\ProgramData\putty.exe
      MD5

      0c646642ed1f66939d1f6ceb9e8e00fc

      SHA1

      7dc7588378602e1fba5866c27769acae2cd3d07f

      SHA256

      f719aad4625bef6cc036b8d11f0f3550001b518a14aec7684e80671e761b8365

      SHA512

      eed334026e31532757453976bf56f01afb0288a0badd91823101aca746f485a43335177b461d3fa9b879672b5ba1b976841ea9a7ad1cf9d28823b278af291765

      Download Submit
    • C:\programdata\asc.txt:script1.vbs
      MD5

      e383b657f76541d555856e702637c047

      SHA1

      a3516519c49e5a1c2016d579884b37080e885284

      SHA256

      d78a6024f8307fc8385c7eb49eb1d21ef10fafe593f9b794f1c960ac78d115f0

      SHA512

      23a143c9257cafb197275d643f03d97a1e8a464124671074d35171ce567741795c9dae252c2e82586e0e7c457690ffade7ee96503ba2b805c6918a6b3c397fb1

      Download Submit
    • C:\programdata\putty.exe
      MD5

      0c646642ed1f66939d1f6ceb9e8e00fc

      SHA1

      7dc7588378602e1fba5866c27769acae2cd3d07f

      SHA256

      f719aad4625bef6cc036b8d11f0f3550001b518a14aec7684e80671e761b8365

      SHA512

      eed334026e31532757453976bf56f01afb0288a0badd91823101aca746f485a43335177b461d3fa9b879672b5ba1b976841ea9a7ad1cf9d28823b278af291765

      Download Submit
    • memory/1272-7-0x0000000000000000-mapping.dmp
      Download
    • memory/1540-33-0x00000000002E0000-0x0000000000308000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1540-37-0x0000000002AF0000-0x0000000002B7F000-memory.dmp
      Filesize

      572KB

      Download
    • memory/1540-35-0x0000000002CA0000-0x0000000002FC0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/1540-32-0x0000000000340000-0x0000000000347000-memory.dmp
      Filesize

      28KB

      Download
    • memory/1540-31-0x0000000000000000-mapping.dmp
      Download
    • memory/1908-6-0x00007FFC7E0E0000-0x00007FFC7E0F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1908-5-0x00007FFCA1F50000-0x00007FFCA2587000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/1908-4-0x00007FFC7E0E0000-0x00007FFC7E0F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1908-2-0x00007FFC7E0E0000-0x00007FFC7E0F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1908-3-0x00007FFC7E0E0000-0x00007FFC7E0F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2744-28-0x0000000000EE0000-0x0000000001200000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/2744-29-0x0000000000980000-0x0000000000990000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2744-25-0x000000000041D020-mapping.dmp
      Download
    • memory/2744-24-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/3020-30-0x0000000002B20000-0x0000000002BFB000-memory.dmp
      Filesize

      876KB

      Download
    • memory/3020-38-0x0000000005330000-0x0000000005496000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/3136-18-0x0000000002E60000-0x0000000002E61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3136-19-0x0000000005600000-0x0000000005601000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3136-17-0x00000000054A0000-0x00000000054A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3136-20-0x0000000002EA0000-0x0000000002EAC000-memory.dmp
      Filesize

      48KB

      Download
    • memory/3136-21-0x00000000056A0000-0x00000000056A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3136-16-0x00000000059A0000-0x00000000059A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3136-15-0x0000000005400000-0x0000000005401000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3136-13-0x00000000009C0000-0x00000000009C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3136-12-0x0000000073920000-0x000000007400E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/3136-9-0x0000000000000000-mapping.dmp
      Download
    • memory/3136-22-0x0000000005940000-0x000000000599D000-memory.dmp
      Filesize

      372KB

      Download
    • memory/4048-34-0x0000000000000000-mapping.dmp
      Download