Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    30-04-2021 09:05

General

  • Target

    d801e424_by_Libranalysis.doc

  • Size

    10KB

  • MD5

    d801e4244d30d948a98f68d37abbaed3

  • SHA1

    0f82739fc9522c5b06f591df09755f98316fc7e4

  • SHA256

    5e918aec8ebdbc9ca2fd81f3685740d087332635e9c78cbd3616c482469054d0

  • SHA512

    187059596d5842fbf2db9ccc435964c554ffcf72b557815f39eed18ab5c37cab372e11cddae4b074744b9b97fca8e1325fb9d479330ee6a38923f14c74ef56d4

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.gailrichardson.com/qjnt/

Decoy

funeralinsurancetoppro.info

californiaredstate.com

xn--jpr220deud640b.com

playx.finance

siamfellow.com

tekirdagvethelp.com

forrealmodels.com

desenergie.info

whynotplus.com

graniteinaminute.com

satgurucolorlabs.com

potviper.com

racevx.xyz

thebluefishhotel.net

elletesla.com

4608capaydrive.com

buckhead-meat.com

garage-repair-near-me.com

ubique.works

markokuzmanovicpreduzetnik.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 3 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Abuses OpenXML format to download file from external location 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1272
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d801e424_by_Libranalysis.doc"
      2⤵
      • Abuses OpenXML format to download file from external location
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1824
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1988
      • C:\Windows\SysWOW64\ipconfig.exe
        "C:\Windows\SysWOW64\ipconfig.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Gathers network information
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1608
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Public\vbc.exe"
          3⤵
            PID:1100
      • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
        "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
        1⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Launches Equation Editor
        • Suspicious use of WriteProcessMemory
        PID:1100
        • C:\Users\Public\vbc.exe
          "C:\Users\Public\vbc.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:344
          • C:\Users\Public\vbc.exe
            "C:\Users\Public\vbc.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:280

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Execution

      Scripting

      1
      T1064

      Command-Line Interface

      1
      T1059

      Exploitation for Client Execution

      1
      T1203

      Defense Evasion

      Scripting

      1
      T1064

      Modify Registry

      1
      T1112

      Discovery

      System Information Discovery

      1
      T1082

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Public\vbc.exe
        MD5

        1d0d4b1031abf4a7e6da58d81bc98d6b

        SHA1

        65ffa307e1b9888f83cc554c818ad5e061963d0b

        SHA256

        ea55c997bae5ff028521b962c3077a56c962cf44b82686e549641ef7057d5852

        SHA512

        1e06e28f995469b7fd65f2c58d00b16e3f500cbd2abeaf97b419a08ee91df89b8bb0356581548897b1e2b7505f1db1995e5ef1eb568f134022bc789ee9248669

      • C:\Users\Public\vbc.exe
        MD5

        1d0d4b1031abf4a7e6da58d81bc98d6b

        SHA1

        65ffa307e1b9888f83cc554c818ad5e061963d0b

        SHA256

        ea55c997bae5ff028521b962c3077a56c962cf44b82686e549641ef7057d5852

        SHA512

        1e06e28f995469b7fd65f2c58d00b16e3f500cbd2abeaf97b419a08ee91df89b8bb0356581548897b1e2b7505f1db1995e5ef1eb568f134022bc789ee9248669

      • C:\Users\Public\vbc.exe
        MD5

        1d0d4b1031abf4a7e6da58d81bc98d6b

        SHA1

        65ffa307e1b9888f83cc554c818ad5e061963d0b

        SHA256

        ea55c997bae5ff028521b962c3077a56c962cf44b82686e549641ef7057d5852

        SHA512

        1e06e28f995469b7fd65f2c58d00b16e3f500cbd2abeaf97b419a08ee91df89b8bb0356581548897b1e2b7505f1db1995e5ef1eb568f134022bc789ee9248669

      • \Users\Public\vbc.exe
        MD5

        1d0d4b1031abf4a7e6da58d81bc98d6b

        SHA1

        65ffa307e1b9888f83cc554c818ad5e061963d0b

        SHA256

        ea55c997bae5ff028521b962c3077a56c962cf44b82686e549641ef7057d5852

        SHA512

        1e06e28f995469b7fd65f2c58d00b16e3f500cbd2abeaf97b419a08ee91df89b8bb0356581548897b1e2b7505f1db1995e5ef1eb568f134022bc789ee9248669

      • \Users\Public\vbc.exe
        MD5

        1d0d4b1031abf4a7e6da58d81bc98d6b

        SHA1

        65ffa307e1b9888f83cc554c818ad5e061963d0b

        SHA256

        ea55c997bae5ff028521b962c3077a56c962cf44b82686e549641ef7057d5852

        SHA512

        1e06e28f995469b7fd65f2c58d00b16e3f500cbd2abeaf97b419a08ee91df89b8bb0356581548897b1e2b7505f1db1995e5ef1eb568f134022bc789ee9248669

      • memory/280-71-0x0000000000400000-0x0000000000429000-memory.dmp
        Filesize

        164KB

      • memory/280-78-0x00000000003D0000-0x00000000003E1000-memory.dmp
        Filesize

        68KB

      • memory/280-77-0x0000000000970000-0x0000000000C73000-memory.dmp
        Filesize

        3.0MB

      • memory/280-72-0x000000000041D090-mapping.dmp
      • memory/344-66-0x0000000000000000-mapping.dmp
      • memory/1100-82-0x0000000000000000-mapping.dmp
      • memory/1100-63-0x0000000075D51000-0x0000000075D53000-memory.dmp
        Filesize

        8KB

      • memory/1272-79-0x0000000006B50000-0x0000000006CB2000-memory.dmp
        Filesize

        1.4MB

      • memory/1272-87-0x0000000004990000-0x0000000004A40000-memory.dmp
        Filesize

        704KB

      • memory/1608-84-0x0000000000080000-0x00000000000A9000-memory.dmp
        Filesize

        164KB

      • memory/1608-80-0x0000000000000000-mapping.dmp
      • memory/1608-83-0x0000000000C50000-0x0000000000C5A000-memory.dmp
        Filesize

        40KB

      • memory/1608-85-0x0000000002380000-0x0000000002683000-memory.dmp
        Filesize

        3.0MB

      • memory/1608-86-0x00000000004A0000-0x0000000000530000-memory.dmp
        Filesize

        576KB

      • memory/1824-61-0x0000000070261000-0x0000000070263000-memory.dmp
        Filesize

        8KB

      • memory/1824-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

      • memory/1824-60-0x00000000727E1000-0x00000000727E4000-memory.dmp
        Filesize

        12KB

      • memory/1824-88-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

      • memory/1988-75-0x000007FEFBC31000-0x000007FEFBC33000-memory.dmp
        Filesize

        8KB

      • memory/1988-74-0x0000000000000000-mapping.dmp