Analysis

  • max time kernel
    153s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-en
  • submitted
    14-09-2021 08:29

General

  • Target

    Po2142021.xlsx

  • Size

    587KB

  • MD5

    76ea81747e2e9370b97e4d47ddfbabdd

  • SHA1

    169fcccd26f30b2bdc6374efe085d5a45812f194

  • SHA256

    100738b518fd653a4244f947f6793b69896cb4ef75876588c758e1d521c535c1

  • SHA512

    5b8eb3eb4c6af0cf3035e7a8af940c0b1239058a4448f937d7494eb8107b6b069f4e14692aa25de21a5b2478b9d9ce0e5771c8d3bc2389a1edce428002caf9d5

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

b6a4

C2

http://www.helpmovingandstorage.com/b6a4/

Decoy

gr2future.com

asteroid.finance

skoba-plast.com

rnerfrfw5z3ki.net

thesmartroadtoretirement.com

avisdrummondhomes.com

banban365.net

profesyonelkampcadiri.net

royalloanhs.com

yulujy.com

xn--naqejahan-n3b.com

msalee.net

dollyvee.com

albertagamehawkersclub.com

cbspecialists.com

findingforeverrealty.com

mrtireshop.com

wadamasanari.com

growtechinfo.com

qipai039.com
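How to consume the extracted configuration above, as an added example that is not part of the sandbox report. The block keys only on the fields printed on this page (C2 URL, campaign id, decoy list); the function names, the host normalisation rules and the request URLs in the usage note are assumptions. The point a practitioner needs: the C2 path is the campaign id, so a C2 hit should require host and path, and the decoy entries are legitimate domains the loader contacts so its real beacon blends in, which makes them corroborating evidence only, never a block list on their own.

```python
"""Network indicators from the extracted Xloader config (added example, not
part of the report). Only the config fields shown on the page are used; the
function names and normalisation rules are assumptions."""
from __future__ import annotations

from urllib.parse import urlsplit

# Values copied from the Malware Config section of the report.
EXTRACTED_CONFIG = {
    "family": "xloader",
    "version": "2.3",
    "campaign": "b6a4",
    "c2": "http://www.helpmovingandstorage.com/b6a4/",
    "decoy": [
        "gr2future.com", "asteroid.finance", "skoba-plast.com", "rnerfrfw5z3ki.net",
        "thesmartroadtoretirement.com", "avisdrummondhomes.com", "banban365.net",
        "profesyonelkampcadiri.net", "royalloanhs.com", "yulujy.com",
        "xn--naqejahan-n3b.com", "msalee.net", "dollyvee.com",
        "albertagamehawkersclub.com", "cbspecialists.com", "findingforeverrealty.com",
        "mrtireshop.com", "wadamasanari.com", "growtechinfo.com", "qipai039.com",
    ],
}


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' so the config's
    'www.' form of the C2 and a bare-host request compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def classify(url: str, config: dict = EXTRACTED_CONFIG) -> str:
    """'c2' when host and campaign path both match the extracted C2 URL,
    'c2-host' for the host alone, 'decoy' for a decoy domain, else 'none'."""
    req = urlsplit(url)
    c2 = urlsplit(config["c2"])
    host = normalize_host(req.hostname or "")
    if host == normalize_host(c2.hostname or ""):
        # The C2 path is the campaign id (b6a4 on this page); require it so
        # that unrelated traffic to a possibly compromised site is not a hit.
        if (req.path or "/").lower().startswith(c2.path.lower()):
            return "c2"
        return "c2-host"
    if host in {normalize_host(d) for d in config["decoy"]}:
        return "decoy"
    return "none"


def indicators(config: dict = EXTRACTED_CONFIG) -> dict[str, list[str]]:
    """Split the config into what can be blocked (the C2) and what is only
    watched (the decoys, which are real third-party sites)."""
    c2 = urlsplit(config["c2"])
    return {
        "block": [config["c2"], c2.hostname or ""],
        "watch": sorted(normalize_host(d) for d in config["decoy"]),
    }


def triage(urls, config: dict = EXTRACTED_CONFIG) -> str:
    """Verdict for one host from its observed URLs. 'infected' needs real C2
    traffic; decoy or C2-host hits alone stay 'inconclusive'."""
    verdicts = {classify(u, config) for u in urls}
    if "c2" in verdicts:
        return "infected"
    if "c2-host" in verdicts or "decoy" in verdicts:
        return "inconclusive"
    return "clean"


if __name__ == "__main__":
    # Constructed request URLs, not traffic from the report (its Network tab is empty).
    for u in ("http://helpmovingandstorage.com/B6A4/?id=1",
              "https://www.gr2future.com/news", "https://example.com/b6a4/"):
        print(u, "->", classify(u))
    print(triage(["https://asteroid.finance/", "https://skoba-plast.com/"]))
```

The path comparison is case-folded because web servers on Windows hosting often treat it that way; the host comparison tolerates the `www.` prefix the config carries. A proxy log showing several decoy domains in one minute from one host is a good hunting lead, but `triage` deliberately refuses to call that an infection without the C2 path.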

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 2 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Uses the VBS compiler for execution 1 TTPs

    The signature keys on the image name vbc.exe, the name of the Visual Basic .NET compiler. Here the file is the dropped payload at C:\Users\Public\vbc.exe (hashes listed under Downloads), not the real compiler.
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor (EQNEDT32.EXE) is a legacy Office component with a history of memory-corruption exploits such as CVE-2017-11882. It is activated out of process by COM (note the -Embedding flag below), so a child it spawns appears under EQNEDT32.EXE rather than under EXCEL.EXE, as vbc.exe does in this run.

  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 54 IoCs
  • Suspicious use of SendNotifyMessage 54 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1236
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Po2142021.xlsx
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1984
    • C:\Windows\SysWOW64\cmmon32.exe
      "C:\Windows\SysWOW64\cmmon32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:1632
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:1476
    • C:\Users\Public\vbc.exe
      "C:\Users\Public\vbc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1296
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1540
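The process tree above contains the three facts a detection engineer would turn into rules: EQNEDT32.EXE (COM-activated, so a root of the tree rather than a child of EXCEL.EXE) spawns the dropped vbc.exe; vbc.exe launches a second copy of itself, which together with the SetThreadContext and MapViewOfSection hits is the hollowing pattern; and Explorer.EXE, itself flagged for WriteProcessMemory, spawns a bare cmmon32.exe that then shows the same injection behaviour. The block below is an added example, not the sandbox's own logic: the event records are hand-built from the PIDs, images and command lines in the tree (parent PIDs taken from the nesting), and the field names and rule names are assumptions rather than a Triage, Sysmon or EDR schema.

```python
"""Triage rules over the report's process tree (added example, not part of
the report). Event records are constructed from the Processes section."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int      # 0 = parent not present in the report (root of the tree)
    image: str
    cmdline: str


EXCEL = r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
VBC = r"C:\Users\Public\vbc.exe"
CMMON = r"C:\Windows\SysWOW64\cmmon32.exe"

# Constructed from the tree above. EQNEDT32.EXE is a root because COM activates
# it out of process ("-Embedding"); EXCEL.EXE is not its parent.
SAMPLE_EVENTS = [
    ProcEvent(1236, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(1984, 1236, EXCEL, '"' + EXCEL + '" /dde '
              + r"C:\Users\Admin\AppData\Local\Temp\Po2142021.xlsx"),
    ProcEvent(1632, 1236, CMMON, '"' + CMMON + '"'),
    ProcEvent(1476, 0, EQNEDT, '"' + EQNEDT + '" -Embedding'),
    ProcEvent(1296, 1476, VBC, '"' + VBC + '"'),
    ProcEvent(1540, 1296, VBC, '"' + VBC + '"'),
]


def _name(image: str) -> str:
    return ntpath.basename(image).lower()


def _arguments(ev: ProcEvent) -> str:
    """Everything after the image on the command line; '' when launched bare."""
    c = ev.cmdline.strip()
    if c.startswith('"'):
        return c.split('"', 2)[2].strip()
    if c.lower().startswith(ev.image.lower()):
        return c[len(ev.image):].strip()
    return c


def evaluate(events: list[ProcEvent]) -> list[tuple[str, int]]:
    """Return (rule_name, pid) findings over a set of process-creation events."""
    by_pid = {e.pid: e for e in events}
    findings: list[tuple[str, int]] = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        pname = _name(parent.image) if parent else ""
        image = ev.image.lower()
        # Equation Editor renders OLE objects; it has no reason to create
        # processes. Any child is exploitation until shown otherwise.
        if pname == "eqnedt32.exe":
            findings.append(("eqnedt32_child_process", ev.pid))
        # World-writable drop location; legitimate software rarely runs from it.
        if image.startswith("c:\\users\\public\\"):
            findings.append(("exec_from_users_public", ev.pid))
        # Same image launching itself (vbc.exe 1296 -> 1540): a fresh copy to
        # hollow, which is what SetThreadContext/MapViewOfSection in the tree show.
        if parent and pname == _name(ev.image):
            findings.append(("self_spawn", ev.pid))
        # Explorer (itself flagged for WriteProcessMemory) starting a bare
        # SysWOW64 binary is the migration step seen with cmmon32.exe; low
        # confidence alone, so it is reported for correlation rather than alerting.
        if (pname == "explorer.exe" and image.startswith("c:\\windows\\syswow64\\")
                and _arguments(ev) == ""):
            findings.append(("explorer_spawns_bare_syswow64_binary", ev.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in evaluate(SAMPLE_EVENTS):
        print(f"{rule:40s} pid={pid}")
```

The first rule is the one to alert on: the tree shows why keying on "Office process spawns child" would miss this sample, since the payload's parent is EQNEDT32.EXE and Excel only ever has a clean tree. The other three are corroboration that turns a single exploit alert into the full chain of dropper, hollowed copy and migrated system process.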

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Scripting, T1064 (1)
    Exploitation for Client Execution, T1203 (1)
  • Defense Evasion
    Scripting, T1064 (1)
    Modify Registry, T1112 (1)
  • Discovery
    Query Registry, T1012 (1)
    System Information Discovery, T1082 (1)

    The mapping uses ATT&CK v6 identifiers. T1064 Scripting has since been deprecated; current versions place that behaviour under T1059 Command and Scripting Interpreter.

Downloads

  • C:\Users\Public\vbc.exe
    MD5

    866d1aeb69daac5e6e4dda938edf8d26

    SHA1

    184f3ae0508d5004a9e3fe981cbc830092d41ed7

    SHA256

    a41ba93183d03c4cf6b138170fab1d15c306918bb4acd1c2cbc3ee53765e5564

    SHA512

    e488ee1b612c683c72c9ce7d33727d1f6daa6f1bdb599b9f77fd2cf6f0b7122d650a4347bfb836bf4b5e111c92057ecfb91fd517821c32cf7b1fc246ec8bfcee

  • memory/1236-79-0x0000000006230000-0x0000000006343000-memory.dmp
    Filesize

    1.1MB

  • memory/1236-68-0x00000000073D0000-0x000000000755C000-memory.dmp
    Filesize

    1.5MB

  • memory/1236-81-0x000007FEF5A90000-0x000007FEF5BD3000-memory.dmp
    Filesize

    1.3MB

  • memory/1236-82-0x000007FF57730000-0x000007FF5773A000-memory.dmp
    Filesize

    40KB

  • memory/1296-60-0x0000000000000000-mapping.dmp
  • memory/1296-64-0x0000000000150000-0x0000000000152000-memory.dmp
    Filesize

    8KB

  • memory/1476-56-0x0000000075351000-0x0000000075353000-memory.dmp
    Filesize

    8KB

  • memory/1540-66-0x00000000009C0000-0x0000000000CC3000-memory.dmp
    Filesize

    3.0MB

  • memory/1540-65-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

  • memory/1540-67-0x00000000000F0000-0x0000000000100000-memory.dmp
    Filesize

    64KB

  • memory/1540-62-0x000000000041D0B0-mapping.dmp
  • memory/1632-74-0x0000000000E40000-0x0000000000E4D000-memory.dmp
    Filesize

    52KB

  • memory/1632-73-0x0000000000000000-mapping.dmp
  • memory/1632-75-0x0000000000A60000-0x0000000000D63000-memory.dmp
    Filesize

    3.0MB

  • memory/1632-76-0x0000000000080000-0x00000000000A9000-memory.dmp
    Filesize

    164KB

  • memory/1632-78-0x0000000000820000-0x00000000008AF000-memory.dmp
    Filesize

    572KB

  • memory/1984-72-0x0000000005E30000-0x0000000006A7A000-memory.dmp
    Filesize

    12.3MB

  • memory/1984-71-0x0000000005E30000-0x0000000006A7A000-memory.dmp
    Filesize

    12.3MB

  • memory/1984-53-0x000000002F321000-0x000000002F324000-memory.dmp
    Filesize

    12KB

  • memory/1984-70-0x0000000005E30000-0x0000000006A7A000-memory.dmp
    Filesize

    12.3MB

  • memory/1984-69-0x0000000005E30000-0x0000000006A7A000-memory.dmp
    Filesize

    12.3MB

  • memory/1984-80-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

  • memory/1984-55-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

  • memory/1984-54-0x0000000071601000-0x0000000071603000-memory.dmp
    Filesize

    8KB