Analysis

  • max time kernel: 150s
  • max time network: 152s
  • platform: windows7_x64
  • resource: win7-en
  • submitted: 14-09-2021 09:51

General

  • Target: Po2142021.xlsx
  • Size: 587KB
  • MD5: 76ea81747e2e9370b97e4d47ddfbabdd
  • SHA1: 169fcccd26f30b2bdc6374efe085d5a45812f194
  • SHA256: 100738b518fd653a4244f947f6793b69896cb4ef75876588c758e1d521c535c1
  • SHA512: 5b8eb3eb4c6af0cf3035e7a8af940c0b1239058a4448f937d7494eb8107b6b069f4e14692aa25de21a5b2478b9d9ce0e5771c8d3bc2389a1edce428002caf9d5

Malware Config

Extracted

  • Family: xloader
  • Version: 2.3
  • Campaign: b6a4
  • C2: http://www.helpmovingandstorage.com/b6a4/
  • Decoy

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

  • Xloader Payload (2 IoCs)
  • Blocklisted process makes network request (1 IoCs)
  • Downloads MZ/PE file
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (3 IoCs)
  • Uses the VBS compiler for execution (1 TTPs)
  • Suspicious use of SetThreadContext (3 IoCs)
  • Enumerates system info in registry (2 TTPs, 1 IoCs)
  • Launches Equation Editor (1 TTPs, 1 IoCs)

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings (1 TTPs, 9 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (29 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious behavior: MapViewOfSection (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of FindShellTrayWindow (49 IoCs)
  • Suspicious use of SendNotifyMessage (49 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (16 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1280
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Po2142021.xlsx
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2036
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:1608
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Users\Public\vbc.exe
      "C:\Users\Public\vbc.exe"
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1128
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1992

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution
    Scripting (T1064): 1
    Exploitation for Client Execution (T1203): 1
  • Defense Evasion
    Scripting (T1064): 1
    Modify Registry (T1112): 1
  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 1

Downloads

  • C:\Users\Public\vbc.exe
    MD5: 866d1aeb69daac5e6e4dda938edf8d26
    SHA1: 184f3ae0508d5004a9e3fe981cbc830092d41ed7
    SHA256: a41ba93183d03c4cf6b138170fab1d15c306918bb4acd1c2cbc3ee53765e5564
    SHA512: e488ee1b612c683c72c9ce7d33727d1f6daa6f1bdb599b9f77fd2cf6f0b7122d650a4347bfb836bf4b5e111c92057ecfb91fd517821c32cf7b1fc246ec8bfcee

  • \Users\Public\vbc.exe
    MD5: 866d1aeb69daac5e6e4dda938edf8d26
    SHA1: 184f3ae0508d5004a9e3fe981cbc830092d41ed7
    SHA256: a41ba93183d03c4cf6b138170fab1d15c306918bb4acd1c2cbc3ee53765e5564
    SHA512: e488ee1b612c683c72c9ce7d33727d1f6daa6f1bdb599b9f77fd2cf6f0b7122d650a4347bfb836bf4b5e111c92057ecfb91fd517821c32cf7b1fc246ec8bfcee


  • memory/1128-63-0x0000000000250000-0x0000000000252000-memory.dmp (8KB)
  • memory/1128-59-0x0000000000000000-mapping.dmp
  • memory/1280-67-0x00000000049F0000-0x0000000004B26000-memory.dmp (1.2MB)
  • memory/1280-82-0x000007FEF5F80000-0x000007FEF60C3000-memory.dmp (1.3MB)
  • memory/1280-80-0x0000000006B60000-0x0000000006C7B000-memory.dmp (1.1MB)
  • memory/1280-83-0x000007FF05EB0000-0x000007FF05EBA000-memory.dmp (40KB)
  • memory/1608-79-0x0000000000B20000-0x0000000000BAF000-memory.dmp (572KB)
  • memory/1608-77-0x0000000000090000-0x00000000000B9000-memory.dmp (164KB)
  • memory/1608-78-0x00000000022E0000-0x00000000025E3000-memory.dmp (3.0MB)
  • memory/1608-76-0x0000000000BF0000-0x0000000000C04000-memory.dmp (80KB)
  • memory/1608-73-0x0000000000000000-mapping.dmp
  • memory/1728-55-0x0000000075B51000-0x0000000075B53000-memory.dmp (8KB)
  • memory/1992-64-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
  • memory/1992-65-0x0000000000890000-0x0000000000B93000-memory.dmp (3.0MB)
  • memory/1992-66-0x00000000000F0000-0x0000000000100000-memory.dmp (64KB)
  • memory/1992-61-0x000000000041D0B0-mapping.dmp
  • memory/2036-52-0x000000002F141000-0x000000002F144000-memory.dmp (12KB)
  • memory/2036-53-0x0000000070E41000-0x0000000070E43000-memory.dmp (8KB)
  • memory/2036-71-0x0000000006120000-0x0000000006D6A000-memory.dmp (12.3MB)
  • memory/2036-72-0x0000000006120000-0x0000000006D6A000-memory.dmp (12.3MB)
  • memory/2036-70-0x0000000006120000-0x0000000006D6A000-memory.dmp (12.3MB)
  • memory/2036-69-0x0000000006120000-0x0000000006D6A000-memory.dmp (12.3MB)
  • memory/2036-81-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
  • memory/2036-68-0x0000000006120000-0x0000000006D6A000-memory.dmp (12.3MB)
  • memory/2036-54-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)