Overview

overview

10

Static

static

SALES CONT...1.xlsx

windows7_x64

10

SALES CONT...1.xlsx

windows10_x64

1

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    21-09-2021 08:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SALES CONTRACT 914 VIPA ORDER 213581.xlsx

  • Size

    587KB

  • MD5

    57d15b392c41d1fef88631aa16d1717f

  • SHA1

    19edf447fb1f102d85f22df4bdc13f8b5a3504bc

  • SHA256

    16b2ff1b7878c49d974b08f7a91669a472c4bfacbfbf486209c6cefe2c117302

  • SHA512

    6eba268985edf22d1cd0f6e9f905fc6b1896009fed103b221b100447a6c8d85c8d5316f22a333be61594361bf71c3b411ae30f588e933bb73cc32f745519147d

Score
10/10
xloader9gdgloaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

9gdg

C2

http://www.dechocolate.online/9gdg/

Decoy

cao-catos.ca

humanityumbrella.com

heatherflintford.com

paddyjulian.com

venturedart.com

pimpyoursmile.com

shellbacklabs.com

acesteeisupply.com

socotrajeweltours.com

aykutozden.com

corncobmeal.com

lesbiansforever.com

picknock.com

pawspetreiki.com

waikikidesignco.com

lelittnpasumo4.xyz

billing-updating.info

barangdapo.com

gatorfirerescue.com

jmovt.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016

    suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016

    suricata
  • Xloader Payload 2 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 14 IoCs
    installer
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1408
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\SALES CONTRACT 914 VIPA ORDER 213581.xlsx"
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1740
    • C:\Windows\SysWOW64\cmmon32.exe
      "C:\Windows\SysWOW64\cmmon32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1924
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Public\vbc.exe"
        3⤵
          PID:1160
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1544
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1176
        • C:\Users\Public\vbc.exe
          "C:\Users\Public\vbc.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1100

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scripting

    1
    T1064

    Exploitation for Client Execution

    1
    T1203

    Persistence

    Privilege Escalation

    Defense Evasion

    Scripting

    1
    T1064

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    2
    T1082

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\vbc.exe
      MD5

      9d38faec3253e9ce395c8970d03d8180

      SHA1

      53128b83b922c39ed32065c9d8baae2c13059719

      SHA256

      1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24

      SHA512

      0c883d98ff5f255f3c4cdc1664f726606e44280e867dd727caa19cd6aa3aee849c4dc5d9555b118310f2b648a2c217d30d297005648c61edd40969e21dd2271a

      Download Submit
    • C:\Users\Public\vbc.exe
      MD5

      9d38faec3253e9ce395c8970d03d8180

      SHA1

      53128b83b922c39ed32065c9d8baae2c13059719

      SHA256

      1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24

      SHA512

      0c883d98ff5f255f3c4cdc1664f726606e44280e867dd727caa19cd6aa3aee849c4dc5d9555b118310f2b648a2c217d30d297005648c61edd40969e21dd2271a

      Download Submit
    • C:\Users\Public\vbc.exe
      MD5

      9d38faec3253e9ce395c8970d03d8180

      SHA1

      53128b83b922c39ed32065c9d8baae2c13059719

      SHA256

      1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24

      SHA512

      0c883d98ff5f255f3c4cdc1664f726606e44280e867dd727caa19cd6aa3aee849c4dc5d9555b118310f2b648a2c217d30d297005648c61edd40969e21dd2271a

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsgCA51.tmp\chav.dll
      MD5

      03cae9032f6d2d44d8ecd93c87f1313f

      SHA1

      fe8f16836750db7d7fcb42d1d0ea77d55d145832

      SHA256

      ba8dc1fbfac80564485d83433578839c4ffe432e4ec3e81182fb7eadcc54c6b8

      SHA512

      5871980c59e457f47e47c86232640b2211c89bc6d3a9da7f89bf73f8f09fc6a8a48c9b88412c84367d7162349103192107ec24af637cd96227edd0db320fdc67

      Download Submit
    • \Users\Public\vbc.exe
      MD5

      9d38faec3253e9ce395c8970d03d8180

      SHA1

      53128b83b922c39ed32065c9d8baae2c13059719

      SHA256

      1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24

      SHA512

      0c883d98ff5f255f3c4cdc1664f726606e44280e867dd727caa19cd6aa3aee849c4dc5d9555b118310f2b648a2c217d30d297005648c61edd40969e21dd2271a

      Download Submit
    • \Users\Public\vbc.exe
      MD5

      9d38faec3253e9ce395c8970d03d8180

      SHA1

      53128b83b922c39ed32065c9d8baae2c13059719

      SHA256

      1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24

      SHA512

      0c883d98ff5f255f3c4cdc1664f726606e44280e867dd727caa19cd6aa3aee849c4dc5d9555b118310f2b648a2c217d30d297005648c61edd40969e21dd2271a

      Download Submit
    • \Users\Public\vbc.exe
      MD5

      9d38faec3253e9ce395c8970d03d8180

      SHA1

      53128b83b922c39ed32065c9d8baae2c13059719

      SHA256

      1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24

      SHA512

      0c883d98ff5f255f3c4cdc1664f726606e44280e867dd727caa19cd6aa3aee849c4dc5d9555b118310f2b648a2c217d30d297005648c61edd40969e21dd2271a

      Download Submit
    • \Users\Public\vbc.exe
      MD5

      9d38faec3253e9ce395c8970d03d8180

      SHA1

      53128b83b922c39ed32065c9d8baae2c13059719

      SHA256

      1771bccdd4c4fdc7d50d97ac10e5b1e0f980a4ff31233c59e9cfa17e9cd36a24

      SHA512

      0c883d98ff5f255f3c4cdc1664f726606e44280e867dd727caa19cd6aa3aee849c4dc5d9555b118310f2b648a2c217d30d297005648c61edd40969e21dd2271a

      Download Submit
    • memory/1100-69-0x0000000000810000-0x0000000000B13000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1100-66-0x000000000041D4A0-mapping.dmp
      Download
    • memory/1100-68-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1100-70-0x00000000002C0000-0x00000000002D1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1160-81-0x0000000000000000-mapping.dmp
      Download
    • memory/1176-61-0x0000000000000000-mapping.dmp
      Download
    • memory/1408-71-0x0000000006890000-0x0000000006969000-memory.dmp
      Filesize

      868KB

      Download
    • memory/1408-83-0x0000000006F80000-0x0000000007063000-memory.dmp
      Filesize

      908KB

      Download
    • memory/1544-56-0x00000000765A1000-0x00000000765A3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1740-74-0x0000000005CD0000-0x000000000691A000-memory.dmp
      Filesize

      12.3MB

      Download
    • memory/1740-54-0x0000000071C51000-0x0000000071C53000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1740-53-0x000000002F2B1000-0x000000002F2B4000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1740-85-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1740-76-0x0000000005CD0000-0x000000000691A000-memory.dmp
      Filesize

      12.3MB

      Download
    • memory/1740-77-0x0000000005CD0000-0x000000000691A000-memory.dmp
      Filesize

      12.3MB

      Download
    • memory/1740-73-0x0000000005CD0000-0x000000000691A000-memory.dmp
      Filesize

      12.3MB

      Download
    • memory/1740-55-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1740-78-0x0000000005CD0000-0x000000000691A000-memory.dmp
      Filesize

      12.3MB

      Download
    • memory/1924-80-0x0000000000080000-0x00000000000A9000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1924-72-0x0000000000000000-mapping.dmp
      Download
    • memory/1924-82-0x0000000001DE0000-0x0000000001E70000-memory.dmp
      Filesize

      576KB

      Download
    • memory/1924-79-0x0000000000840000-0x000000000084D000-memory.dmp
      Filesize

      52KB

      Download
    • memory/1924-75-0x0000000001F70000-0x0000000002273000-memory.dmp
      Filesize

      3.0MB

      Download