Analysis

  • max time kernel
    150s
  • max time network
    200s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    23-09-2021 06:14

General

  • Target

    DHL_Sender_Documents_Details_021230900.xlsx

  • Size

    355KB

  • MD5

    e5c6389fe4c43e736bbe304ac2aa9912

  • SHA1

    5d4bb21ef27c9b712c33a367c461ea78defb2849

  • SHA256

    c996c6e47abe7b54c652692c1aa2bd7b1c63b4927a8da78ca2d1de3ca7232198

  • SHA512

    2138ffc7b261c3c81467d8ca7fb9638f82896e74fb5147588a50edf5fc619a26994992bc6de1e455157bf65e2f14bf8fdcc771a8188f1a6a45c7b957bffe0287

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

m0np

C2

http://www.devmedicalcentre.com/m0np/

Decoy

gruppovimar.com

seniordatingtv.com

pinpinyouqian.website

retreatreflectreplenish.com

baby-handmade.store

econsupplies.com

helloaustinpodcast.com

europe-lodging.com

ferahanaokulu.com

thehomeinspo.com

rawhoneytnpasumo6.xyz

tyckasei.quest

scissorsandbuffer.com

jatinvestmentsmaldives.com

softandcute.store

afuturemakerspromotions.online

leonsigntech.com

havetheshortscovered.com

cvkf.email

iplyyu.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

  • suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016

    suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016

  • Xloader Payload 3 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 12 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\DHL_Sender_Documents_Details_021230900.xlsx
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:520
    • C:\Windows\SysWOW64\NETSTAT.EXE
      "C:\Windows\SysWOW64\NETSTAT.EXE"
      2⤵
      • Suspicious use of SetThreadContext
      • Gathers network information
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:540
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Public\vbc.exe"
        3⤵
          PID:1788
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:924
        • C:\Users\Public\vbc.exe
          "C:\Users\Public\vbc.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:812

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Execution

    Scripting

    1
    T1064

    Command-Line Interface

    1
    T1059

    Exploitation for Client Execution

    1
    T1203

    Defense Evasion

    Scripting

    1
    T1064

    Modify Registry

    1
    T1112

    Discovery

    System Information Discovery

    3
    T1082

    Query Registry

    1
    T1012

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\vbc.exe
      MD5

      62c72f781d7001dff6d747ee91e33e32

      SHA1

      ed9fb1d769fd4655a335884d26875758fe67433c

      SHA256

      990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d

      SHA512

      2b4e491681ddeebbf0eadb0f86923cedd6bc22c168c33aaa0363069df317a6bf5bde74f614abc97dde35185aa8f1f8fd5c0340a4b4c509fdf3f1837bbfb6473d

    • C:\Users\Public\vbc.exe
      MD5

      62c72f781d7001dff6d747ee91e33e32

      SHA1

      ed9fb1d769fd4655a335884d26875758fe67433c

      SHA256

      990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d

      SHA512

      2b4e491681ddeebbf0eadb0f86923cedd6bc22c168c33aaa0363069df317a6bf5bde74f614abc97dde35185aa8f1f8fd5c0340a4b4c509fdf3f1837bbfb6473d

    • C:\Users\Public\vbc.exe
      MD5

      62c72f781d7001dff6d747ee91e33e32

      SHA1

      ed9fb1d769fd4655a335884d26875758fe67433c

      SHA256

      990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d

      SHA512

      2b4e491681ddeebbf0eadb0f86923cedd6bc22c168c33aaa0363069df317a6bf5bde74f614abc97dde35185aa8f1f8fd5c0340a4b4c509fdf3f1837bbfb6473d

    • \Users\Admin\AppData\Local\Temp\nsq50FD.tmp\ojcwnasg.dll
      MD5

      a1c31e0436d00eb00481b5c0f39fa849

      SHA1

      1c71dc6fb7b93c99722dba7deee53dda9e19f5a5

      SHA256

      856362062f444906aa7cce79dab2727d9fbcdfc3d6ac5241819c1586d3693f8b

      SHA512

      466bbf168192502b718eca1e83f5120e4b144f77754ac276b577ec7cddd30dd93c3a3465e1e6ff9db0884cf4c3ca9a62867a9522dd88f20cf93200be3287768b

    • \Users\Public\vbc.exe
      MD5

      62c72f781d7001dff6d747ee91e33e32

      SHA1

      ed9fb1d769fd4655a335884d26875758fe67433c

      SHA256

      990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d

      SHA512

      2b4e491681ddeebbf0eadb0f86923cedd6bc22c168c33aaa0363069df317a6bf5bde74f614abc97dde35185aa8f1f8fd5c0340a4b4c509fdf3f1837bbfb6473d

    • \Users\Public\vbc.exe
      MD5

      62c72f781d7001dff6d747ee91e33e32

      SHA1

      ed9fb1d769fd4655a335884d26875758fe67433c

      SHA256

      990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d

      SHA512

      2b4e491681ddeebbf0eadb0f86923cedd6bc22c168c33aaa0363069df317a6bf5bde74f614abc97dde35185aa8f1f8fd5c0340a4b4c509fdf3f1837bbfb6473d

    • \Users\Public\vbc.exe
      MD5

      62c72f781d7001dff6d747ee91e33e32

      SHA1

      ed9fb1d769fd4655a335884d26875758fe67433c

      SHA256

      990a8fa7e96d2cd90b09ab39794df984bc153d0dcd390afbca19a42b689d4e7d

      SHA512

      2b4e491681ddeebbf0eadb0f86923cedd6bc22c168c33aaa0363069df317a6bf5bde74f614abc97dde35185aa8f1f8fd5c0340a4b4c509fdf3f1837bbfb6473d

    • memory/520-86-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/520-61-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/520-59-0x000000002F331000-0x000000002F334000-memory.dmp
      Filesize

      12KB

    • memory/520-60-0x00000000716A1000-0x00000000716A3000-memory.dmp
      Filesize

      8KB

    • memory/540-84-0x0000000001E80000-0x0000000001F10000-memory.dmp
      Filesize

      576KB

    • memory/540-79-0x0000000000000000-mapping.dmp
    • memory/540-83-0x0000000002090000-0x0000000002393000-memory.dmp
      Filesize

      3.0MB

    • memory/540-81-0x0000000000180000-0x0000000000189000-memory.dmp
      Filesize

      36KB

    • memory/540-82-0x0000000000080000-0x00000000000A9000-memory.dmp
      Filesize

      164KB

    • memory/812-72-0x000000000041D450-mapping.dmp
    • memory/812-77-0x0000000000540000-0x0000000000551000-memory.dmp
      Filesize

      68KB

    • memory/812-75-0x00000000003E0000-0x00000000003F1000-memory.dmp
      Filesize

      68KB

    • memory/812-74-0x0000000000950000-0x0000000000C53000-memory.dmp
      Filesize

      3.0MB

    • memory/812-71-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

    • memory/924-66-0x0000000000000000-mapping.dmp
    • memory/1204-78-0x0000000006F60000-0x00000000070A5000-memory.dmp
      Filesize

      1.3MB

    • memory/1204-76-0x00000000041D0000-0x00000000042B4000-memory.dmp
      Filesize

      912KB

    • memory/1204-85-0x0000000007140000-0x0000000007285000-memory.dmp
      Filesize

      1.3MB

    • memory/1724-62-0x0000000075891000-0x0000000075893000-memory.dmp
      Filesize

      8KB

    • memory/1788-80-0x0000000000000000-mapping.dmp