Overview

overview

10

Static

static

JEP Sports...g.xlsx

windows7_x64

10

JEP Sports...g.xlsx

windows10_x64

1

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    21-10-2021 06:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JEP Sports Player Rating.xlsx

  • Size

    366KB

  • MD5

    4fb3e59606677f24794e9d10668cebeb

  • SHA1

    8f8e1f1c84523cbc96d934c4ba30f910772f4754

  • SHA256

    7f1234fef1cd3abb7a451afc69c458b03fd125e1a553b5af679bc79297986be5

  • SHA512

    2c5cd7e0747caf6f7e93323da826fd515fdcf2b29f7f3aa01c16818d5a238089b84547b7eced1b20dc868d79d442f9c1f7fb675c992a2b6e004bb8fcf2d9662f

Score
10/10
xloadersb6nloaderpersistenceratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

sb6n

C2

http://www.best5amazon.com/sb6n/

Decoy

bogosamba.com

inmobiliariapuertalavilla.com

nopressurewellness.com

hairshopamity.com

epicmoments360.com

tutorgpa.com

fucibou.xyz

135631.com

portraydashcam.com

raqsarabia.com

okantis.net

vongquaykimcuongfreefire.online

prodom.online

5537sbishop.info

lisakenneyinc.com

fivetime.xyz

borzv.com

joungla.com

mas-urbano.com

sjczyw.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • Xloader Payload 3 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Modifies registry key 1 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1364
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\JEP Sports Player Rating.xlsx"
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1080
    • C:\Windows\SysWOW64\colorcpl.exe
      "C:\Windows\SysWOW64\colorcpl.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1072
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\DpiScaling.exe"
        3⤵
          PID:524
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:268
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:852
        • C:\Windows\SysWOW64\DpiScaling.exe
          C:\Windows\System32\DpiScaling.exe
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1048
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Public\Trast.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1900
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1168
            • C:\Windows\SysWOW64\reg.exe
              reg delete hkcu\Environment /v windir /f
              5⤵
              • Modifies registry key
              PID:1584
            • C:\Windows\SysWOW64\reg.exe
              reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
              5⤵
              • Modifies registry key
              PID:1576
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
              5⤵
                PID:948
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Public\nest.bat" "
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1564
            • C:\Windows\SysWOW64\reg.exe
              reg delete hkcu\Environment /v windir /f
              4⤵
              • Modifies registry key
              PID:364

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scripting

      1
      T1064

      Exploitation for Client Execution

      1
      T1203

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Scripting

      1
      T1064

      Modify Registry

      3
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Public\Trast.bat
        MD5

        4068c9f69fcd8a171c67f81d4a952a54

        SHA1

        4d2536a8c28cdcc17465e20d6693fb9e8e713b36

        SHA256

        24222300c78180b50ed1f8361ba63cb27316ec994c1c9079708a51b4a1a9d810

        SHA512

        a64f9319acc51fffd0491c74dcd9c9084c2783b82f95727e4bfe387a8528c6dcf68f11418e88f1e133d115daf907549c86dd7ad866b2a7938add5225fbb2811d

        Download Submit
      • C:\Users\Public\UKO.bat
        MD5

        eaf8d967454c3bbddbf2e05a421411f8

        SHA1

        6170880409b24de75c2dc3d56a506fbff7f6622c

        SHA256

        f35f2658455a2e40f151549a7d6465a836c33fa9109e67623916f889849eac56

        SHA512

        fe5be5c673e99f70c93019d01abb0a29dd2ecf25b2d895190ff551f020c28e7d8f99f65007f440f0f76c5bcac343b2a179a94d190c938ea3b9e1197890a412e9

        Download Submit
      • C:\Users\Public\nest.bat
        MD5

        8ada51400b7915de2124baaf75e3414c

        SHA1

        1a7b9db12184ab7fd7fce1c383f9670a00adb081

        SHA256

        45aa3957c29865260a78f03eef18ae9aebdbf7bea751ecc88be4a799f2bb46c7

        SHA512

        9afc138157a4565294ca49942579cdb6f5d8084e56f9354738de62b585f4c0fa3e7f2cbc9541827f2084e3ff36c46eed29b46f5dd2444062ffcd05c599992e68

        Download Submit
      • C:\Users\Public\vbc.exe
        MD5

        51cd4ea4c20552f51824b13af3a93360

        SHA1

        1f85673268160d356cc66056e18e721646a51034

        SHA256

        891ff9447dec210b5897080666b8281d7387206c14dba7587465e16bd2efa117

        SHA512

        add0bc6bec599694cdd9c19101edf0b66a914aa4198ed9f10d23e4c14b8bf2708c992917326974007c59c4e6e5c49063c0e1ade25556cdc19ae9dc1a8c79fbcf

        Download Submit
      • C:\Users\Public\vbc.exe
        MD5

        51cd4ea4c20552f51824b13af3a93360

        SHA1

        1f85673268160d356cc66056e18e721646a51034

        SHA256

        891ff9447dec210b5897080666b8281d7387206c14dba7587465e16bd2efa117

        SHA512

        add0bc6bec599694cdd9c19101edf0b66a914aa4198ed9f10d23e4c14b8bf2708c992917326974007c59c4e6e5c49063c0e1ade25556cdc19ae9dc1a8c79fbcf

        Download Submit
      • \Users\Public\vbc.exe
        MD5

        51cd4ea4c20552f51824b13af3a93360

        SHA1

        1f85673268160d356cc66056e18e721646a51034

        SHA256

        891ff9447dec210b5897080666b8281d7387206c14dba7587465e16bd2efa117

        SHA512

        add0bc6bec599694cdd9c19101edf0b66a914aa4198ed9f10d23e4c14b8bf2708c992917326974007c59c4e6e5c49063c0e1ade25556cdc19ae9dc1a8c79fbcf

        Download Submit
      • \Users\Public\vbc.exe
        MD5

        51cd4ea4c20552f51824b13af3a93360

        SHA1

        1f85673268160d356cc66056e18e721646a51034

        SHA256

        891ff9447dec210b5897080666b8281d7387206c14dba7587465e16bd2efa117

        SHA512

        add0bc6bec599694cdd9c19101edf0b66a914aa4198ed9f10d23e4c14b8bf2708c992917326974007c59c4e6e5c49063c0e1ade25556cdc19ae9dc1a8c79fbcf

        Download Submit
      • memory/268-56-0x0000000075FC1000-0x0000000075FC3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/364-92-0x0000000000000000-mapping.dmp
        Download
      • memory/524-87-0x0000000000000000-mapping.dmp
        Download
      • memory/852-59-0x0000000000000000-mapping.dmp
        Download
      • memory/852-62-0x0000000000251000-0x0000000000265000-memory.dmp
        Filesize

        80KB

        Download
      • memory/852-61-0x00000000001B0000-0x00000000001B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/948-78-0x0000000000000000-mapping.dmp
        Download
      • memory/1048-65-0x0000000072480000-0x00000000724A9000-memory.dmp
        Filesize

        164KB

        Download
      • memory/1048-66-0x00000000000A0000-0x00000000000A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1048-68-0x0000000000000000-mapping.dmp
        Download
      • memory/1048-72-0x0000000072480000-0x00000000724A9000-memory.dmp
        Filesize

        164KB

        Download
      • memory/1048-71-0x00000000000B0000-0x00000000000B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1048-81-0x0000000000230000-0x0000000000241000-memory.dmp
        Filesize

        68KB

        Download
      • memory/1048-80-0x0000000001F00000-0x0000000002203000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1072-85-0x00000000004E0000-0x00000000004F8000-memory.dmp
        Filesize

        96KB

        Download
      • memory/1072-89-0x00000000003C0000-0x0000000000450000-memory.dmp
        Filesize

        576KB

        Download
      • memory/1072-88-0x0000000001EF0000-0x00000000021F3000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1072-86-0x0000000000080000-0x00000000000A9000-memory.dmp
        Filesize

        164KB

        Download
      • memory/1072-83-0x0000000000000000-mapping.dmp
        Download
      • memory/1080-53-0x000000002FB91000-0x000000002FB94000-memory.dmp
        Filesize

        12KB

        Download
      • memory/1080-55-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1080-54-0x00000000717B1000-0x00000000717B3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1080-94-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1168-74-0x0000000000000000-mapping.dmp
        Download
      • memory/1364-82-0x0000000004900000-0x00000000049B2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/1364-93-0x0000000007190000-0x0000000007315000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/1564-90-0x0000000000000000-mapping.dmp
        Download
      • memory/1576-77-0x0000000000000000-mapping.dmp
        Download
      • memory/1584-76-0x0000000000000000-mapping.dmp
        Download
      • memory/1900-70-0x0000000000000000-mapping.dmp
        Download