Analysis
-
max time kernel
152s -
max time network
159s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
21-10-2021 06:14
General
-
Target
BM09 INV.PL.xlsx
-
Size
369KB
-
MD5
b03819cd2356392079a49fa5f0477ff9
-
SHA1
c6d295042dbad6daa7eccedddd354f9e90643b31
-
SHA256
0b9c4c0a71c0262d0af9cabc0b3cdc179ed4114e0ede23afce8342f48714adbb
-
SHA512
15ccab47909ffbe46f7cc995d36d93191cf1e541cf6653ad771dd869b71a9eb3d321dc5c0569064dc2feceb40e495ea19aba1c71c055b62a4fcb7dc3f99ccf5e
Malware Config
Extracted
xloader
2.5
ons6
http://www.parasitevhs.net/ons6/
946acc.net
ilkermulla.com
edificationhub.com
aptbaby.com
luisrgonzalez.com
postandpine.com
objective-object.com
storeydrive.rentals
mobile-find.com
africanbridaluk.com
zzjn12.xyz
ritechoiceinvestmentgroup.com
zitzies.xyz
trulyproofreading.com
ktndetermine.xyz
advertising.land
keywordgomuwk.xyz
niecliomusicspirit.com
lhortelecom.com
cryptochieftan.com
Signatures
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
-
Xloader Payload 4 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 4 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 12 IoCs
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\BM09 INV.PL.xlsx"2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmmon32.exe"C:\Windows\SysWOW64\cmmon32.exe"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Public\vbc.exe"5⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\vbc.exeMD5
5e9c6466f89089a73465bec3e84f6731
SHA17faa635ff81bf5a1ff5b56109f9d0a7088b5c1d1
SHA2567d1119a09c3f150ab964941c3a539fa3d1257cdb980df7e1535012378ae3974e
SHA51284241a9a1d1e700c52a736cf9d1225300c4d5c14485533aa08429b2c01f0d712067ba90c334ec474f997d8686e8433b08d1e5c925b6aeda6892c71cd17ad842b
-
C:\Users\Public\vbc.exeMD5
5e9c6466f89089a73465bec3e84f6731
SHA17faa635ff81bf5a1ff5b56109f9d0a7088b5c1d1
SHA2567d1119a09c3f150ab964941c3a539fa3d1257cdb980df7e1535012378ae3974e
SHA51284241a9a1d1e700c52a736cf9d1225300c4d5c14485533aa08429b2c01f0d712067ba90c334ec474f997d8686e8433b08d1e5c925b6aeda6892c71cd17ad842b
-
C:\Users\Public\vbc.exeMD5
5e9c6466f89089a73465bec3e84f6731
SHA17faa635ff81bf5a1ff5b56109f9d0a7088b5c1d1
SHA2567d1119a09c3f150ab964941c3a539fa3d1257cdb980df7e1535012378ae3974e
SHA51284241a9a1d1e700c52a736cf9d1225300c4d5c14485533aa08429b2c01f0d712067ba90c334ec474f997d8686e8433b08d1e5c925b6aeda6892c71cd17ad842b
-
\Users\Admin\AppData\Local\Temp\nsy44FD.tmp\rnzyao.dllMD5
70e70786ba2215991447cbbf5706f54f
SHA15477a0ec6586cff23039a387f3a1c8968a945d6d
SHA256cc86b72fe9369a197c80b38555433c296e0e46808b74d75ad719799087642be0
SHA51235471023269d350004827ee5565804eaddf01f75ecfa4944e339ae8ec1dd73470a3b11301b00739bd924de1fda9bd2d03d1437455fe78dace83bb6dadd9fda9a
-
\Users\Public\vbc.exeMD5
5e9c6466f89089a73465bec3e84f6731
SHA17faa635ff81bf5a1ff5b56109f9d0a7088b5c1d1
SHA2567d1119a09c3f150ab964941c3a539fa3d1257cdb980df7e1535012378ae3974e
SHA51284241a9a1d1e700c52a736cf9d1225300c4d5c14485533aa08429b2c01f0d712067ba90c334ec474f997d8686e8433b08d1e5c925b6aeda6892c71cd17ad842b
-
\Users\Public\vbc.exeMD5
5e9c6466f89089a73465bec3e84f6731
SHA17faa635ff81bf5a1ff5b56109f9d0a7088b5c1d1
SHA2567d1119a09c3f150ab964941c3a539fa3d1257cdb980df7e1535012378ae3974e
SHA51284241a9a1d1e700c52a736cf9d1225300c4d5c14485533aa08429b2c01f0d712067ba90c334ec474f997d8686e8433b08d1e5c925b6aeda6892c71cd17ad842b
-
\Users\Public\vbc.exeMD5
5e9c6466f89089a73465bec3e84f6731
SHA17faa635ff81bf5a1ff5b56109f9d0a7088b5c1d1
SHA2567d1119a09c3f150ab964941c3a539fa3d1257cdb980df7e1535012378ae3974e
SHA51284241a9a1d1e700c52a736cf9d1225300c4d5c14485533aa08429b2c01f0d712067ba90c334ec474f997d8686e8433b08d1e5c925b6aeda6892c71cd17ad842b
-
memory/660-58-0x00000000758C1000-0x00000000758C3000-memory.dmpFilesize
8KB
-
memory/1168-78-0x0000000000000000-mapping.dmp
-
memory/1280-75-0x0000000000580000-0x0000000000591000-memory.dmpFilesize
68KB
-
memory/1280-67-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1280-68-0x000000000041D400-mapping.dmp
-
memory/1280-71-0x0000000000950000-0x0000000000C53000-memory.dmpFilesize
3.0MB
-
memory/1280-72-0x00000000003C0000-0x00000000003D1000-memory.dmpFilesize
68KB
-
memory/1280-74-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1300-83-0x0000000006440000-0x000000000658F000-memory.dmpFilesize
1.3MB
-
memory/1300-76-0x00000000072B0000-0x00000000073BE000-memory.dmpFilesize
1.1MB
-
memory/1300-73-0x00000000070D0000-0x00000000071F4000-memory.dmpFilesize
1.1MB
-
memory/1700-56-0x00000000719F1000-0x00000000719F3000-memory.dmpFilesize
8KB
-
memory/1700-55-0x000000002F601000-0x000000002F604000-memory.dmpFilesize
12KB
-
memory/1700-57-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1700-84-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1928-62-0x0000000000000000-mapping.dmp
-
memory/1964-77-0x0000000000000000-mapping.dmp
-
memory/1964-80-0x0000000000080000-0x00000000000A9000-memory.dmpFilesize
164KB
-
memory/1964-81-0x0000000002100000-0x0000000002403000-memory.dmpFilesize
3.0MB
-
memory/1964-79-0x0000000000CF0000-0x0000000000CFD000-memory.dmpFilesize
52KB
-
memory/1964-82-0x0000000000890000-0x0000000000920000-memory.dmpFilesize
576KB