Overview

overview

10

Static

static

9aaf287388...24.rtf

windows7_x64

10

9aaf287388...24.rtf

windows10_x64

1

Resubmissions

21-10-2021 12:23

211021-pkzp9aacd9 10

21-10-2021 09:57

211021-lyxk9sahgr 10

Analysis

  • max time kernel
    1801s
  • max time network
    1800s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    21-10-2021 12:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9aaf287388698afd5ef8bfeb1fb8ee24.rtf

  • Size

    23KB

  • MD5

    9aaf287388698afd5ef8bfeb1fb8ee24

  • SHA1

    97c0f28698ddc4e9b512a37f0230de3846922649

  • SHA256

    c01942eeca190f7672db0e7e3322a21b52c66f669b41f1dd0ef852c8dd003cb3

  • SHA512

    e634eea49486d6cc8a0f3227b674184eff9ba57afa1a26f708687ef92f21d4ac979be19fad65c4430f4fb31e9746b286cad83ed3c1f668823bc66667e6c8dfe3

Score
10/10
formbookxloadermxnuloaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

mxnu

C2

http://www.naplesconciergerealty.com/mxnu/

Decoy

insightmyhome.com

gabriellamaxey.com

029atk.xyz

marshconstructions.com

technichoffghosts.com

blue-ivy-boutique-au.com

1sunsetgroup.com

elfkuhnispb.store

caoliudh.club

verifiedpaypal.net

jellyice-tr.com

gatescres.com

bloomberq.online

crystaltopagent.net

uggs-line.com

ecommerceplatform.xyz

historyofcambridge.com

sattaking-gaziabad.xyz

digisor.com

beachpawsmobilegrooming.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 5 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 18 IoCs
    installer
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 14 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9aaf287388698afd5ef8bfeb1fb8ee24.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1632
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1636
      • C:\Program Files (x86)\Cox4dufwh\winhh1lxj9.exe
        "C:\Program Files (x86)\Cox4dufwh\winhh1lxj9.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1048
        • C:\Program Files (x86)\Cox4dufwh\winhh1lxj9.exe
          "C:\Program Files (x86)\Cox4dufwh\winhh1lxj9.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1348
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:984
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1788
        • C:\Users\Public\vbc.exe
          "C:\Users\Public\vbc.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:924
          • C:\Windows\SysWOW64\netsh.exe
            "C:\Windows\SysWOW64\netsh.exe"
            4⤵
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            • Drops file in Program Files directory
            • Modifies Internet Explorer settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1592
            • C:\Windows\SysWOW64\cmd.exe
              /c del "C:\Users\Public\vbc.exe"
              5⤵
                PID:1700
              • C:\Program Files\Mozilla Firefox\Firefox.exe
                "C:\Program Files\Mozilla Firefox\Firefox.exe"
                5⤵
                  PID:1916

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Scripting

        1
        T1064

        Exploitation for Client Execution

        1
        T1203

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Scripting

        1
        T1064

        Modify Registry

        2
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Cox4dufwh\winhh1lxj9.exe
          MD5

          36e60a2ecd13869a78ad7bc9312681d0

          SHA1

          8ef2422980fe2641a0d101fa1649fc24c43c2e97

          SHA256

          b6d84072166800bd1d35ca9265107d6f26496c7375411ca818046c5a28dee9d9

          SHA512

          bcdfe6f2b4db1dedac564e4e50de65ef1387e9613a063bc118b9da3f66c08587aebd90923a6706ca22ddd334e7796d7c214b3636ce49c5acf0b533fd2d834a36

          Download Submit
        • C:\Program Files (x86)\Cox4dufwh\winhh1lxj9.exe
          MD5

          36e60a2ecd13869a78ad7bc9312681d0

          SHA1

          8ef2422980fe2641a0d101fa1649fc24c43c2e97

          SHA256

          b6d84072166800bd1d35ca9265107d6f26496c7375411ca818046c5a28dee9d9

          SHA512

          bcdfe6f2b4db1dedac564e4e50de65ef1387e9613a063bc118b9da3f66c08587aebd90923a6706ca22ddd334e7796d7c214b3636ce49c5acf0b533fd2d834a36

          Download Submit
        • C:\Program Files (x86)\Cox4dufwh\winhh1lxj9.exe
          MD5

          36e60a2ecd13869a78ad7bc9312681d0

          SHA1

          8ef2422980fe2641a0d101fa1649fc24c43c2e97

          SHA256

          b6d84072166800bd1d35ca9265107d6f26496c7375411ca818046c5a28dee9d9

          SHA512

          bcdfe6f2b4db1dedac564e4e50de65ef1387e9613a063bc118b9da3f66c08587aebd90923a6706ca22ddd334e7796d7c214b3636ce49c5acf0b533fd2d834a36

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\v3v4fyxld38pebqq
          MD5

          bdc3505c88522a01db5c675983355a86

          SHA1

          8465c710eb29a7a0696bb5e83d27961da67a03a0

          SHA256

          620ccc5897f1c5dca0e6a71bd47c6c8d9ef8aeb6d25b7fc1cdd46e6873587915

          SHA512

          717fdc1b782f2c4d78bf4588e3dee614f95a91f3213201f33f6546cbf2daa29c4e9e5b8b4911abe196cdd6b7c5c5ae6a3b7efddecd75cc5d38f09b6e10e8c58b

          Download Submit
        • C:\Users\Public\vbc.exe
          MD5

          36e60a2ecd13869a78ad7bc9312681d0

          SHA1

          8ef2422980fe2641a0d101fa1649fc24c43c2e97

          SHA256

          b6d84072166800bd1d35ca9265107d6f26496c7375411ca818046c5a28dee9d9

          SHA512

          bcdfe6f2b4db1dedac564e4e50de65ef1387e9613a063bc118b9da3f66c08587aebd90923a6706ca22ddd334e7796d7c214b3636ce49c5acf0b533fd2d834a36

          Download Submit
        • C:\Users\Public\vbc.exe
          MD5

          36e60a2ecd13869a78ad7bc9312681d0

          SHA1

          8ef2422980fe2641a0d101fa1649fc24c43c2e97

          SHA256

          b6d84072166800bd1d35ca9265107d6f26496c7375411ca818046c5a28dee9d9

          SHA512

          bcdfe6f2b4db1dedac564e4e50de65ef1387e9613a063bc118b9da3f66c08587aebd90923a6706ca22ddd334e7796d7c214b3636ce49c5acf0b533fd2d834a36

          Download Submit
        • C:\Users\Public\vbc.exe
          MD5

          36e60a2ecd13869a78ad7bc9312681d0

          SHA1

          8ef2422980fe2641a0d101fa1649fc24c43c2e97

          SHA256

          b6d84072166800bd1d35ca9265107d6f26496c7375411ca818046c5a28dee9d9

          SHA512

          bcdfe6f2b4db1dedac564e4e50de65ef1387e9613a063bc118b9da3f66c08587aebd90923a6706ca22ddd334e7796d7c214b3636ce49c5acf0b533fd2d834a36

          Download Submit
        • \Users\Admin\AppData\Local\Temp\nsb2B36.tmp\dzksq.dll
          MD5

          52a665d244ddb5192b3494f4ca1bd978

          SHA1

          07bd3f140917cd3992e9b9ffc120c84af834472d

          SHA256

          63466cfda81d5da190e8d3198ccff849e7c651f472efd58d277add978a50f131

          SHA512

          c892de4792dd99d8d9eb3da0e42d80132bb613062cec56faa0429019ca3e8e32804e2d065f72cbc8c960000013e113753bcd15b836e4d19f147f37f2f12e5648

          Download Submit
        • \Users\Admin\AppData\Local\Temp\nst5294.tmp\dzksq.dll
          MD5

          52a665d244ddb5192b3494f4ca1bd978

          SHA1

          07bd3f140917cd3992e9b9ffc120c84af834472d

          SHA256

          63466cfda81d5da190e8d3198ccff849e7c651f472efd58d277add978a50f131

          SHA512

          c892de4792dd99d8d9eb3da0e42d80132bb613062cec56faa0429019ca3e8e32804e2d065f72cbc8c960000013e113753bcd15b836e4d19f147f37f2f12e5648

          Download Submit
        • \Users\Public\vbc.exe
          MD5

          36e60a2ecd13869a78ad7bc9312681d0

          SHA1

          8ef2422980fe2641a0d101fa1649fc24c43c2e97

          SHA256

          b6d84072166800bd1d35ca9265107d6f26496c7375411ca818046c5a28dee9d9

          SHA512

          bcdfe6f2b4db1dedac564e4e50de65ef1387e9613a063bc118b9da3f66c08587aebd90923a6706ca22ddd334e7796d7c214b3636ce49c5acf0b533fd2d834a36

          Download Submit
        • \Users\Public\vbc.exe
          MD5

          36e60a2ecd13869a78ad7bc9312681d0

          SHA1

          8ef2422980fe2641a0d101fa1649fc24c43c2e97

          SHA256

          b6d84072166800bd1d35ca9265107d6f26496c7375411ca818046c5a28dee9d9

          SHA512

          bcdfe6f2b4db1dedac564e4e50de65ef1387e9613a063bc118b9da3f66c08587aebd90923a6706ca22ddd334e7796d7c214b3636ce49c5acf0b533fd2d834a36

          Download Submit
        • \Users\Public\vbc.exe
          MD5

          36e60a2ecd13869a78ad7bc9312681d0

          SHA1

          8ef2422980fe2641a0d101fa1649fc24c43c2e97

          SHA256

          b6d84072166800bd1d35ca9265107d6f26496c7375411ca818046c5a28dee9d9

          SHA512

          bcdfe6f2b4db1dedac564e4e50de65ef1387e9613a063bc118b9da3f66c08587aebd90923a6706ca22ddd334e7796d7c214b3636ce49c5acf0b533fd2d834a36

          Download Submit
        • memory/924-76-0x0000000000570000-0x0000000000581000-memory.dmp
          Filesize

          68KB

          Download
        • memory/924-68-0x0000000000400000-0x0000000000429000-memory.dmp
          Filesize

          164KB

          Download
        • memory/924-71-0x0000000000950000-0x0000000000C53000-memory.dmp
          Filesize

          3.0MB

          Download
        • memory/924-73-0x00000000003C0000-0x00000000003D1000-memory.dmp
          Filesize

          68KB

          Download
        • memory/924-75-0x0000000000400000-0x0000000000429000-memory.dmp
          Filesize

          164KB

          Download
        • memory/924-69-0x000000000041D4A0-mapping.dmp
          Download
        • memory/1048-89-0x0000000000000000-mapping.dmp
          Download
        • memory/1348-98-0x0000000000820000-0x0000000000B23000-memory.dmp
          Filesize

          3.0MB

          Download
        • memory/1348-96-0x000000000041D4A0-mapping.dmp
          Download
        • memory/1392-77-0x0000000004220000-0x0000000004308000-memory.dmp
          Filesize

          928KB

          Download
        • memory/1392-74-0x0000000007220000-0x000000000733C000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/1392-86-0x0000000006010000-0x00000000060CE000-memory.dmp
          Filesize

          760KB

          Download
        • memory/1592-80-0x0000000000000000-mapping.dmp
          Download
        • memory/1592-82-0x0000000000D50000-0x0000000000D6B000-memory.dmp
          Filesize

          108KB

          Download
        • memory/1592-84-0x0000000002170000-0x0000000002473000-memory.dmp
          Filesize

          3.0MB

          Download
        • memory/1592-83-0x0000000000080000-0x00000000000A9000-memory.dmp
          Filesize

          164KB

          Download
        • memory/1592-85-0x0000000000980000-0x0000000000A10000-memory.dmp
          Filesize

          576KB

          Download
        • memory/1632-57-0x000000005FFF0000-0x0000000060000000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1632-58-0x0000000076241000-0x0000000076243000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1632-87-0x000000005FFF0000-0x0000000060000000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1632-55-0x0000000072DB1000-0x0000000072DB4000-memory.dmp
          Filesize

          12KB

          Download
        • memory/1632-56-0x0000000070831000-0x0000000070833000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1636-79-0x000007FEFC461000-0x000007FEFC463000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1636-78-0x0000000000000000-mapping.dmp
          Download
        • memory/1700-81-0x0000000000000000-mapping.dmp
          Download
        • memory/1788-63-0x0000000000000000-mapping.dmp
          Download