Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    25-11-2021 16:58

General

  • Target

    REMITTANCE ADVICE.xlsx

  • Size

    228KB

  • MD5

    2caab2292b282e6a5dea1cf78f84924a

  • SHA1

    86f37c31091b15cca135490a84eb52027bb1a4df

  • SHA256

    4c84124c87cd46ce58a7a8208ad1674c4a270793f9a6158e80fd28f96b3cc844

  • SHA512

    70590f55c98c31fb7b2a95cb6d6b63917e1fa0f868c3af852a805d45cbb176356a4b1dc1431ef908c680821730d0d02948956c03388fcee6fcf6bbd661d55733

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

m07f

C2

http://www.ff4cu6twc.xyz/m07f/

Decoy

khitthit.club

kczu.net

caylalamar.com

iixiazai.com

nickatwoodrealestate.com

006664.com

strimsbdltd.com

mykyhouse.com

flyestkicks.com

campingwithoutcanvas.com

sarishamisen.com

retrorecycling.com

zw4azsjb3cuj.biz

lokasennaservices.com

charleswagner.xyz

smmbazar.net

rebornmkt.com

clicktoreach.com

alendigital.xyz

carehrc.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

  • Xloader Payload 3 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 12 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\REMITTANCE ADVICE.xlsx"
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1664
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:988
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Public\vbc.exe"
        3⤵
        PID:1732
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1112
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1824
        • C:\Users\Public\vbc.exe
          "C:\Users\Public\vbc.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1704

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    • Scripting (T1064): 1
    • Exploitation for Client Execution (T1203): 1
  • Defense Evasion
    • Scripting (T1064): 1
    • Modify Registry (T1112): 1
  • Discovery
    • System Information Discovery (T1082): 2
    • Query Registry (T1012): 1


Downloads

    • C:\Users\Public\vbc.exe
      MD5

      1624595e2354ff7be9e7dc6def2ed69e

      SHA1

      1dcfaae594e3690d3fef5fd4de855d02e9cbb2a5

      SHA256

      4b50745e74fea6faa516b4d46b7c9fbe36fdae2301b76ec940635d033707a2c8

      SHA512

      aebd6e6d28ecab56e48b037836c2ffc573a8493b576ea3b59ac6932c6e782fc99ad1da7a67a231830a2c4612c89e24f0e7f483d24080f29d6133d81c7207971e

    • C:\Users\Public\vbc.exe
      MD5

      1624595e2354ff7be9e7dc6def2ed69e

      SHA1

      1dcfaae594e3690d3fef5fd4de855d02e9cbb2a5

      SHA256

      4b50745e74fea6faa516b4d46b7c9fbe36fdae2301b76ec940635d033707a2c8

      SHA512

      aebd6e6d28ecab56e48b037836c2ffc573a8493b576ea3b59ac6932c6e782fc99ad1da7a67a231830a2c4612c89e24f0e7f483d24080f29d6133d81c7207971e

    • C:\Users\Public\vbc.exe
      MD5

      1624595e2354ff7be9e7dc6def2ed69e

      SHA1

      1dcfaae594e3690d3fef5fd4de855d02e9cbb2a5

      SHA256

      4b50745e74fea6faa516b4d46b7c9fbe36fdae2301b76ec940635d033707a2c8

      SHA512

      aebd6e6d28ecab56e48b037836c2ffc573a8493b576ea3b59ac6932c6e782fc99ad1da7a67a231830a2c4612c89e24f0e7f483d24080f29d6133d81c7207971e

    • \Users\Admin\AppData\Local\Temp\nsd3DCC.tmp\otav.dll
      MD5

      a55ce7f1cf8df8b06a15140a3e9e3f9b

      SHA1

      5f787501f1d8b2a93d1df6d5c91cde0dd2ba14ce

      SHA256

      b6a12bc611f92d3d793ce5c3c9cff8a906ca96bd6b1d5c0da8ebf9080ff4428a

      SHA512

      544823425ee681acf6fa08ceb4a64840a16317573f2d6b6c6e4559199164d92c3f599521aea245340cc6c756ed808c1f4e2c131239bfdc67ee9ae376aef8ba4d

    • \Users\Public\vbc.exe
      MD5

      1624595e2354ff7be9e7dc6def2ed69e

      SHA1

      1dcfaae594e3690d3fef5fd4de855d02e9cbb2a5

      SHA256

      4b50745e74fea6faa516b4d46b7c9fbe36fdae2301b76ec940635d033707a2c8

      SHA512

      aebd6e6d28ecab56e48b037836c2ffc573a8493b576ea3b59ac6932c6e782fc99ad1da7a67a231830a2c4612c89e24f0e7f483d24080f29d6133d81c7207971e

    • \Users\Public\vbc.exe
      MD5

      1624595e2354ff7be9e7dc6def2ed69e

      SHA1

      1dcfaae594e3690d3fef5fd4de855d02e9cbb2a5

      SHA256

      4b50745e74fea6faa516b4d46b7c9fbe36fdae2301b76ec940635d033707a2c8

      SHA512

      aebd6e6d28ecab56e48b037836c2ffc573a8493b576ea3b59ac6932c6e782fc99ad1da7a67a231830a2c4612c89e24f0e7f483d24080f29d6133d81c7207971e

    • \Users\Public\vbc.exe
      MD5

      1624595e2354ff7be9e7dc6def2ed69e

      SHA1

      1dcfaae594e3690d3fef5fd4de855d02e9cbb2a5

      SHA256

      4b50745e74fea6faa516b4d46b7c9fbe36fdae2301b76ec940635d033707a2c8

      SHA512

      aebd6e6d28ecab56e48b037836c2ffc573a8493b576ea3b59ac6932c6e782fc99ad1da7a67a231830a2c4612c89e24f0e7f483d24080f29d6133d81c7207971e

    • memory/988-80-0x00000000003B0000-0x0000000000440000-memory.dmp
      Filesize

      576KB

    • memory/988-77-0x00000000003A0000-0x00000000003AE000-memory.dmp
      Filesize

      56KB

    • memory/988-79-0x0000000002250000-0x0000000002553000-memory.dmp
      Filesize

      3.0MB

    • memory/988-74-0x0000000000000000-mapping.dmp
    • memory/988-78-0x0000000000110000-0x0000000000139000-memory.dmp
      Filesize

      164KB

    • memory/1112-58-0x00000000762D1000-0x00000000762D3000-memory.dmp
      Filesize

      8KB

    • memory/1380-81-0x0000000008C20000-0x0000000008D6D000-memory.dmp
      Filesize

      1.3MB

    • memory/1380-73-0x0000000006590000-0x0000000006663000-memory.dmp
      Filesize

      844KB

    • memory/1664-57-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/1664-55-0x000000002F441000-0x000000002F444000-memory.dmp
      Filesize

      12KB

    • memory/1664-56-0x0000000071821000-0x0000000071823000-memory.dmp
      Filesize

      8KB

    • memory/1664-82-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/1704-68-0x000000000041D430-mapping.dmp
    • memory/1704-71-0x0000000000820000-0x0000000000B23000-memory.dmp
      Filesize

      3.0MB

    • memory/1704-72-0x00000000002C0000-0x00000000002D1000-memory.dmp
      Filesize

      68KB

    • memory/1704-67-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

    • memory/1732-76-0x0000000000000000-mapping.dmp
    • memory/1824-62-0x0000000000000000-mapping.dmp