Analysis

  • max time kernel
    154s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    30-11-2021 18:32

General

  • Target

    SHIPPING DOCUMENT.xlsx

  • Size

    228KB

  • MD5

    ee219c2a0145e821ac0b89f0ee081ddb

  • SHA1

    a22a66920171bb0968b627e627645418a4ab983f

  • SHA256

    54793f5d71ebed0c4db8be0e4a9ba91f873b00cde08244f28601148c4d9b7996

  • SHA512

    cf5950deb832c0d864e9a5c845df83d1955462029fa297183b9f041de8d43512f92a9a74b495b3d6fa80dc4e5af88263b3d188d65fbda310fbd5878557cdcdcc

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

mwev

C2

http://www.scion-go-getter.com/mwev/

Decoy

9linefarms.com

meadow-spring.com

texascountrycharts.com

chinatowndeliver.com

grindsword.com

thegurusigavebirthto.com

rip-online.com

lm-safe-keepingtoyof6.xyz

plumbtechconsulting.com

jgoerlach.com

inbloomsolutions.com

foxandmew.com

tikomobile.store

waybunch.com

thepatriottutor.com

qask.top

pharmacylinked.com

ishii-miona.com

sugarandrocks.com

anabolenpower.net

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

  • Xloader Payload 4 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1360
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENT.xlsx"
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1072
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
      PID:1888
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
      PID:1760
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
      PID:1896
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
      PID:1572
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
      PID:1600
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
      PID:1596
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
      PID:1592
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1192
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Public\vbc.exe"
        3⤵
        PID:2044
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:1432
    • C:\Users\Public\vbc.exe
      "C:\Users\Public\vbc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1860
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:888

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    • Scripting (1) T1064
    • Exploitation for Client Execution (1) T1203
  • Defense Evasion
    • Scripting (1) T1064
    • Modify Registry (1) T1112
  • Discovery
    • Query Registry (1) T1012
    • System Information Discovery (1) T1082

Downloads

  • C:\Users\Public\vbc.exe
    MD5
    f4eb13ef6fef846933c731aecae8f978
    SHA1
    f27a8de41120825fc9a59b05e79bb92ccc766b2d
    SHA256
    cd53040ec21c86fa58a23ef8a844b96b05454800c6aabe0e9d5772e3ab07bce6
    SHA512
    b5bd82041cd093a42aca06b7628dd1d3c93948c4919bab0a3e88bca828e87240a9e755f5759a9c092d9b67351952c589cecb251ff97f52ccff5c8d60c68f02c0

  • \Users\Public\vbc.exe
    MD5
    f4eb13ef6fef846933c731aecae8f978
    SHA1
    f27a8de41120825fc9a59b05e79bb92ccc766b2d
    SHA256
    cd53040ec21c86fa58a23ef8a844b96b05454800c6aabe0e9d5772e3ab07bce6
    SHA512
    b5bd82041cd093a42aca06b7628dd1d3c93948c4919bab0a3e88bca828e87240a9e755f5759a9c092d9b67351952c589cecb251ff97f52ccff5c8d60c68f02c0

  • memory/888-73-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize 164KB
  • memory/888-82-0x00000000002A0000-0x00000000002B1000-memory.dmp
    Filesize 68KB
  • memory/888-81-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize 164KB
  • memory/888-78-0x0000000000AE0000-0x0000000000DE3000-memory.dmp
    Filesize 3.0MB
  • memory/888-79-0x0000000000140000-0x0000000000151000-memory.dmp
    Filesize 68KB
  • memory/888-72-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize 164KB
  • memory/888-74-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize 164KB
  • memory/888-75-0x000000000041D480-mapping.dmp
  • memory/1072-56-0x0000000071B61000-0x0000000071B63000-memory.dmp
    Filesize 8KB
  • memory/1072-91-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize 64KB
  • memory/1072-57-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize 64KB
  • memory/1072-55-0x000000002F461000-0x000000002F464000-memory.dmp
    Filesize 12KB
  • memory/1192-84-0x0000000000000000-mapping.dmp
  • memory/1192-87-0x0000000000130000-0x000000000013E000-memory.dmp
    Filesize 56KB
  • memory/1192-90-0x0000000001E10000-0x0000000001EA0000-memory.dmp
    Filesize 576KB
  • memory/1192-89-0x0000000002120000-0x0000000002423000-memory.dmp
    Filesize 3.0MB
  • memory/1192-88-0x0000000000090000-0x00000000000B9000-memory.dmp
    Filesize 164KB
  • memory/1360-80-0x0000000006100000-0x00000000061AD000-memory.dmp
    Filesize 692KB
  • memory/1360-92-0x00000000048E0000-0x0000000004975000-memory.dmp
    Filesize 596KB
  • memory/1360-83-0x0000000007220000-0x000000000737F000-memory.dmp
    Filesize 1.4MB
  • memory/1432-58-0x0000000075801000-0x0000000075803000-memory.dmp
    Filesize 8KB
  • memory/1860-69-0x0000000004D20000-0x0000000004D21000-memory.dmp
    Filesize 4KB
  • memory/1860-63-0x0000000000000000-mapping.dmp
  • memory/1860-66-0x0000000001350000-0x0000000001351000-memory.dmp
    Filesize 4KB
  • memory/1860-71-0x00000000012D0000-0x0000000001329000-memory.dmp
    Filesize 356KB
  • memory/1860-70-0x0000000000510000-0x0000000000516000-memory.dmp
    Filesize 24KB
  • memory/2044-86-0x0000000000000000-mapping.dmp