Analysis

  • max time kernel
    152s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    10-01-2022 15:07

General

  • Target

    QUOTATION REQUEST DTD311221 - Mopcoms TurkeyPDF.xlsx

  • Size

    310KB

  • MD5

    95cbc1f3891ed39e56fa3196a060f94e

  • SHA1

    ca003b9444c4eebeb468985bf53db7f7db52a4a8

  • SHA256

    2fe50cd698c141231db5d547de06e846312bbddaa3d5e8be0e012cc61de114ed

  • SHA512

    163f3d915abdc6042c6f7c39e0b7f7adc7a79a6e7ec96908d352ac1de3292a3c59b3bf7c5be56967249ea0dbc6a8763a0c18efd269195d3d44973aec0023b57c

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pnug

Decoy

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 3 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 12 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\QUOTATION REQUEST DTD311221 - Mopcoms TurkeyPDF.xlsx"
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1292
    • C:\Windows\SysWOW64\systray.exe
      "C:\Windows\SysWOW64\systray.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1680
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Public\vbc.exe"
        3⤵
        PID:1624
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1324
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1272
        • C:\Users\Public\vbc.exe
          "C:\Users\Public\vbc.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1184

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    • Scripting, T1064 (1)
    • Exploitation for Client Execution, T1203 (1)
  • Defense Evasion
    • Scripting, T1064 (1)
    • Modify Registry, T1112 (1)
  • Discovery
    • System Information Discovery, T1082 (2)
    • Query Registry, T1012 (1)

Downloads

    • C:\Users\Public\vbc.exe
      MD5

      175f006164182d3a95bf61ea207b7944

      SHA1

      e6586c82b4f92784edbf7640a63c0425dc51705b

      SHA256

      5f9bc09e4b5b782ff1b0cb564bd217b31c79e0ca253c136b7f5e4744460b2bb9

      SHA512

      6266b69aae421079890fb7f189a0c913af5a42a2fdf91b6189fa6e394f4272d00a5114aa7888012d14049e78db70f48fd1f51d883a9cbbedfcdbe3ea217576c0

    • \Users\Admin\AppData\Local\Temp\nsy5265.tmp\ecmyip.dll
      MD5

      587e0148246f200131e685053a52c0a5

      SHA1

      e6a0568b40d9ec45b85d5104ab48a0e3ca211a48

      SHA256

      81b25e92a746fdefe306e54c486f4ee3b070250e1f0c0f8baf5570054a04fc17

      SHA512

      99d4803fa9005707e81ae1b2aeb6c585783459a6d1635907c35fcf52cc8083c9154f25a6af2f0b105350090d580430d04bcefbaca191db2d9c053c823b7d2393

    • memory/1184-67-0x000000000041D400-mapping.dmp
    • memory/1184-66-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

    • memory/1184-70-0x0000000000770000-0x0000000000A73000-memory.dmp
      Filesize

      3.0MB

    • memory/1184-71-0x00000000002D0000-0x00000000002E1000-memory.dmp
      Filesize

      68KB

    • memory/1272-61-0x0000000000000000-mapping.dmp
    • memory/1292-80-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/1292-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/1292-54-0x000000002F9B1000-0x000000002F9B4000-memory.dmp
      Filesize

      12KB

    • memory/1292-55-0x0000000071411000-0x0000000071413000-memory.dmp
      Filesize

      8KB

    • memory/1324-57-0x0000000075AE1000-0x0000000075AE3000-memory.dmp
      Filesize

      8KB

    • memory/1392-72-0x0000000006FA0000-0x0000000007094000-memory.dmp
      Filesize

      976KB

    • memory/1392-79-0x0000000008C00000-0x0000000008D3C000-memory.dmp
      Filesize

      1.2MB

    • memory/1624-76-0x0000000000000000-mapping.dmp
    • memory/1680-74-0x00000000004D0000-0x00000000004D5000-memory.dmp
      Filesize

      20KB

    • memory/1680-75-0x0000000000080000-0x00000000000A9000-memory.dmp
      Filesize

      164KB

    • memory/1680-77-0x0000000001ED0000-0x00000000021D3000-memory.dmp
      Filesize

      3.0MB

    • memory/1680-78-0x0000000001C90000-0x0000000001D20000-memory.dmp
      Filesize

      576KB

    • memory/1680-73-0x0000000000000000-mapping.dmp