Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    17-01-2022 14:03

General

  • Target

    tmp/55294d13ba1d75f9daa7e87c0025c3efc6092ea3de41d3807ab5f50b87df9e89.xls

  • Size

    299KB

  • MD5

    5c899ea523fc5a003a2ee3de8f11bd02

  • SHA1

    ef20b0be5970fc46faa0ff9bdfcd6e00f134653f

  • SHA256

    55294d13ba1d75f9daa7e87c0025c3efc6092ea3de41d3807ab5f50b87df9e89

  • SHA512

    6ad715cb75f4bde32e4eebea96ca2f6091b68eaa6a370a0f4739edb883d72e920fe01e5b8cd110456f23d007f1b5037d0e70d62f15bbe2f40ee0e930264714db

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pnug

Decoy

natureate.com

ita-pots.website

sucohansmushroom.com

produrielrosen.com

gosystemupdatenow.online

jiskra.art

janwiench.com

norfolkfoodhall.com

iloveaddictss.com

pogozip.com

buyinstapva.com

teardirectionfreedom.xyz

0205168.com

apaixonadosporpugs.online

jawscoinc.com

crafter.quest

wikipedianow.com

radiopuls.net

kendama-co.com

goodstudycanada.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 3 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1448
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\tmp\55294d13ba1d75f9daa7e87c0025c3efc6092ea3de41d3807ab5f50b87df9e89.xls
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1192
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Public\vbc.exe"
        3⤵
          PID:112
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1072
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1108
        • C:\Users\Public\vbc.exe
          "C:\Users\Public\vbc.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1948

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Execution

    Scripting

    1
    T1064

    Exploitation for Client Execution

    1
    T1203

    Defense Evasion

    Scripting

    1
    T1064

    Modify Registry

    1
    T1112

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\vbc.exe
      MD5

      f8e05f051c4151136ab7da1002e4c915

      SHA1

      23bd18eee8c7cdc3fe21ecb778af9a89e855b71e

      SHA256

      10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74

      SHA512

      427a04103a5fbede6f2ebe2e5e82a5fc4790b5108ac9bb165f96cc04871d655ca12a92d2bbaea13491a56e76122aa0412595613560e392fa1a7365c81e829463

    • C:\Users\Public\vbc.exe
      MD5

      f8e05f051c4151136ab7da1002e4c915

      SHA1

      23bd18eee8c7cdc3fe21ecb778af9a89e855b71e

      SHA256

      10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74

      SHA512

      427a04103a5fbede6f2ebe2e5e82a5fc4790b5108ac9bb165f96cc04871d655ca12a92d2bbaea13491a56e76122aa0412595613560e392fa1a7365c81e829463

    • C:\Users\Public\vbc.exe
      MD5

      f8e05f051c4151136ab7da1002e4c915

      SHA1

      23bd18eee8c7cdc3fe21ecb778af9a89e855b71e

      SHA256

      10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74

      SHA512

      427a04103a5fbede6f2ebe2e5e82a5fc4790b5108ac9bb165f96cc04871d655ca12a92d2bbaea13491a56e76122aa0412595613560e392fa1a7365c81e829463

    • \Users\Public\vbc.exe
      MD5

      f8e05f051c4151136ab7da1002e4c915

      SHA1

      23bd18eee8c7cdc3fe21ecb778af9a89e855b71e

      SHA256

      10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74

      SHA512

      427a04103a5fbede6f2ebe2e5e82a5fc4790b5108ac9bb165f96cc04871d655ca12a92d2bbaea13491a56e76122aa0412595613560e392fa1a7365c81e829463

    • \Users\Public\vbc.exe
      MD5

      f8e05f051c4151136ab7da1002e4c915

      SHA1

      23bd18eee8c7cdc3fe21ecb778af9a89e855b71e

      SHA256

      10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74

      SHA512

      427a04103a5fbede6f2ebe2e5e82a5fc4790b5108ac9bb165f96cc04871d655ca12a92d2bbaea13491a56e76122aa0412595613560e392fa1a7365c81e829463

    • \Users\Public\vbc.exe
      MD5

      f8e05f051c4151136ab7da1002e4c915

      SHA1

      23bd18eee8c7cdc3fe21ecb778af9a89e855b71e

      SHA256

      10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74

      SHA512

      427a04103a5fbede6f2ebe2e5e82a5fc4790b5108ac9bb165f96cc04871d655ca12a92d2bbaea13491a56e76122aa0412595613560e392fa1a7365c81e829463

    • \Users\Public\vbc.exe
      MD5

      f8e05f051c4151136ab7da1002e4c915

      SHA1

      23bd18eee8c7cdc3fe21ecb778af9a89e855b71e

      SHA256

      10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74

      SHA512

      427a04103a5fbede6f2ebe2e5e82a5fc4790b5108ac9bb165f96cc04871d655ca12a92d2bbaea13491a56e76122aa0412595613560e392fa1a7365c81e829463

    • \Users\Public\vbc.exe
      MD5

      f8e05f051c4151136ab7da1002e4c915

      SHA1

      23bd18eee8c7cdc3fe21ecb778af9a89e855b71e

      SHA256

      10d7529f4fbf887796b8d6110dcf18bc77f9225a8be593235be080caf10b7d74

      SHA512

      427a04103a5fbede6f2ebe2e5e82a5fc4790b5108ac9bb165f96cc04871d655ca12a92d2bbaea13491a56e76122aa0412595613560e392fa1a7365c81e829463

    • memory/112-82-0x0000000000000000-mapping.dmp
    • memory/1072-58-0x0000000075831000-0x0000000075833000-memory.dmp
      Filesize

      8KB

    • memory/1108-63-0x0000000000000000-mapping.dmp
    • memory/1108-66-0x0000000000B00000-0x0000000000B9A000-memory.dmp
      Filesize

      616KB

    • memory/1108-67-0x0000000000B00000-0x0000000000B9A000-memory.dmp
      Filesize

      616KB

    • memory/1108-68-0x0000000004A40000-0x0000000004A41000-memory.dmp
      Filesize

      4KB

    • memory/1108-69-0x0000000000310000-0x0000000000320000-memory.dmp
      Filesize

      64KB

    • memory/1108-70-0x0000000004DB0000-0x0000000004E10000-memory.dmp
      Filesize

      384KB

    • memory/1192-57-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/1192-87-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/1192-55-0x000000002F781000-0x000000002F784000-memory.dmp
      Filesize

      12KB

    • memory/1192-56-0x00000000713C1000-0x00000000713C3000-memory.dmp
      Filesize

      8KB

    • memory/1448-80-0x00000000073B0000-0x0000000007541000-memory.dmp
      Filesize

      1.6MB

    • memory/1448-88-0x00000000090B0000-0x0000000009237000-memory.dmp
      Filesize

      1.5MB

    • memory/1948-73-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

    • memory/1948-74-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

    • memory/1948-75-0x000000000041D400-mapping.dmp
    • memory/1948-79-0x0000000000150000-0x0000000000161000-memory.dmp
      Filesize

      68KB

    • memory/1948-78-0x0000000000BA0000-0x0000000000EA3000-memory.dmp
      Filesize

      3.0MB

    • memory/1948-72-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

    • memory/1972-81-0x0000000000000000-mapping.dmp
    • memory/1972-85-0x0000000001F30000-0x0000000002233000-memory.dmp
      Filesize

      3.0MB

    • memory/1972-86-0x00000000022D0000-0x0000000002360000-memory.dmp
      Filesize

      576KB

    • memory/1972-84-0x0000000000070000-0x0000000000099000-memory.dmp
      Filesize

      164KB

    • memory/1972-83-0x00000000007E0000-0x0000000000806000-memory.dmp
      Filesize

      152KB