Analysis

  • max time kernel
    152s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    25-01-2022 11:06

General

  • Target

    QUOTATION REQUEST - SUPPLY OF PRODUCTS - DTD JANUARY 2022PDF.xlsx

  • Size

    187KB

  • MD5

    60d3ade3f69380d4511b967cb46d8074

  • SHA1

    f59d67dba64addfb3a6c76c5d5ef8dceb89291eb

  • SHA256

    68169adeb038ace16ed5f3e0af92a7710f06badcb918db0c29f942df032ef439

  • SHA512

    6003e141180fefcb827e9b19a3f331142d401bf400dcdd4b2b18a56f6c4062a8f570d7687fed258a1d663f744a877a889b04e6fdb69652d280c2133f2191b31e

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pnug

Decoy


Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload 2 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1416
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\QUOTATION REQUEST - SUPPLY OF PRODUCTS - DTD JANUARY 2022PDF.xlsx"
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:832
    • C:\Windows\SysWOW64\NETSTAT.EXE
      "C:\Windows\SysWOW64\NETSTAT.EXE"
      2⤵
      • Suspicious use of SetThreadContext
      • Gathers network information
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:544
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Public\vbc.exe"
        3⤵
          PID:1752
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1388
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2004
        • C:\Users\Public\vbc.exe
          "C:\Users\Public\vbc.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1932

    Network

    MITRE ATT&CK Matrix (ATT&CK v6)

    • Execution
      • Scripting (1) T1064
      • Command-Line Interface (1) T1059
      • Exploitation for Client Execution (1) T1203
    • Defense Evasion
      • Scripting (1) T1064
      • Modify Registry (1) T1112
    • Discovery
      • Query Registry (1) T1012
      • System Information Discovery (2) T1082

    Downloads

    • C:\Users\Public\vbc.exe
      MD5

      e28fd2c13a6bc4dbc7b7836fcb1b224e

      SHA1

      0b68827fbf894303055c9565abdeb85c5fa08b4d

      SHA256

      d2c9827978276132cc38a69bb87dbf7ab682d04d194271f460f3bd14d76f9c2c

      SHA512

      1b407de96390a32a8a050265fc47e1289d16c89f08cac0eb116f7fd3ba6a8644c1b80cd4a50fd14a66dcfc9fedbda3ed2c54969f94272b3d7963c4e3f2f36022

    • \Users\Public\vbc.exe
      MD5

      e28fd2c13a6bc4dbc7b7836fcb1b224e

      SHA1

      0b68827fbf894303055c9565abdeb85c5fa08b4d

      SHA256

      d2c9827978276132cc38a69bb87dbf7ab682d04d194271f460f3bd14d76f9c2c

      SHA512

      1b407de96390a32a8a050265fc47e1289d16c89f08cac0eb116f7fd3ba6a8644c1b80cd4a50fd14a66dcfc9fedbda3ed2c54969f94272b3d7963c4e3f2f36022

    • memory/544-83-0x0000000000BC0000-0x0000000000C50000-memory.dmp
      Filesize

      576KB

    • memory/544-81-0x0000000002370000-0x0000000002673000-memory.dmp
      Filesize

      3.0MB

    • memory/544-80-0x0000000000080000-0x00000000000A9000-memory.dmp
      Filesize

      164KB

    • memory/544-79-0x0000000000F60000-0x0000000000F69000-memory.dmp
      Filesize

      36KB

    • memory/832-57-0x0000000075891000-0x0000000075893000-memory.dmp
      Filesize

      8KB

    • memory/832-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/832-55-0x0000000071681000-0x0000000071683000-memory.dmp
      Filesize

      8KB

    • memory/832-85-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/832-54-0x000000002F051000-0x000000002F054000-memory.dmp
      Filesize

      12KB

    • memory/1416-78-0x0000000007170000-0x00000000072DD000-memory.dmp
      Filesize

      1.4MB

    • memory/1416-84-0x0000000006990000-0x0000000006AF0000-memory.dmp
      Filesize

      1.4MB

    • memory/1416-87-0x000007FF0FD80000-0x000007FF0FD8A000-memory.dmp
      Filesize

      40KB

    • memory/1416-86-0x000007FEF67B0000-0x000007FEF68F3000-memory.dmp
      Filesize

      1.3MB

    • memory/1932-77-0x0000000000180000-0x0000000000191000-memory.dmp
      Filesize

      68KB

    • memory/1932-71-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

    • memory/1932-73-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

    • memory/1932-76-0x0000000000CD0000-0x0000000000FD3000-memory.dmp
      Filesize

      3.0MB

    • memory/1932-72-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

    • memory/2004-70-0x00000000056F0000-0x000000000579C000-memory.dmp
      Filesize

      688KB

    • memory/2004-69-0x0000000000560000-0x000000000056E000-memory.dmp
      Filesize

      56KB

    • memory/2004-68-0x000000007EF40000-0x000000007EF41000-memory.dmp
      Filesize

      4KB

    • memory/2004-67-0x0000000004B20000-0x0000000004B21000-memory.dmp
      Filesize

      4KB

    • memory/2004-65-0x0000000000BB0000-0x0000000000CC4000-memory.dmp
      Filesize

      1.1MB