Analysis

  • max time kernel
    152s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    31-01-2022 04:25

General

  • Target

    W6902.xlsx

  • Size

    187KB

  • MD5

    69795e78fb23e13a62ebc183ef90b3ed

  • SHA1

    e16a17d9001daf722aab876d3dab010218af2a23

  • SHA256

    acc4be02b6d345725689351b0de0b19ea35f356a60df8cf92318fe9ff96e474f

  • SHA512

    77d20558c55569551b3e232a5b3f500ae5056fb13634a50bbadcda1ebdfefe6685d04479a6ae01e58c2a7ec3d0565c887a53d74000d7fe6b5c1404267fb4f651

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

b80i

Decoy

yixuan5.com

jiazheng369.com

danielleefelipe.net

micorgas.com

uvywah.com

nbjcgl.com

streets4suites.com

hempgotas.com

postmoon.xyz

gaboshoes.com

pastodwes.com

libes.asia

damusalama.com

youngliving1.com

mollyagee.com

branchwallet.com

seebuehnegoerlitz.com

inventors.community

teentykarm.quest

927291.com

Signatures

  • Xloader

    Xloader is a rebranded version of the Formbook information stealer. It keeps Formbook's injection chain and HTTP check-in format, which is why the Formbook network signature below still fires on it.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    Emerging Threats rule for the Formbook C2 check-in over HTTP GET. Because Xloader is a Formbook rebrand, the legacy Formbook signature continues to match its beacon, as seen in this run.

  • Xloader Payload 3 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs (name-based heuristic: the dropped C:\Users\Public\vbc.exe is an NSIS installer named after the VB compiler, not the real compiler; see the NSIS installer signature and the nst2EA1.tmp plugin DLL below)
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). This is the sandbox's generic description; the sample is classified above as Xloader, an information stealer rather than ransomware, so this signature on its own should not be read as ransomware behaviour.

  • NSIS installer 12 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor (EQNEDT32.EXE) is a legacy Office component started out-of-process by the COM runtime (hence the -Embedding switch in the process tree) and is the target of exploits such as CVE-2017-11882. It has no legitimate reason to spawn child processes, so the vbc.exe child seen below is the key indicator.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\W6902.xlsx
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:952
    • C:\Windows\SysWOW64\chkdsk.exe
      "C:\Windows\SysWOW64\chkdsk.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:924
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Public\vbc.exe"
        3⤵
          PID:1192
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1624
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1140
        • C:\Users\Public\vbc.exe
          "C:\Users\Public\vbc.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:988
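The process tree above is the textbook Xloader/Formbook chain: Equation Editor, started out-of-process (the -Embedding switch), drops and runs vbc.exe from C:\Users\Public; vbc.exe re-launches itself (the SetThreadContext/WriteProcessMemory hits); Explorer then spawns a clean system binary, chkdsk.exe, whose cmd.exe child deletes the dropper. The following is an added example, not part of the Triage report, that encodes those four relationships as checks over Sysmon-style process-creation records. The records are constructed from the tree above (PIDs, images and command lines as listed; the parent of EQNEDT32.EXE is not shown in the report, so it is left unset), and the rule names are my own, not Triage signature names.

```python
"""Added example: detect the Xloader/Formbook execution chain seen in this
report from process-creation records (Sysmon Event ID 1 style fields).
The events below are constructed from the report's process tree, not a log
capture; rule names are the author's own, not Triage signature names."""
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]  # None where the report does not show a parent
    image: str
    cmdline: str


# Constructed from the report's process tree (PIDs, images, command lines as listed).
EVENTS = [
    ProcEvent(1200, None, "C:\\Windows\\Explorer.EXE", "C:\\Windows\\Explorer.EXE"),
    ProcEvent(952, 1200, "C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE",
              '"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE" /dde '
              'C:\\Users\\Admin\\AppData\\Local\\Temp\\W6902.xlsx'),
    # EQNEDT32.EXE is started by the COM runtime (-Embedding); the report shows no parent.
    ProcEvent(1624, None,
              "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE",
              '"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" -Embedding'),
    ProcEvent(1140, 1624, "C:\\Users\\Public\\vbc.exe", '"C:\\Users\\Public\\vbc.exe"'),
    ProcEvent(988, 1140, "C:\\Users\\Public\\vbc.exe", '"C:\\Users\\Public\\vbc.exe"'),
    ProcEvent(924, 1200, "C:\\Windows\\SysWOW64\\chkdsk.exe", '"C:\\Windows\\SysWOW64\\chkdsk.exe"'),
    ProcEvent(1192, 924, "C:\\Windows\\SysWOW64\\cmd.exe", '/c del "C:\\Users\\Public\\vbc.exe"'),
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
Finding = Tuple[str, int, str]  # (rule, pid, detail)


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def in_system_dir(image: str) -> bool:
    return image.lower().startswith(SYSTEM_DIRS)


def user_writable(path: str) -> bool:
    # Drop locations a standard user can write to; C:\Users\Public is world-readable too.
    return path.lower().startswith(("c:\\users\\", "c:\\programdata\\"))


def detect_chain(events: List[ProcEvent]) -> List[Finding]:
    """Return (rule, pid, detail) for every event matching one of the four chain checks."""
    by_pid = {e.pid: e for e in events}
    findings: List[Finding] = []
    for e in events:
        parent = by_pid.get(e.ppid) if e.ppid is not None else None
        if parent is None:
            continue
        # 1. Equation Editor never legitimately spawns anything: a child process is the
        #    classic post-exploitation step after CVE-2017-11882-style abuse.
        if basename(parent.image) == "eqnedt32.exe":
            findings.append(("eqnedt32_child", e.pid, e.image))
        # 2. Binary executed from a user-writable drop folder.
        if user_writable(e.image):
            findings.append(("exec_from_user_dir", e.pid, e.image))
        # 3. A non-system binary re-launching its own image, as vbc.exe does here alongside
        #    the SetThreadContext/WriteProcessMemory (hollowing) activity the report lists.
        if basename(e.image) == basename(parent.image) and not in_system_dir(e.image):
            findings.append(("self_relaunch", e.pid, e.image))
        # 4. Explorer -> system binary -> cmd.exe deleting a file under C:\Users:
        #    the migrate-then-remove-dropper step of the Formbook/Xloader chain.
        if basename(e.image) == "cmd.exe" and "del " in e.cmdline.lower():
            gp = by_pid.get(parent.ppid) if parent.ppid is not None else None
            if (in_system_dir(parent.image) and gp is not None
                    and basename(gp.image) == "explorer.exe"
                    and "c:\\users\\" in e.cmdline.lower()):
                findings.append(("explorer_sysbin_cmd_del", e.pid, parent.image))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect_chain(EVENTS):
        print(f"{rule:<24} pid={pid:<5} {detail}")
```

Run against the constructed events this yields five findings: the EQNEDT32 child and the user-directory execution for PID 1140, the user-directory execution and self-relaunch for PID 988, and the Explorer/chkdsk.exe/cmd.exe deletion for PID 1192. Rule 1 alone is worth alerting on in production; rules 3 and 4 are what distinguish this family's chain from a generic dropper.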

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Execution
      • Scripting (T1064): 1
      • Exploitation for Client Execution (T1203): 1

    Defense Evasion
      • Scripting (T1064): 1
      • Modify Registry (T1112): 1

    Discovery
      • System Information Discovery (T1082): 2
      • Query Registry (T1012): 1


    Downloads

    • C:\Users\Public\vbc.exe (the same file is recorded three times in this run; one entry shown)
      MD5

      0e738f5922ef1bed63478ca5ccbe4ab5

      SHA1

      3518eb79082655a27598a1025d581ffdba11fb6c

      SHA256

      fc35540b602ba860b10c2b43261657a7e2b9fc1d3aa8104272f2255a664fabd7

      SHA512

      1d5038223c9e5b426ed4f8cafeefa4ec919588f6819fd3b82773c97efdf6848f45c0b05e94ee16eb27f7df23b0f4e760b05e002f54d2c591956daf06cc3b58e5

    • \Users\Admin\AppData\Local\Temp\nst2EA1.tmp\vjajvyqaen.dll
      MD5

      7529eb937b2b5aed57e2080060610f15

      SHA1

      491873f93d62e1105d65c5c045d5d64053cc248d

      SHA256

      1fd1c12a1ee7c824471fba69a0d9e5aaf62003605a3569567a302b3df714f85a

      SHA512

      998c2aa8bb2374e121a82d5be63063d8fea379b77c9b2aa0142bedc04504ae6187563ef05602696fdc8cf2fdc9fee7c4468b5a9fe80b029ccf47d8688cefdd92

    • \Users\Public\vbc.exe (the same file is recorded three times in this run; one entry shown)
      MD5

      0e738f5922ef1bed63478ca5ccbe4ab5

      SHA1

      3518eb79082655a27598a1025d581ffdba11fb6c

      SHA256

      fc35540b602ba860b10c2b43261657a7e2b9fc1d3aa8104272f2255a664fabd7

      SHA512

      1d5038223c9e5b426ed4f8cafeefa4ec919588f6819fd3b82773c97efdf6848f45c0b05e94ee16eb27f7df23b0f4e760b05e002f54d2c591956daf06cc3b58e5

    • memory/924-75-0x0000000000060000-0x0000000000067000-memory.dmp
      Filesize

      28KB

    • memory/924-78-0x0000000001D90000-0x0000000001E20000-memory.dmp
      Filesize

      576KB

    • memory/924-77-0x0000000001EB0000-0x00000000021B3000-memory.dmp
      Filesize

      3.0MB

    • memory/924-76-0x0000000000090000-0x00000000000B9000-memory.dmp
      Filesize

      164KB

    • memory/952-54-0x000000002F121000-0x000000002F124000-memory.dmp
      Filesize

      12KB

    • memory/952-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/952-80-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/952-55-0x00000000710B1000-0x00000000710B3000-memory.dmp
      Filesize

      8KB

    • memory/952-57-0x0000000076041000-0x0000000076043000-memory.dmp
      Filesize

      8KB

    • memory/988-69-0x00000000005E0000-0x00000000009E3000-memory.dmp
      Filesize

      4.0MB

    • memory/988-73-0x0000000000320000-0x0000000000331000-memory.dmp
      Filesize

      68KB

    • memory/988-72-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

    • memory/988-71-0x00000000002E0000-0x00000000002F1000-memory.dmp
      Filesize

      68KB

    • memory/988-66-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

    • memory/1200-74-0x0000000004A20000-0x0000000004AE5000-memory.dmp
      Filesize

      788KB

    • memory/1200-70-0x0000000006470000-0x0000000006544000-memory.dmp
      Filesize

      848KB

    • memory/1200-79-0x0000000002B30000-0x0000000002BC4000-memory.dmp
      Filesize

      592KB
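Two things are worth pulling out of the dump list above. First, PID 988 (the second vbc.exe) has a 164KB region at 0x400000, the default image base of a 32-bit executable, and PID 924 (chkdsk.exe) has a region of exactly the same size at 0x90000. Identical region sizes in two unrelated processes are the usual fingerprint of one unpacked payload written into both, so dumps 988-66/988-72 and 924-76 are the ones to open first when looking for the decrypted Xloader. Second, the order of the dump indices (952, then 988, then 1200, then 924) lines up with the chain Excel, vbc.exe, Explorer, chkdsk.exe. The following is an added example, not part of the report, that derives both observations from the dump names; the names are copied from the list above, and treating the middle number as the sandbox's capture order is an assumption.

```python
"""Added example: correlate the memory dumps this report lists across
processes to locate the injected payload. Dump names are copied from the
report's Downloads section; reading the middle number as the sandbox's
capture order is an assumption."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

# Dump names as listed in the report.
DUMPS = [
    "memory/924-75-0x0000000000060000-0x0000000000067000-memory.dmp",
    "memory/924-78-0x0000000001D90000-0x0000000001E20000-memory.dmp",
    "memory/924-77-0x0000000001EB0000-0x00000000021B3000-memory.dmp",
    "memory/924-76-0x0000000000090000-0x00000000000B9000-memory.dmp",
    "memory/952-54-0x000000002F121000-0x000000002F124000-memory.dmp",
    "memory/952-56-0x000000005FFF0000-0x0000000060000000-memory.dmp",
    "memory/952-80-0x000000005FFF0000-0x0000000060000000-memory.dmp",
    "memory/952-55-0x00000000710B1000-0x00000000710B3000-memory.dmp",
    "memory/952-57-0x0000000076041000-0x0000000076043000-memory.dmp",
    "memory/988-69-0x00000000005E0000-0x00000000009E3000-memory.dmp",
    "memory/988-73-0x0000000000320000-0x0000000000331000-memory.dmp",
    "memory/988-72-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/988-71-0x00000000002E0000-0x00000000002F1000-memory.dmp",
    "memory/988-66-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/1200-74-0x0000000004A20000-0x0000000004AE5000-memory.dmp",
    "memory/1200-70-0x0000000006470000-0x0000000006544000-memory.dmp",
    "memory/1200-79-0x0000000002B30000-0x0000000002BC4000-memory.dmp",
]

Region = Tuple[int, int, int]  # (pid, start, end)


def parse_dump(name: str) -> Dict[str, int]:
    """Split a Triage dump name into pid, sequence index, start, end and size."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"not a Triage dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range: {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def shared_sizes(names: List[str]) -> Dict[int, List[Region]]:
    """Region sizes that occur in more than one PID. The same unpacked payload
    written into several processes shows up as identical-size regions, so
    these are the first dumps to inspect; duplicate dumps of one region collapse."""
    by_size: Dict[int, Set[Region]] = defaultdict(set)
    for n in names:
        d = parse_dump(n)
        by_size[d["size"]].add((d["pid"], d["start"], d["end"]))
    return {s: sorted(r) for s, r in by_size.items() if len({pid for pid, _, _ in r}) > 1}


def first_seen(names: List[str]) -> List[int]:
    """PIDs ordered by the index of their earliest dump (assumed capture order)."""
    earliest: Dict[int, int] = {}
    for n in names:
        d = parse_dump(n)
        earliest[d["pid"]] = min(earliest.get(d["pid"], d["seq"]), d["seq"])
    return sorted(earliest, key=earliest.get)


if __name__ == "__main__":
    for size, regions in shared_sizes(DUMPS).items():
        print(f"{size // 1024}KB region present in {len(regions)} processes:")
        for pid, start, end in regions:
            print(f"  pid {pid}: 0x{start:08X}-0x{end:08X}")
    print("first dump per PID:", first_seen(DUMPS))
```

On this report the only size shared across processes is 0x29000 (164KB), at 0x400000 in PID 988 and 0x90000 in PID 924, and the first-seen order is 952, 988, 1200, 924. The 3.0MB and 4.0MB regions and the three Explorer regions are unique to their process and are not treated as payload candidates by this check.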