Overview

overview

10

Static

static

Lod4.xlsx

windows7_x64

10

Lod4.xlsx

windows10_x64

1

Analysis

  • max time kernel
    157s
  • max time network
    175s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    31-01-2022 04:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Lod4.xlsx

  • Size

    186KB

  • MD5

    56ef6b1e6fd2fc1dc0f874684946e22d

  • SHA1

    933a7a76510252a38d95f66b5da8027c8e670e0d

  • SHA256

    ee125af12f2e57274d9319559690ab1c9403ddacc9bb337e7109c189ecf64a91

  • SHA512

    269c136ceb741510781a3cf0e08aea1004a84631712bdc890195c4f4d11cb2238c3e3338e659081aae2dc9ef43f0679e934734132467c6fef67c6ddea8383f28

Score
10/10
xloaderndf8loaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ndf8

Decoy

cantobait.com

theangularteam.com

qq2222.xyz

floridasteamclean.com

daffodilhilldesigns.com

mindfulagilecoaching.com

xbyll.com

jessicaepedro2021.net

ccssv.top

zenginbilgiler.com

partumball.com

1681890.com

schippermediaproductions.com

m2volleyballclub.com

ooiase.com

sharingtechnology.net

kiminplaka.com

usedgeartrader.com

cosyba.com

foodfriendshipandyou.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 12 IoCs
    installer
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1316
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Lod4.xlsx
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1312
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1236
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Public\vbc.exe"
        3⤵
          PID:1664
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1228
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1652
        • C:\Users\Public\vbc.exe
          "C:\Users\Public\vbc.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1660

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scripting

    1
    T1064

    Exploitation for Client Execution

    1
    T1203

    Persistence

    Privilege Escalation

    Defense Evasion

    Scripting

    1
    T1064

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    2
    T1082

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\vbc.exe
      MD5

      fe1b3c933234d3a68d7b0722a177ba07

      SHA1

      7a2c6caf667483e57b9c183935e83c435ff5efd4

      SHA256

      89a5384b284e44d23891f6b22590f0194c4ac0b2b6507bb51fa678ede6d6069a

      SHA512

      6c348997afe6d4a559a49a93eb7e9d1d27c6b81d48ada5113f6a59ad6f7df69bb69cdc6a65e9e2a86e26b640efb39d73582a92dc43c414e06b341be7e680e22d

      Download Submit
    • C:\Users\Public\vbc.exe
      MD5

      fe1b3c933234d3a68d7b0722a177ba07

      SHA1

      7a2c6caf667483e57b9c183935e83c435ff5efd4

      SHA256

      89a5384b284e44d23891f6b22590f0194c4ac0b2b6507bb51fa678ede6d6069a

      SHA512

      6c348997afe6d4a559a49a93eb7e9d1d27c6b81d48ada5113f6a59ad6f7df69bb69cdc6a65e9e2a86e26b640efb39d73582a92dc43c414e06b341be7e680e22d

      Download Submit
    • C:\Users\Public\vbc.exe
      MD5

      fe1b3c933234d3a68d7b0722a177ba07

      SHA1

      7a2c6caf667483e57b9c183935e83c435ff5efd4

      SHA256

      89a5384b284e44d23891f6b22590f0194c4ac0b2b6507bb51fa678ede6d6069a

      SHA512

      6c348997afe6d4a559a49a93eb7e9d1d27c6b81d48ada5113f6a59ad6f7df69bb69cdc6a65e9e2a86e26b640efb39d73582a92dc43c414e06b341be7e680e22d

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nst3507.tmp\pmtkix.dll
      MD5

      ce596d4e7b4b245db309b1b623224007

      SHA1

      43be7a62ec59a3840e068804b586a8a4e120eb45

      SHA256

      c8ea1dec9c0638bc133a1958552a697d6f420ccf7bde149722a01fe718926c37

      SHA512

      723625756169a56c43ddf465ad4f064684997b8a2f771979b697c717e998522553109159090d34c26ac7b202ac53128e2a177b7a55f471803e9f0cb6370e6534

      Download Submit
    • \Users\Public\vbc.exe
      MD5

      fe1b3c933234d3a68d7b0722a177ba07

      SHA1

      7a2c6caf667483e57b9c183935e83c435ff5efd4

      SHA256

      89a5384b284e44d23891f6b22590f0194c4ac0b2b6507bb51fa678ede6d6069a

      SHA512

      6c348997afe6d4a559a49a93eb7e9d1d27c6b81d48ada5113f6a59ad6f7df69bb69cdc6a65e9e2a86e26b640efb39d73582a92dc43c414e06b341be7e680e22d

      Download Submit
    • \Users\Public\vbc.exe
      MD5

      fe1b3c933234d3a68d7b0722a177ba07

      SHA1

      7a2c6caf667483e57b9c183935e83c435ff5efd4

      SHA256

      89a5384b284e44d23891f6b22590f0194c4ac0b2b6507bb51fa678ede6d6069a

      SHA512

      6c348997afe6d4a559a49a93eb7e9d1d27c6b81d48ada5113f6a59ad6f7df69bb69cdc6a65e9e2a86e26b640efb39d73582a92dc43c414e06b341be7e680e22d

      Download Submit
    • \Users\Public\vbc.exe
      MD5

      fe1b3c933234d3a68d7b0722a177ba07

      SHA1

      7a2c6caf667483e57b9c183935e83c435ff5efd4

      SHA256

      89a5384b284e44d23891f6b22590f0194c4ac0b2b6507bb51fa678ede6d6069a

      SHA512

      6c348997afe6d4a559a49a93eb7e9d1d27c6b81d48ada5113f6a59ad6f7df69bb69cdc6a65e9e2a86e26b640efb39d73582a92dc43c414e06b341be7e680e22d

      Download Submit
    • memory/1236-73-0x0000000000DE0000-0x0000000000E02000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1236-74-0x00000000000B0000-0x00000000000D9000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1236-76-0x0000000000A70000-0x0000000000B00000-memory.dmp
      Filesize

      576KB

      Download
    • memory/1236-75-0x0000000002210000-0x0000000002513000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1312-55-0x0000000071881000-0x0000000071883000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1312-54-0x000000002F351000-0x000000002F354000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1312-57-0x0000000076911000-0x0000000076913000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1312-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1312-78-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1316-72-0x0000000006810000-0x00000000068EA000-memory.dmp
      Filesize

      872KB

      Download
    • memory/1316-77-0x0000000007050000-0x0000000007151000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1660-70-0x0000000000770000-0x0000000000A73000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1660-71-0x00000000002D0000-0x00000000002E1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1660-67-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download