Analysis
-
max time kernel
157s -
max time network
166s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
31-01-2022 04:00
General
-
Target
Lod4.xlsx
-
Size
186KB
-
MD5
56ef6b1e6fd2fc1dc0f874684946e22d
-
SHA1
933a7a76510252a38d95f66b5da8027c8e670e0d
-
SHA256
ee125af12f2e57274d9319559690ab1c9403ddacc9bb337e7109c189ecf64a91
-
SHA512
269c136ceb741510781a3cf0e08aea1004a84631712bdc890195c4f4d11cb2238c3e3338e659081aae2dc9ef43f0679e934734132467c6fef67c6ddea8383f28
Malware Config
Extracted
xloader
2.5
ndf8
cantobait.com
theangularteam.com
qq2222.xyz
floridasteamclean.com
daffodilhilldesigns.com
mindfulagilecoaching.com
xbyll.com
jessicaepedro2021.net
ccssv.top
zenginbilgiler.com
partumball.com
1681890.com
schippermediaproductions.com
m2volleyballclub.com
ooiase.com
sharingtechnology.net
kiminplaka.com
usedgeartrader.com
cosyba.com
foodfriendshipandyou.com
Signatures
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
-
Xloader Payload 2 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 4 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 12 IoCs
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 12 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Lod4.xlsx2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\autofmt.exe"C:\Windows\SysWOW64\autofmt.exe"2⤵
-
C:\Windows\SysWOW64\cmstp.exe"C:\Windows\SysWOW64\cmstp.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Public\vbc.exe"3⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\vbc.exeMD5
fe1b3c933234d3a68d7b0722a177ba07
SHA17a2c6caf667483e57b9c183935e83c435ff5efd4
SHA25689a5384b284e44d23891f6b22590f0194c4ac0b2b6507bb51fa678ede6d6069a
SHA5126c348997afe6d4a559a49a93eb7e9d1d27c6b81d48ada5113f6a59ad6f7df69bb69cdc6a65e9e2a86e26b640efb39d73582a92dc43c414e06b341be7e680e22d
-
C:\Users\Public\vbc.exeMD5
fe1b3c933234d3a68d7b0722a177ba07
SHA17a2c6caf667483e57b9c183935e83c435ff5efd4
SHA25689a5384b284e44d23891f6b22590f0194c4ac0b2b6507bb51fa678ede6d6069a
SHA5126c348997afe6d4a559a49a93eb7e9d1d27c6b81d48ada5113f6a59ad6f7df69bb69cdc6a65e9e2a86e26b640efb39d73582a92dc43c414e06b341be7e680e22d
-
C:\Users\Public\vbc.exeMD5
fe1b3c933234d3a68d7b0722a177ba07
SHA17a2c6caf667483e57b9c183935e83c435ff5efd4
SHA25689a5384b284e44d23891f6b22590f0194c4ac0b2b6507bb51fa678ede6d6069a
SHA5126c348997afe6d4a559a49a93eb7e9d1d27c6b81d48ada5113f6a59ad6f7df69bb69cdc6a65e9e2a86e26b640efb39d73582a92dc43c414e06b341be7e680e22d
-
\Users\Admin\AppData\Local\Temp\nsd4B83.tmp\pmtkix.dllMD5
ce596d4e7b4b245db309b1b623224007
SHA143be7a62ec59a3840e068804b586a8a4e120eb45
SHA256c8ea1dec9c0638bc133a1958552a697d6f420ccf7bde149722a01fe718926c37
SHA512723625756169a56c43ddf465ad4f064684997b8a2f771979b697c717e998522553109159090d34c26ac7b202ac53128e2a177b7a55f471803e9f0cb6370e6534
-
\Users\Public\vbc.exeMD5
fe1b3c933234d3a68d7b0722a177ba07
SHA17a2c6caf667483e57b9c183935e83c435ff5efd4
SHA25689a5384b284e44d23891f6b22590f0194c4ac0b2b6507bb51fa678ede6d6069a
SHA5126c348997afe6d4a559a49a93eb7e9d1d27c6b81d48ada5113f6a59ad6f7df69bb69cdc6a65e9e2a86e26b640efb39d73582a92dc43c414e06b341be7e680e22d
-
\Users\Public\vbc.exeMD5
fe1b3c933234d3a68d7b0722a177ba07
SHA17a2c6caf667483e57b9c183935e83c435ff5efd4
SHA25689a5384b284e44d23891f6b22590f0194c4ac0b2b6507bb51fa678ede6d6069a
SHA5126c348997afe6d4a559a49a93eb7e9d1d27c6b81d48ada5113f6a59ad6f7df69bb69cdc6a65e9e2a86e26b640efb39d73582a92dc43c414e06b341be7e680e22d
-
\Users\Public\vbc.exeMD5
fe1b3c933234d3a68d7b0722a177ba07
SHA17a2c6caf667483e57b9c183935e83c435ff5efd4
SHA25689a5384b284e44d23891f6b22590f0194c4ac0b2b6507bb51fa678ede6d6069a
SHA5126c348997afe6d4a559a49a93eb7e9d1d27c6b81d48ada5113f6a59ad6f7df69bb69cdc6a65e9e2a86e26b640efb39d73582a92dc43c414e06b341be7e680e22d
-
memory/984-67-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/984-70-0x0000000000850000-0x0000000000B53000-memory.dmpFilesize
3.0MB
-
memory/984-71-0x00000000002C0000-0x00000000002D1000-memory.dmpFilesize
68KB
-
memory/1360-74-0x00000000007E0000-0x00000000007F8000-memory.dmpFilesize
96KB
-
memory/1360-77-0x0000000001D90000-0x0000000001E20000-memory.dmpFilesize
576KB
-
memory/1360-76-0x0000000002060000-0x0000000002363000-memory.dmpFilesize
3.0MB
-
memory/1360-75-0x0000000000090000-0x00000000000B9000-memory.dmpFilesize
164KB
-
memory/1384-72-0x0000000006CE0000-0x0000000006E33000-memory.dmpFilesize
1.3MB
-
memory/1384-78-0x0000000006E40000-0x0000000006F41000-memory.dmpFilesize
1.0MB
-
memory/1384-81-0x000007FF56640000-0x000007FF5664A000-memory.dmpFilesize
40KB
-
memory/1384-80-0x000007FEF6BF0000-0x000007FEF6D33000-memory.dmpFilesize
1.3MB
-
memory/1632-58-0x0000000075801000-0x0000000075803000-memory.dmpFilesize
8KB
-
memory/1632-56-0x0000000071B71000-0x0000000071B73000-memory.dmpFilesize
8KB
-
memory/1632-55-0x000000002FBC1000-0x000000002FBC4000-memory.dmpFilesize
12KB
-
memory/1632-57-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1632-79-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB