Analysis

  • max time kernel
    151s
  • max time network
    165s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    09-02-2022 10:21

General

  • Target

    PAYMENT_xlsx.exe

  • Size

    260KB

  • MD5

    903f090170c015ce8a923608be5f5529

  • SHA1

    ca5ab369fa9fa10367f8d2de5530986dd5add4a1

  • SHA256

    ae912e8263a9242ff6590f2c818cdc64c3a6f2f059576dc8d760a3af93db63fc

  • SHA512

    fb716c05053f9643ebdaff1e5a5a3d9b88cee77c1753a51618ab3c8f7897cd79384250edbe49cad6cf86579b83dd317ce2922674835ea3d484a0fb0f79f3bf6b

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

dtt3

Decoy

Xloader, like Formbook, sends its check-in to its live C2 alongside a handful of decoy domains taken from this list, so any of these hosts seen in traffic is an IOC for this configuration, but a hit on one of them does not by itself identify the real C2.

edilononlineshop.com

cursosd.com

viellacharteredland.com

increasey0urenergylevels.codes

yjy-hotel.com

claym.xyz

reelsguide.com

gives-cardano.com

ashrafannuar.com

mammalians.com

rocketleaguedads.com

yubierp.com

minimi36.com

chn-chn.com

jagojp888.com

parsian-shetab.com

273351.com

mdtouhid.com

babedads.com

vallinam2.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Xloader Payload 3 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs

    Together with the WriteProcessMemory and MapViewOfSection hits below, this is the process-hollowing sequence: a target process is created, the payload is written or mapped into it, and its primary thread's context is pointed at the payload before it is resumed. The process tree attributes it to PIDs 1404, 760 and 1628.
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The "likely ransomware" wording is the sandbox's generic description for this signature; nothing else in this report indicates ransomware, and the extracted configuration identifies the sample as Xloader, an information stealer.

  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1416
    • C:\Users\Admin\AppData\Local\Temp\PAYMENT_xlsx.exe
      "C:\Users\Admin\AppData\Local\Temp\PAYMENT_xlsx.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1404
      • C:\Users\Admin\AppData\Local\Temp\PAYMENT_xlsx.exe
        "C:\Users\Admin\AppData\Local\Temp\PAYMENT_xlsx.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:760
    • C:\Windows\SysWOW64\cmstp.exe
      "C:\Windows\SysWOW64\cmstp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\PAYMENT_xlsx.exe"
        3⤵
        • Deletes itself
        PID:1760

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

  • System Information Discovery (T1082): 1


Downloads

  • \Users\Admin\AppData\Local\Temp\nsyD8A.tmp\grjrgdnfat.dll
    MD5

    4f17fcc87799615ed77345f05d8c5520

    SHA1

    1f4a7f5b874c28afdb8efa185282e8276147d305

    SHA256

    42af13597bd2e5a22c31c9776403f45ddf4cded7a488fd7ae2463cfa31ba5783

    SHA512

    40f2cbac516a82bccc0a49379a361d885dc97a4cc2589c81c1b39d5d94f9857c22eddc2194c089e392b209d9cc9e177ed4f39637e09639d4a9c08e7569ae485b

  • memory/760-61-0x0000000000830000-0x0000000000B33000-memory.dmp
    Filesize

    3.0MB

  • memory/760-58-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

  • memory/760-60-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize

    164KB

  • memory/760-62-0x000000000041D000-0x000000000041E000-memory.dmp
    Filesize

    4KB

  • memory/760-63-0x00000000002C0000-0x00000000002D1000-memory.dmp
    Filesize

    68KB

  • memory/1404-57-0x00000000005E0000-0x00000000005E2000-memory.dmp
    Filesize

    8KB

  • memory/1404-55-0x0000000075F81000-0x0000000075F83000-memory.dmp
    Filesize

    8KB

  • memory/1416-64-0x00000000070B0000-0x00000000071AB000-memory.dmp
    Filesize

    1004KB

  • memory/1416-70-0x0000000008F80000-0x00000000090C7000-memory.dmp
    Filesize

    1.3MB

  • memory/1628-67-0x00000000000D0000-0x00000000000F9000-memory.dmp
    Filesize

    164KB

  • memory/1628-66-0x00000000009E0000-0x00000000009F8000-memory.dmp
    Filesize

    96KB

  • memory/1628-68-0x0000000001F90000-0x0000000002293000-memory.dmp
    Filesize

    3.0MB

  • memory/1628-69-0x0000000000810000-0x00000000008A0000-memory.dmp
    Filesize

    576KB
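The memory-dump list above carries more information than the file sizes suggest once the regions are compared across processes: the second PAYMENT_xlsx.exe instance (PID 760) and cmstp.exe (PID 1628) each hold a 164KB region and a 3.0MB region of identical size, and only PID 760 has its 164KB region at 0x400000, the default x86 image base. That is consistent with the same payload being written over the hollowed PAYMENT_xlsx.exe at its preferred base and later placed into cmstp.exe at an arbitrary address, which is what the "Xloader Payload 3 IoCs" signature reports. The following is an added example, not part of the sandbox report: a Python helper that parses the sandbox's `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` names as listed above and groups region sizes across PIDs; the dump names are copied from the report, and the 0x400000 image-base check assumes a 32-bit image.

```python
"""Group the sandbox's memory-dump regions by size across PIDs."""
import re
from collections import defaultdict

# Dump names exactly as listed in the Downloads section above.
DUMPS = [
    "memory/760-61-0x0000000000830000-0x0000000000B33000-memory.dmp",
    "memory/760-58-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/760-60-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/760-62-0x000000000041D000-0x000000000041E000-memory.dmp",
    "memory/760-63-0x00000000002C0000-0x00000000002D1000-memory.dmp",
    "memory/1404-57-0x00000000005E0000-0x00000000005E2000-memory.dmp",
    "memory/1404-55-0x0000000075F81000-0x0000000075F83000-memory.dmp",
    "memory/1416-64-0x00000000070B0000-0x00000000071AB000-memory.dmp",
    "memory/1416-70-0x0000000008F80000-0x00000000090C7000-memory.dmp",
    "memory/1628-67-0x00000000000D0000-0x00000000000F9000-memory.dmp",
    "memory/1628-66-0x00000000009E0000-0x00000000009F8000-memory.dmp",
    "memory/1628-68-0x0000000001F90000-0x0000000002293000-memory.dmp",
    "memory/1628-69-0x0000000000810000-0x00000000008A0000-memory.dmp",
]

# <pid>-<sequence>-<start>-<end>: the sandbox's dump naming scheme as seen above.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump(name):
    """Split a dump name into pid, sequence number, start/end address and size in bytes."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def human(size):
    """Render a byte count the way the report does (whole KB below 1MB, one decimal above)."""
    return f"{size // 1024}KB" if size < 1024 * 1024 else f"{size / (1024 * 1024):.1f}MB"


def shared_region_sizes(names):
    """Map region size -> sorted PIDs, keeping only sizes seen in two or more processes."""
    pids_by_size = defaultdict(set)
    for name in names:
        d = parse_dump(name)
        pids_by_size[d["size"]].add(d["pid"])
    return {size: sorted(pids) for size, pids in pids_by_size.items() if len(pids) > 1}


def at_image_base(names, base=0x400000):
    """PIDs holding a dumped region that starts at the default 32-bit image base (assumed)."""
    return sorted({parse_dump(n)["pid"] for n in names if parse_dump(n)["start"] == base})


if __name__ == "__main__":
    for size, pids in sorted(shared_region_sizes(DUMPS).items()):
        print(f"{human(size):>7} (0x{size:X}) present in PIDs {pids}")
    print("regions at 0x400000:", at_image_base(DUMPS))
```

Matching on size alone is a triage shortcut, not proof: the next step is to hash or diff the 164KB dumps from PIDs 760 and 1628 to confirm they hold the same unpacked image before using either as the payload sample.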