Overview

overview

10

Static

static

1

MV LILY SEA_xlsx.exe

windows7_x64

10

MV LILY SEA_xlsx.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    158s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    22-02-2022 09:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MV LILY SEA_xlsx.exe

  • Size

    294KB

  • MD5

    6ec38c4638933adf4e6431c599572869

  • SHA1

    7daceef37fd49f19393b9cc0c03b5bd0625b6eb4

  • SHA256

    4693178ae42f25930859574bbaa0b9eb93a011b9233c43639c53689ecd47a15c

  • SHA512

    08836096c927d30c9dc4207bbdb0468234f4c2e44eeb873ba755d8976ea578d041c708d97a97cff85cbf8ac27841cba9c1683b54b67e2da029ade8cb8e5d3257

Score
10/10
formbookxloaderdtt3loaderpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

dtt3

Decoy

edilononlineshop.com

cursosd.com

viellacharteredland.com

increasey0urenergylevels.codes

yjy-hotel.com

claym.xyz

reelsguide.com

gives-cardano.com

ashrafannuar.com

mammalians.com

rocketleaguedads.com

yubierp.com

minimi36.com

chn-chn.com

jagojp888.com

parsian-shetab.com

273351.com

mdtouhid.com

babedads.com

vallinam2.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 3 IoCs
    rat
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 49 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Users\Admin\AppData\Local\Temp\MV LILY SEA_xlsx.exe
      "C:\Users\Admin\AppData\Local\Temp\MV LILY SEA_xlsx.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3684
      • C:\Users\Admin\AppData\Local\Temp\dtppertj.exe
        C:\Users\Admin\AppData\Local\Temp\dtppertj.exe C:\Users\Admin\AppData\Local\Temp\gjajpuko
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1532
        • C:\Users\Admin\AppData\Local\Temp\dtppertj.exe
          C:\Users\Admin\AppData\Local\Temp\dtppertj.exe C:\Users\Admin\AppData\Local\Temp\gjajpuko
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:3688
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
        PID:3828
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\SysWOW64\cmd.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Drops file in Program Files directory
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3968
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\dtppertj.exe"
          3⤵
            PID:1436
          • C:\Windows\SysWOW64\cmd.exe
            /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
            3⤵
              PID:3516
          • C:\Program Files (x86)\Hmbah\crlpslite.exe
            "C:\Program Files (x86)\Hmbah\crlpslite.exe"
            2⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1924
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 604
              3⤵
              • Program crash
              • Suspicious use of AdjustPrivilegeToken
              PID:2244
        • C:\Windows\system32\MusNotifyIcon.exe
          %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
          1⤵
          • Checks processor information in registry
          PID:2000
        • C:\Windows\System32\svchost.exe
          C:\Windows\System32\svchost.exe -k NetworkService -p
          1⤵
          • Drops file in Windows directory
          • Modifies data under HKEY_USERS
          PID:3444
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 1924 -ip 1924
          1⤵
          • Suspicious use of NtCreateProcessExOtherParentProcess
          • Suspicious use of WriteProcessMemory
          PID:3716

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Credentials in Files

        1
        T1081

        Discovery

        System Information Discovery

        2
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Hmbah\crlpslite.exe
          MD5

          5d708187202ff76979fa629b1699ea90

          SHA1

          115946ec185770a7ef6f2fd5c166a226ba43e938

          SHA256

          0055ed75bb58cdb1de19124bb69084da9e29ec5a1578390e85f73170fac44a27

          SHA512

          5a5b4641063ee4e0fbe32b1ed1f52166796f0fc31ee41b1c30e69f1cf0d3b5300033adc7dedea51c5fa24ba302fac51d5344c93316873295171139473782d39b

          Download Submit
        • C:\Program Files (x86)\Hmbah\crlpslite.exe
          MD5

          5d708187202ff76979fa629b1699ea90

          SHA1

          115946ec185770a7ef6f2fd5c166a226ba43e938

          SHA256

          0055ed75bb58cdb1de19124bb69084da9e29ec5a1578390e85f73170fac44a27

          SHA512

          5a5b4641063ee4e0fbe32b1ed1f52166796f0fc31ee41b1c30e69f1cf0d3b5300033adc7dedea51c5fa24ba302fac51d5344c93316873295171139473782d39b

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\DB1
          MD5

          b608d407fc15adea97c26936bc6f03f6

          SHA1

          953e7420801c76393902c0d6bb56148947e41571

          SHA256

          b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

          SHA512

          cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\dtppertj.exe
          MD5

          5d708187202ff76979fa629b1699ea90

          SHA1

          115946ec185770a7ef6f2fd5c166a226ba43e938

          SHA256

          0055ed75bb58cdb1de19124bb69084da9e29ec5a1578390e85f73170fac44a27

          SHA512

          5a5b4641063ee4e0fbe32b1ed1f52166796f0fc31ee41b1c30e69f1cf0d3b5300033adc7dedea51c5fa24ba302fac51d5344c93316873295171139473782d39b

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\dtppertj.exe
          MD5

          5d708187202ff76979fa629b1699ea90

          SHA1

          115946ec185770a7ef6f2fd5c166a226ba43e938

          SHA256

          0055ed75bb58cdb1de19124bb69084da9e29ec5a1578390e85f73170fac44a27

          SHA512

          5a5b4641063ee4e0fbe32b1ed1f52166796f0fc31ee41b1c30e69f1cf0d3b5300033adc7dedea51c5fa24ba302fac51d5344c93316873295171139473782d39b

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\dtppertj.exe
          MD5

          5d708187202ff76979fa629b1699ea90

          SHA1

          115946ec185770a7ef6f2fd5c166a226ba43e938

          SHA256

          0055ed75bb58cdb1de19124bb69084da9e29ec5a1578390e85f73170fac44a27

          SHA512

          5a5b4641063ee4e0fbe32b1ed1f52166796f0fc31ee41b1c30e69f1cf0d3b5300033adc7dedea51c5fa24ba302fac51d5344c93316873295171139473782d39b

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\gjajpuko
          MD5

          ae3d43c640983d2fc0eb4146c712832d

          SHA1

          5ea8807d63c462a9aaa56d75e83a92415424789c

          SHA256

          f95f89002e8a5c0a365c34e8bc5d44999cf395b8a5a148c28a4a3ddea147d77a

          SHA512

          668501d2ee8382fee0039c6056d251bfd3a7ec23b8689a8dd98ea7a21cfec354e0131ddc9a8ca1b70819672c50e24d721dcebee0437064b42d58a9c55d9a81bb

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\jx3ysnwt15tyrf7a
          MD5

          7ab27baca052a3c9073b91a47837b5f4

          SHA1

          9a65e1d87ae66b250bb7a996a1e2417c766cb5e0

          SHA256

          bebdbe0b879c05c334e50f0450a2b4442194871fe4472e618fd9b6d8937107d2

          SHA512

          06b30e6fb1fa9c91c6631405d7c33ac4a94e3dbedde78d630ebe1a516847c187655abdd9a9b9d036d9358f94a8c6ac3831761d099f106213f154be1fbeada889

          Download Submit
        • memory/2448-144-0x0000000007B40000-0x0000000007CB7000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/2448-149-0x0000000007CC0000-0x0000000007E2B000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/3688-142-0x000000000041D000-0x000000000041E000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3688-143-0x0000000001BE0000-0x0000000001BF1000-memory.dmp
          Filesize

          68KB

          Download
        • memory/3688-141-0x00000000016A0000-0x00000000019EA000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/3688-140-0x0000000000400000-0x0000000000429000-memory.dmp
          Filesize

          164KB

          Download
        • memory/3688-137-0x0000000000400000-0x0000000000429000-memory.dmp
          Filesize

          164KB

          Download
        • memory/3968-145-0x0000000000900000-0x000000000095A000-memory.dmp
          Filesize

          360KB

          Download
        • memory/3968-146-0x0000000000810000-0x0000000000839000-memory.dmp
          Filesize

          164KB

          Download
        • memory/3968-147-0x0000000003590000-0x00000000038DA000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/3968-148-0x0000000003230000-0x00000000032C0000-memory.dmp
          Filesize

          576KB

          Download