Overview

overview

10

Static

static

INQUIRY_34...4.xlsx

windows7_x64

10

INQUIRY_34...4.xlsx

windows10-2004_x64

1

Analysis

  • max time kernel
    4294211s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    02-03-2022 17:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    INQUIRY_34873773844.xlsx

  • Size

    185KB

  • MD5

    f9533cc48bd2177b91822d72fe7bc42e

  • SHA1

    f5ed45224313f6f2bc97bbf7620b70f7ecfe048a

  • SHA256

    70c5d2c3fad16c3330325710efd43277570d26a84065c26a6fc7d9a248995e5d

  • SHA512

    8a84f3762f72dacd355f07cd89100ad30f0d215ebadda15a2d51c44040299fd5621ea59ad6c21ce9863089d4b9002b33f084aa7e26ce70c7b80b09b14e36addf

Score
10/10
xloaderahc8loaderrat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ahc8

Decoy

192451.com

wwwripostes.net

sirikhalsalaw.com

bitterbaybay.com

stella-scrubs.com

almanecermezcal.com

goodgood.online

translate-now.online

sincerefilm.com

quadrantforensics.com

johnfrenchart.com

plick-click.com

alnileen.com

tghi.xyz

172711.com

maymakita.com

punnyaseva.com

ukash-online.com

sho-yururi-blog.com

hebergement-solidaire.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • Xloader Payload 2 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\INQUIRY_34873773844.xlsx
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:744
    • C:\Windows\SysWOW64\help.exe
      "C:\Windows\SysWOW64\help.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1216
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Public\vbc.exe"
        3⤵
          PID:1392
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1956
        • C:\Users\Public\vbc.exe
          "C:\Users\Public\vbc.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1600

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scripting

    1
    T1064

    Exploitation for Client Execution

    1
    T1203

    Persistence

    Privilege Escalation

    Defense Evasion

    Scripting

    1
    T1064

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\vbc.exe
      MD5

      7b5ad934e29d8d11c1ffed18a96cedd3

      SHA1

      68a2dc6dc49b56f25a662b5b24367fa1f4949a32

      SHA256

      757cd8cf8e9d17c61a1f5308d75ff5eae936d15f25fac859f8731b0e7030d4ad

      SHA512

      9d2d67536d3915c992b36cc5585cce52737d9309000ceee38a2a5cb6413922a9422e2d32adb65b97279f2ca2bed6e1ce04eeb738ab9c7eaf43506f58311d46dd

      Download Submit
    • C:\Users\Public\vbc.exe
      MD5

      7b5ad934e29d8d11c1ffed18a96cedd3

      SHA1

      68a2dc6dc49b56f25a662b5b24367fa1f4949a32

      SHA256

      757cd8cf8e9d17c61a1f5308d75ff5eae936d15f25fac859f8731b0e7030d4ad

      SHA512

      9d2d67536d3915c992b36cc5585cce52737d9309000ceee38a2a5cb6413922a9422e2d32adb65b97279f2ca2bed6e1ce04eeb738ab9c7eaf43506f58311d46dd

      Download Submit
    • C:\Users\Public\vbc.exe
      MD5

      7b5ad934e29d8d11c1ffed18a96cedd3

      SHA1

      68a2dc6dc49b56f25a662b5b24367fa1f4949a32

      SHA256

      757cd8cf8e9d17c61a1f5308d75ff5eae936d15f25fac859f8731b0e7030d4ad

      SHA512

      9d2d67536d3915c992b36cc5585cce52737d9309000ceee38a2a5cb6413922a9422e2d32adb65b97279f2ca2bed6e1ce04eeb738ab9c7eaf43506f58311d46dd

      Download Submit
    • \Users\Public\vbc.exe
      MD5

      7b5ad934e29d8d11c1ffed18a96cedd3

      SHA1

      68a2dc6dc49b56f25a662b5b24367fa1f4949a32

      SHA256

      757cd8cf8e9d17c61a1f5308d75ff5eae936d15f25fac859f8731b0e7030d4ad

      SHA512

      9d2d67536d3915c992b36cc5585cce52737d9309000ceee38a2a5cb6413922a9422e2d32adb65b97279f2ca2bed6e1ce04eeb738ab9c7eaf43506f58311d46dd

      Download Submit
    • \Users\Public\vbc.exe
      MD5

      7b5ad934e29d8d11c1ffed18a96cedd3

      SHA1

      68a2dc6dc49b56f25a662b5b24367fa1f4949a32

      SHA256

      757cd8cf8e9d17c61a1f5308d75ff5eae936d15f25fac859f8731b0e7030d4ad

      SHA512

      9d2d67536d3915c992b36cc5585cce52737d9309000ceee38a2a5cb6413922a9422e2d32adb65b97279f2ca2bed6e1ce04eeb738ab9c7eaf43506f58311d46dd

      Download Submit
    • \Users\Public\vbc.exe
      MD5

      7b5ad934e29d8d11c1ffed18a96cedd3

      SHA1

      68a2dc6dc49b56f25a662b5b24367fa1f4949a32

      SHA256

      757cd8cf8e9d17c61a1f5308d75ff5eae936d15f25fac859f8731b0e7030d4ad

      SHA512

      9d2d67536d3915c992b36cc5585cce52737d9309000ceee38a2a5cb6413922a9422e2d32adb65b97279f2ca2bed6e1ce04eeb738ab9c7eaf43506f58311d46dd

      Download Submit
    • \Users\Public\vbc.exe
      MD5

      7b5ad934e29d8d11c1ffed18a96cedd3

      SHA1

      68a2dc6dc49b56f25a662b5b24367fa1f4949a32

      SHA256

      757cd8cf8e9d17c61a1f5308d75ff5eae936d15f25fac859f8731b0e7030d4ad

      SHA512

      9d2d67536d3915c992b36cc5585cce52737d9309000ceee38a2a5cb6413922a9422e2d32adb65b97279f2ca2bed6e1ce04eeb738ab9c7eaf43506f58311d46dd

      Download Submit
    • memory/744-83-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/744-57-0x000000007236D000-0x0000000072378000-memory.dmp
      Filesize

      44KB

      Download
    • memory/744-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/744-55-0x0000000071381000-0x0000000071383000-memory.dmp
      Filesize

      8KB

      Download
    • memory/744-54-0x000000002F941000-0x000000002F944000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1216-81-0x0000000000520000-0x00000000005B0000-memory.dmp
      Filesize

      576KB

      Download
    • memory/1216-80-0x0000000000870000-0x0000000000B73000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1216-78-0x00000000006D0000-0x00000000006D6000-memory.dmp
      Filesize

      24KB

      Download
    • memory/1216-79-0x00000000000C0000-0x00000000000E9000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1268-82-0x0000000006F50000-0x0000000007088000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1268-77-0x0000000006BA0000-0x0000000006D29000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/1600-76-0x0000000000280000-0x0000000000291000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1600-75-0x000000000041D000-0x000000000041E000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1600-74-0x00000000008B0000-0x0000000000BB3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1600-71-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1600-70-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1600-69-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1696-58-0x0000000075131000-0x0000000075133000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1956-68-0x0000000000680000-0x000000000069E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/1956-67-0x0000000004AF0000-0x0000000004AF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1956-66-0x000000006C50E000-0x000000006C50F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1956-65-0x0000000000EA0000-0x0000000000EB2000-memory.dmp
      Filesize

      72KB

      Download