Overview

overview

10

Static

static

SKMB60219.xlsx

windows7_x64

10

SKMB60219.xlsx

windows10-2004_x64

1

Analysis

  • max time kernel
    4294212s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    11-03-2022 02:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SKMB60219.xlsx

  • Size

    186KB

  • MD5

    96d7d76083a4a671520fc66cef8b117c

  • SHA1

    2eb64b5ac52b4bffc75a180c051c26b2a6140f43

  • SHA256

    b3280e9402e6172764449daedc9e687fbe7b474fd7a45d9756c588d1fa2b1fe2

  • SHA512

    53b3f6f86f0fcb5eb8f3d9fb0babf94bcc358b4f9daf2aadd47c5eb2e796683b03ede312d877eaa1968b3c90ffc0d15ac958d1b0743403faf440365141bd26b9

Score
10/10
xloaderahc8loaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ahc8

Decoy

192451.com

wwwripostes.net

sirikhalsalaw.com

bitterbaybay.com

stella-scrubs.com

almanecermezcal.com

goodgood.online

translate-now.online

sincerefilm.com

quadrantforensics.com

johnfrenchart.com

plick-click.com

alnileen.com

tghi.xyz

172711.com

maymakita.com

punnyaseva.com

ukash-online.com

sho-yururi-blog.com

hebergement-solidaire.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 2 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 10 IoCs
    installer
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1388
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SKMB60219.xlsx
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1792
    • C:\Windows\SysWOW64\wininit.exe
      "C:\Windows\SysWOW64\wininit.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:376
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\bifhcp.exe"
        3⤵
          PID:2016
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:708
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:868
        • C:\Users\Admin\AppData\Local\Temp\bifhcp.exe
          C:\Users\Admin\AppData\Local\Temp\bifhcp.exe C:\Users\Admin\AppData\Local\Temp\xvipmw
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1628
          • C:\Users\Admin\AppData\Local\Temp\bifhcp.exe
            C:\Users\Admin\AppData\Local\Temp\bifhcp.exe C:\Users\Admin\AppData\Local\Temp\xvipmw
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:1612

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\8uvc6tb2cw52
      MD5

      ad8694bf41f9cbbb4d8e671a3ce0612a

      SHA1

      60b8f572210e8112f04d165b515bd63a2eefaebc

      SHA256

      f12abecd7d300f5e0077a910f46adff553a2f3d5492cc076443345ea5c038239

      SHA512

      10c9214615a73582dda0c288d297eacbc9c655977a6a6f01b78f5d0c1c2d748a0cecaf5ce08a54de75baee760629de6c77b81d2647e6c7a22465d844142be478

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\bifhcp.exe
      MD5

      40025a502304d446b8e53205991b96c1

      SHA1

      652b3f88b0521c3abd88290c5d69049e7486312c

      SHA256

      ac6b87cea22911ecafab82748a03eab9d0ea2cfe669191cfbc61c446af809655

      SHA512

      042fb40d8d10657023cdd344f515944ae6b9df644ebe4bf6bf6ed326f0f37d88a7f09a134dc969fc29a727b997c1ee0b06ad15c02f1af0180c4cec5901eefca2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\bifhcp.exe
      MD5

      40025a502304d446b8e53205991b96c1

      SHA1

      652b3f88b0521c3abd88290c5d69049e7486312c

      SHA256

      ac6b87cea22911ecafab82748a03eab9d0ea2cfe669191cfbc61c446af809655

      SHA512

      042fb40d8d10657023cdd344f515944ae6b9df644ebe4bf6bf6ed326f0f37d88a7f09a134dc969fc29a727b997c1ee0b06ad15c02f1af0180c4cec5901eefca2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\bifhcp.exe
      MD5

      40025a502304d446b8e53205991b96c1

      SHA1

      652b3f88b0521c3abd88290c5d69049e7486312c

      SHA256

      ac6b87cea22911ecafab82748a03eab9d0ea2cfe669191cfbc61c446af809655

      SHA512

      042fb40d8d10657023cdd344f515944ae6b9df644ebe4bf6bf6ed326f0f37d88a7f09a134dc969fc29a727b997c1ee0b06ad15c02f1af0180c4cec5901eefca2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\xvipmw
      MD5

      da749731ed6579052c657302b892b44b

      SHA1

      7da4156af0f1e9ef397e836e9f7a75e90bce1a07

      SHA256

      c39222c6207fd53f6836e1dd1726f4d2f3f76622208b8113ce23fcb22cb88470

      SHA512

      e05b3dbd36daabc99edccbee11e31b3cc645b04f41226e2fb1c5772342e47240383d63564955ef35fa5b530e4b404af041f89836ad4ebea8b5c3d65fa3687d92

      Download Submit
    • C:\Users\Public\vbc.exe
      MD5

      e41def555743c430d0def4a513de4d96

      SHA1

      7c90a41062f1f867a1ae0bdeb1d37ca72cd2b95e

      SHA256

      1190df73979f3dc768713f51fcf6e2eb439b95caf7c4a2b998c377ea5a35e9d5

      SHA512

      331add20592a9cd8336bc902fe0f4934f6b50866904eb60f4cc3e6046c5edf8d29b5e901cc37f1619ffed9ae83201bbb93d165297ba41dda655b533870e722b6

      Download Submit
    • C:\Users\Public\vbc.exe
      MD5

      e41def555743c430d0def4a513de4d96

      SHA1

      7c90a41062f1f867a1ae0bdeb1d37ca72cd2b95e

      SHA256

      1190df73979f3dc768713f51fcf6e2eb439b95caf7c4a2b998c377ea5a35e9d5

      SHA512

      331add20592a9cd8336bc902fe0f4934f6b50866904eb60f4cc3e6046c5edf8d29b5e901cc37f1619ffed9ae83201bbb93d165297ba41dda655b533870e722b6

      Download Submit
    • \Users\Admin\AppData\Local\Temp\bifhcp.exe
      MD5

      40025a502304d446b8e53205991b96c1

      SHA1

      652b3f88b0521c3abd88290c5d69049e7486312c

      SHA256

      ac6b87cea22911ecafab82748a03eab9d0ea2cfe669191cfbc61c446af809655

      SHA512

      042fb40d8d10657023cdd344f515944ae6b9df644ebe4bf6bf6ed326f0f37d88a7f09a134dc969fc29a727b997c1ee0b06ad15c02f1af0180c4cec5901eefca2

      Download Submit
    • \Users\Admin\AppData\Local\Temp\bifhcp.exe
      MD5

      40025a502304d446b8e53205991b96c1

      SHA1

      652b3f88b0521c3abd88290c5d69049e7486312c

      SHA256

      ac6b87cea22911ecafab82748a03eab9d0ea2cfe669191cfbc61c446af809655

      SHA512

      042fb40d8d10657023cdd344f515944ae6b9df644ebe4bf6bf6ed326f0f37d88a7f09a134dc969fc29a727b997c1ee0b06ad15c02f1af0180c4cec5901eefca2

      Download Submit
    • \Users\Public\vbc.exe
      MD5

      e41def555743c430d0def4a513de4d96

      SHA1

      7c90a41062f1f867a1ae0bdeb1d37ca72cd2b95e

      SHA256

      1190df73979f3dc768713f51fcf6e2eb439b95caf7c4a2b998c377ea5a35e9d5

      SHA512

      331add20592a9cd8336bc902fe0f4934f6b50866904eb60f4cc3e6046c5edf8d29b5e901cc37f1619ffed9ae83201bbb93d165297ba41dda655b533870e722b6

      Download Submit
    • \Users\Public\vbc.exe
      MD5

      e41def555743c430d0def4a513de4d96

      SHA1

      7c90a41062f1f867a1ae0bdeb1d37ca72cd2b95e

      SHA256

      1190df73979f3dc768713f51fcf6e2eb439b95caf7c4a2b998c377ea5a35e9d5

      SHA512

      331add20592a9cd8336bc902fe0f4934f6b50866904eb60f4cc3e6046c5edf8d29b5e901cc37f1619ffed9ae83201bbb93d165297ba41dda655b533870e722b6

      Download Submit
    • \Users\Public\vbc.exe
      MD5

      e41def555743c430d0def4a513de4d96

      SHA1

      7c90a41062f1f867a1ae0bdeb1d37ca72cd2b95e

      SHA256

      1190df73979f3dc768713f51fcf6e2eb439b95caf7c4a2b998c377ea5a35e9d5

      SHA512

      331add20592a9cd8336bc902fe0f4934f6b50866904eb60f4cc3e6046c5edf8d29b5e901cc37f1619ffed9ae83201bbb93d165297ba41dda655b533870e722b6

      Download Submit
    • memory/376-81-0x0000000000510000-0x00000000005A0000-memory.dmp
      Filesize

      576KB

      Download
    • memory/376-80-0x0000000002120000-0x0000000002423000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/376-78-0x00000000008A0000-0x00000000008BA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/376-79-0x0000000000080000-0x00000000000A9000-memory.dmp
      Filesize

      164KB

      Download
    • memory/708-58-0x00000000752A1000-0x00000000752A3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1388-77-0x0000000006A90000-0x0000000006BFD000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1388-82-0x0000000006C00000-0x0000000006CC5000-memory.dmp
      Filesize

      788KB

      Download
    • memory/1612-71-0x0000000000400000-0x0000000000429000-memory.dmp
      Filesize

      164KB

      Download
    • memory/1612-76-0x00000000001D0000-0x00000000001E1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1612-75-0x000000000041D000-0x000000000041E000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1612-74-0x00000000008B0000-0x0000000000BB3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1792-55-0x0000000070EB1000-0x0000000070EB3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1792-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1792-54-0x000000002F781000-0x000000002F784000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1792-57-0x0000000071E9D000-0x0000000071EA8000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1792-83-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download