Analysis
- max time kernel: 150s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 01:20

Static task: static1
Behavioral task: behavioral1
- Sample: 630377.xls .scr
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 630377.xls .scr
- Resource: win10v2004-20220414-en

General
- Target: 630377.xls .scr
- Size: 535KB
- MD5: 596b08cab4dec9f4c91112410b811c22
- SHA1: c5aa419d8d5e9ff5b7bab305d59c044e3c49a47b
- SHA256: 2cccc56f00e67c1f5a329b4d4815f736f7c866cc2b50e590341ac2e5cd0a85be
- SHA512: f7fc7248ffbcd6cadf5ba869d6b622bf70a081687f3434f2e681c2ce89457eef07c8b0eac00dd87c04a0a641be2a69cf7b9e0c015e55865783168ba1695c71f8
Malware Config
Extracted:
- xloader
- 2.0
- rcgc
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload (4 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/976-77-0x0000000000400000-0x0000000000427000-memory.dmp: xloader
  - behavioral1/memory/976-78-0x000000000041C220-mapping.dmp: xloader
  - behavioral1/memory/976-81-0x0000000000400000-0x0000000000427000-memory.dmp: xloader
  - behavioral1/memory/840-87-0x0000000000080000-0x00000000000A7000-memory.dmp: xloader
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
  - 280: mbdx.exe
  - 976: AddInProcess32.exe
- Loads dropped DLL (4 IoCs)
  Processes (pid / process):
  - 1800: 630377.xls .scr (x2)
  - 280: mbdx.exe (x2)
- Obfuscated with Agile.Net obfuscator (2 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Processes (resource / yara_rule):
  - behavioral1/memory/1800-56-0x00000000005B0000-0x00000000005D2000-memory.dmp: agile_net
  - behavioral1/memory/280-67-0x00000000004C0000-0x00000000004E2000-memory.dmp: agile_net
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes (description / ioc / process):
  - Key created: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\smybv = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\mbdx.exe" (reg.exe)
  - Key created: \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (svchost.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VNU84HJ0 = "C:\\Program Files (x86)\\Ngjo\\ms0l58.exe" (svchost.exe)
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (pid / process / target process):
  - PID 280 (mbdx.exe) set thread context of 976 (AddInProcess32.exe)
  - PID 976 (AddInProcess32.exe) set thread context of 1288 (Explorer.EXE)
  - PID 840 (svchost.exe) set thread context of 1288 (Explorer.EXE)
- Drops file in Program Files directory (1 IoC)
  Processes (description / ioc / process):
  - File opened for modification: C:\Program Files (x86)\Ngjo\ms0l58.exe (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Internet Explorer settings
  Processes (description / ioc / process):
  - Key created: \Registry\User\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (svchost.exe)
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes (pid / process):
  - 1800: 630377.xls .scr (x2)
  - 280: mbdx.exe (x3)
  - 976: AddInProcess32.exe (x2)
  - 840: svchost.exe (x5)
- Suspicious behavior: MapViewOfSection (7 IoCs)
  Processes (pid / process):
  - 976: AddInProcess32.exe (x3)
  - 840: svchost.exe (x4)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, 1800 630377.xls .scr
  - Token: SeDebugPrivilege, 280 mbdx.exe
  - Token: SeDebugPrivilege, 976 AddInProcess32.exe
  - Token: SeDebugPrivilege, 840 svchost.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid / process):
  - 1288: Explorer.EXE (x2)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes (pid / process):
  - 1288: Explorer.EXE (x2)
- Suspicious use of WriteProcessMemory (32 IoCs)
  Processes (pid / process / target process):
  - PID 1800 (630377.xls .scr) wrote to memory of 1576 (cmd.exe) (x4)
  - PID 1576 (cmd.exe) wrote to memory of 1400 (reg.exe) (x4)
  - PID 1800 (630377.xls .scr) wrote to memory of 280 (mbdx.exe) (x4)
  - PID 280 (mbdx.exe) wrote to memory of 976 (AddInProcess32.exe) (x7)
  - PID 1288 (Explorer.EXE) wrote to memory of 840 (svchost.exe) (x4)
  - PID 840 (svchost.exe) wrote to memory of 636 (cmd.exe) (x4)
  - PID 840 (svchost.exe) wrote to memory of 1480 (Firefox.exe) (x5)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\630377.xls .scr
    Command line: "C:\Users\Admin\AppData\Local\Temp\630377.xls .scr" /S
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v smybv /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\mbdx.exe"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v smybv /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\mbdx.exe"
        - Adds Run key to start application
    - C:\Users\Admin\mbdx.exe
      Command line: "C:\Users\Admin\mbdx.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\svchost.exe
    Command line: "C:\Windows\SysWOW64\svchost.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
    - C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Downloads
- C:\Users\Admin\AppData\Local\Temp\305ca9ce-05a7-4081-bcf5-b3110c43e68e\l.dll (94KB)
  MD5: 14ff402962ad21b78ae0b4c43cd1f194
  SHA1: f8a510eb26666e875a5bdd1cadad40602763ad72
  SHA256: fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
  SHA512: daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b
- C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe (41KB)
  MD5: 6a673bfc3b67ae9782cb31af2f234c68
  SHA1: 7544e89566d91e84e3cd437b9a073e5f6b56566e
  SHA256: 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
  SHA512: 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
- C:\Users\Admin\mbdx.exe (535KB)
  MD5: 596b08cab4dec9f4c91112410b811c22
  SHA1: c5aa419d8d5e9ff5b7bab305d59c044e3c49a47b
  SHA256: 2cccc56f00e67c1f5a329b4d4815f736f7c866cc2b50e590341ac2e5cd0a85be
  SHA512: f7fc7248ffbcd6cadf5ba869d6b622bf70a081687f3434f2e681c2ce89457eef07c8b0eac00dd87c04a0a641be2a69cf7b9e0c015e55865783168ba1695c71f8
- \Users\Admin\AppData\Local\Temp\305ca9ce-05a7-4081-bcf5-b3110c43e68e\l.dll (94KB)
  MD5: 14ff402962ad21b78ae0b4c43cd1f194
  SHA1: f8a510eb26666e875a5bdd1cadad40602763ad72
  SHA256: fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
  SHA512: daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b
- \Users\Admin\AppData\Local\Temp\AddInProcess32.exe (41KB)
  MD5: 6a673bfc3b67ae9782cb31af2f234c68
  SHA1: 7544e89566d91e84e3cd437b9a073e5f6b56566e
  SHA256: 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
  SHA512: 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
- \Users\Admin\mbdx.exe (535KB)
  MD5: 596b08cab4dec9f4c91112410b811c22
  SHA1: c5aa419d8d5e9ff5b7bab305d59c044e3c49a47b
  SHA256: 2cccc56f00e67c1f5a329b4d4815f736f7c866cc2b50e590341ac2e5cd0a85be
  SHA512: f7fc7248ffbcd6cadf5ba869d6b622bf70a081687f3434f2e681c2ce89457eef07c8b0eac00dd87c04a0a641be2a69cf7b9e0c015e55865783168ba1695c71f8
- memory/280-62-0x0000000000000000-mapping.dmp
- memory/280-65-0x0000000000B00000-0x0000000000B8C000-memory.dmp (560KB)
- memory/280-67-0x00000000004C0000-0x00000000004E2000-memory.dmp (136KB)
- memory/280-70-0x0000000074270000-0x00000000742F0000-memory.dmp (512KB)
- memory/280-71-0x0000000000690000-0x000000000069A000-memory.dmp (40KB)
- memory/636-88-0x0000000000000000-mapping.dmp
- memory/840-90-0x00000000005C0000-0x000000000064F000-memory.dmp (572KB)
- memory/840-89-0x0000000000750000-0x0000000000A53000-memory.dmp (3.0MB)
- memory/840-87-0x0000000000080000-0x00000000000A7000-memory.dmp (156KB)
- memory/840-86-0x0000000000E20000-0x0000000000E28000-memory.dmp (32KB)
- memory/840-85-0x0000000000000000-mapping.dmp
- memory/976-77-0x0000000000400000-0x0000000000427000-memory.dmp (156KB)
- memory/976-75-0x0000000000400000-0x0000000000427000-memory.dmp (156KB)
- memory/976-74-0x0000000000400000-0x0000000000427000-memory.dmp (156KB)
- memory/976-81-0x0000000000400000-0x0000000000427000-memory.dmp (156KB)
- memory/976-82-0x0000000000770000-0x0000000000A73000-memory.dmp (3.0MB)
- memory/976-83-0x0000000000200000-0x0000000000210000-memory.dmp (64KB)
- memory/976-78-0x000000000041C220-mapping.dmp
- memory/1288-84-0x0000000004F40000-0x0000000005023000-memory.dmp (908KB)
- memory/1288-91-0x00000000068F0000-0x0000000006A1D000-memory.dmp (1.2MB)
- memory/1400-60-0x0000000000000000-mapping.dmp
- memory/1576-59-0x0000000000000000-mapping.dmp
- memory/1800-55-0x0000000074E91000-0x0000000074E93000-memory.dmp (8KB)
- memory/1800-56-0x00000000005B0000-0x00000000005D2000-memory.dmp (136KB)
- memory/1800-54-0x0000000001100000-0x000000000118C000-memory.dmp (560KB)