Analysis
max time kernel: 154s
max time network: 137s
platform: windows7_x64
resource: win7-20220414-en
submitted: 16/06/2022, 09:40

Static task: static1
Behavioral task: behavioral1
  Sample: RFQ_ITEMS.xlsx
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: RFQ_ITEMS.xlsx
  Resource: win10v2004-20220414-en

General
Target: RFQ_ITEMS.xlsx
Size: 714KB
MD5: 392ad9f585c56d59ed7c38f0f1fd0248
SHA1: 6612bc1b3efcd1768ab97295c939484d1de5a2e2
SHA256: b23af2441730b31e7c5c5e358eb4f2a52929d14546d4cdc3bb203060d069769a
SHA512: 37404e0a915029a528099903b10ff7196712e4b7b16b972f06cb441b72fd728be739f8d39984d0f45d9e0d89d01f31d448d6475ffbfcfc4d58403613ce71cd2f
Malware Config
Extracted
xloader
2.6
ah8e
kunmingzhaopin.com
eddymerckx.club
katiecleaningclinic.com
t36yu5tyy.com
tecnaus.com
latinaenelmetaverso.com
whicheyewear.com
hugear34.com
claybuyshomes.com
negociossanjose.online
usshopday.com
exaccept.life
lull.rest
johnkichote.com
tammysbulldogs.com
shark-protocol.com
bitdealcoin.com
onlineresultsmanager.com
ratedarrgh.com
knowperfectly.com
prestongrowers.com
christophermasters.com
dg-shengjia.com
dapurrika.com
paulboangiu.com
awenprod.com
beingwellbook.com
divideexpress.com
metacovidtracking.com
telavivyogafestival.com
israelprivate.guide
villadebiarhotel.com
dayesauto.com
bonamors.com
pasiando.com
despi.xyz
ferh23.com
ychuipost.com
codigozerobarriga.tech
gogibot.com
pinsaemortadella.com
albadr-iq.com
venacavadigital.com
musicacuerda.com
meal-duddy.com
catholicnewmedianetwork.com
1688chuangfumiji.com
pulizampa.com
suryun.com
sikuai123.com
colonyos.com
dgtaolishi.com
truerevolutionwellness.com
asagohan.com
bhuravcreations.com
siampay.world
wuweifriday.com
v-diarecruitment.com
luxurymiamiflorida.com
remaxdoral.net
jandbticketsales.com
lpd7.com
4petpetshop.com
wanyyu.com
sjexportslive.com
Signatures
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Xloader Payload 4 IoCs
resource | yara_rule
behavioral1/memory/1648-82-0x000000000041F260-mapping.dmp | xloader
behavioral1/memory/1648-81-0x0000000000400000-0x000000000042B000-memory.dmp | xloader
behavioral1/memory/1648-85-0x0000000000400000-0x000000000042B000-memory.dmp | xloader
behavioral1/memory/1764-93-0x0000000000130000-0x000000000015B000-memory.dmp | xloader

Blocklisted process makes network request 1 IoCs
flow | pid | Process
3 | 2032 | EQNEDT32.EXE

Downloads MZ/PE file

Executes dropped EXE 2 IoCs
pid | Process
1336 | name.exe
1648 | name.exe

Loads dropped DLL 1 IoCs
pid | Process
884 | cmd.exe

Drops file in System32 directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe

Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 1336 set thread context of 1648 | 1336 | name.exe | 38
PID 1648 set thread context of 1260 | 1648 | name.exe | 15
PID 1764 set thread context of 1260 | 1764 | msiexec.exe | 15

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1536 | schtasks.exe

Enumerates system info in registry 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
pid | Process
2032 | EQNEDT32.EXE
Modifies Internet Explorer settings 9 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
732 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs
pid | Process
1336 | name.exe (x15)
1648 | name.exe (x2)
1080 | powershell.exe (x1)
1764 | msiexec.exe (x3)

Suspicious behavior: MapViewOfSection 5 IoCs
pid | Process
1648 | name.exe (x3)
1764 | msiexec.exe (x2)

Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1336 | name.exe
Token: SeDebugPrivilege | 1648 | name.exe
Token: SeDebugPrivilege | 1080 | powershell.exe
Token: SeDebugPrivilege | 1764 | msiexec.exe
Token: SeShutdownPrivilege | 1260 | Explorer.EXE
Token: SeShutdownPrivilege | 1260 | Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
732 | EXCEL.EXE (x2)

Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
732 | EXCEL.EXE (x7)

Suspicious use of WriteProcessMemory 34 IoCs
description | pid | Process | procid_target
PID 2032 wrote to memory of 884 | 2032 | EQNEDT32.EXE | 31 (x4)
PID 884 wrote to memory of 1336 | 884 | cmd.exe | 33 (x4)
PID 1336 wrote to memory of 1080 | 1336 | name.exe | 34 (x4)
PID 1336 wrote to memory of 1536 | 1336 | name.exe | 36 (x4)
PID 1336 wrote to memory of 1648 | 1336 | name.exe | 38 (x7)
PID 1260 wrote to memory of 1764 | 1260 | Explorer.EXE | 40 (x7)
PID 1764 wrote to memory of 1508 | 1764 | msiexec.exe | 41 (x4)
Processes

C:\Windows\Explorer.EXE (PID 1260)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 732)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\RFQ_ITEMS.xlsx
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\autochk.exe (PID 340)
    Command line: "C:\Windows\SysWOW64\autochk.exe"

  C:\Windows\SysWOW64\msiexec.exe (PID 1764)
    Command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 1508)
      Command line: /c del "C:\Users\Public\name.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 2032)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 884)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Public\name.exe
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Public\name.exe (PID 1336)
      Command line: C:\Users\Public\name.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1080)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qJIUnePPGvAB.exe"
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\schtasks.exe (PID 1536)
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qJIUnePPGvAB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp67C9.tmp"
        - Creates scheduled task(s)

      C:\Users\Public\name.exe (PID 1648)
        Command line: "C:\Users\Public\name.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1KB
MD5: 6d58c2ae39d4f0b4ac993ae6669123f1
SHA1: 56de095bdc857e7a5e18653ef8bd04c05a4a0986
SHA256: 028edba0a6f5136efa91f3b2268203a25544ea92ab182c693024a29d5a803b91
SHA512: f1d3b690c6e718f71ec816b26ed8464eb5954320f2aca53779b059593b9b59a37f9406374438b144397eca7811035c1e82f307c12cd2db0405cd1ad9c263ad9b

Filesize: 633KB
MD5: 7889400a2f8d7e9aa23d8efd8c1b122a
SHA1: fd718571b73fe665839e622fc7bf6ea1c1e2d94a
SHA256: 15f9a1d5e931226148aabe0d2cefd56af687e0bd19e3bba2e2694fede201673a
SHA512: cfb1f5999f37a62655fefb40cf0a0982ff69f94b0afd5be4af35973252c66183625b44638bc038fc3b59261a7c3ec2d535a785f1af5125cdb4fb4849a37597a4