Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21/06/2022, 08:21

General

  • Target

    decrypted.xlsx

  • Size

    75KB

  • MD5

    7637745419817a7d66d853585be6373e

  • SHA1

    4dcb9a7dfc259c501f53a5e05ed111fc14147496

  • SHA256

    2a1fa8f1c00738e5717268f09ff66995ceceb8528ae5b5d8cd3fd3522f502642

  • SHA512

    4a567b0072a88618a01a93bd67ad02cd9e1ae076077c7e6e7332863ad9f6e755a95922a8f8a062456d730dd688bff065f381f128b2444b2f5312e7d41d17443a

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

zgtb

Decoy

gabriellep.com

honghe4.xyz

anisaofrendas.com

happy-tile.com

thesulkies.com

international-ipo.com

tazeco.info

hhhzzz.xyz

vrmonster.xyz

theearthresidencia.com

sportape.xyz

elshadaibaterias.com

koredeiihibi.com

taxtaa.com

globalcityb.com

fxivcama.com

dagsmith.com

elmar-bhp.com

peakice.net

jhcdjewelry.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

  • Xloader Payload 5 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\decrypted.xlsx
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2036
    • C:\Windows\SysWOW64\chkdsk.exe
      "C:\Windows\SysWOW64\chkdsk.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1376
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
        3⤵
          PID:1436
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1464
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:960
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:756

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Public\vbc.exe

            Filesize

            370KB

            MD5

            d2d37362b56af2703f2c3dcfb36b56b4

            SHA1

            06c6acc7060fb356d5bc7693f8d4bcecbbb4fb62

            SHA256

            04e6039e29e0b8f6fb1ec1502a3225c74c4c18f6c0ba1ce10eb2c834ede7f149

            SHA512

            c6dc602d4785b3e0cab4d1cfd033c13dd29b8fe0e22439f11c74381af4350eea7f7ce392c3461878f855b4e267e8c104c0a6547ff9d946c50d80731212691307

          • C:\Users\Public\vbc.exe

            Filesize

            370KB

            MD5

            d2d37362b56af2703f2c3dcfb36b56b4

            SHA1

            06c6acc7060fb356d5bc7693f8d4bcecbbb4fb62

            SHA256

            04e6039e29e0b8f6fb1ec1502a3225c74c4c18f6c0ba1ce10eb2c834ede7f149

            SHA512

            c6dc602d4785b3e0cab4d1cfd033c13dd29b8fe0e22439f11c74381af4350eea7f7ce392c3461878f855b4e267e8c104c0a6547ff9d946c50d80731212691307

          • \Users\Public\vbc.exe

            Filesize

            370KB

            MD5

            d2d37362b56af2703f2c3dcfb36b56b4

            SHA1

            06c6acc7060fb356d5bc7693f8d4bcecbbb4fb62

            SHA256

            04e6039e29e0b8f6fb1ec1502a3225c74c4c18f6c0ba1ce10eb2c834ede7f149

            SHA512

            c6dc602d4785b3e0cab4d1cfd033c13dd29b8fe0e22439f11c74381af4350eea7f7ce392c3461878f855b4e267e8c104c0a6547ff9d946c50d80731212691307

          • \Users\Public\vbc.exe

            Filesize

            370KB

            MD5

            d2d37362b56af2703f2c3dcfb36b56b4

            SHA1

            06c6acc7060fb356d5bc7693f8d4bcecbbb4fb62

            SHA256

            04e6039e29e0b8f6fb1ec1502a3225c74c4c18f6c0ba1ce10eb2c834ede7f149

            SHA512

            c6dc602d4785b3e0cab4d1cfd033c13dd29b8fe0e22439f11c74381af4350eea7f7ce392c3461878f855b4e267e8c104c0a6547ff9d946c50d80731212691307

          • \Users\Public\vbc.exe

            Filesize

            370KB

            MD5

            d2d37362b56af2703f2c3dcfb36b56b4

            SHA1

            06c6acc7060fb356d5bc7693f8d4bcecbbb4fb62

            SHA256

            04e6039e29e0b8f6fb1ec1502a3225c74c4c18f6c0ba1ce10eb2c834ede7f149

            SHA512

            c6dc602d4785b3e0cab4d1cfd033c13dd29b8fe0e22439f11c74381af4350eea7f7ce392c3461878f855b4e267e8c104c0a6547ff9d946c50d80731212691307

          • \Users\Public\vbc.exe

            Filesize

            370KB

            MD5

            d2d37362b56af2703f2c3dcfb36b56b4

            SHA1

            06c6acc7060fb356d5bc7693f8d4bcecbbb4fb62

            SHA256

            04e6039e29e0b8f6fb1ec1502a3225c74c4c18f6c0ba1ce10eb2c834ede7f149

            SHA512

            c6dc602d4785b3e0cab4d1cfd033c13dd29b8fe0e22439f11c74381af4350eea7f7ce392c3461878f855b4e267e8c104c0a6547ff9d946c50d80731212691307

          • memory/756-71-0x0000000000400000-0x000000000042B000-memory.dmp

            Filesize

            172KB

          • memory/756-70-0x0000000000400000-0x000000000042B000-memory.dmp

            Filesize

            172KB

          • memory/756-78-0x0000000000190000-0x00000000001A1000-memory.dmp

            Filesize

            68KB

          • memory/756-77-0x0000000000880000-0x0000000000B83000-memory.dmp

            Filesize

            3.0MB

          • memory/756-76-0x0000000000400000-0x000000000042B000-memory.dmp

            Filesize

            172KB

          • memory/756-73-0x0000000000400000-0x000000000042B000-memory.dmp

            Filesize

            172KB

          • memory/960-68-0x00000000010B0000-0x0000000001112000-memory.dmp

            Filesize

            392KB

          • memory/960-69-0x0000000000440000-0x0000000000474000-memory.dmp

            Filesize

            208KB

          • memory/1376-81-0x00000000001E0000-0x00000000001E7000-memory.dmp

            Filesize

            28KB

          • memory/1376-86-0x0000000000110000-0x000000000013B000-memory.dmp

            Filesize

            172KB

          • memory/1376-85-0x0000000001E10000-0x0000000001EA0000-memory.dmp

            Filesize

            576KB

          • memory/1376-84-0x0000000002050000-0x0000000002353000-memory.dmp

            Filesize

            3.0MB

          • memory/1376-82-0x0000000000110000-0x000000000013B000-memory.dmp

            Filesize

            172KB

          • memory/1384-79-0x0000000006C90000-0x0000000006D74000-memory.dmp

            Filesize

            912KB

          • memory/1384-89-0x00000000063C0000-0x0000000006481000-memory.dmp

            Filesize

            772KB

          • memory/1384-90-0x00000000063C0000-0x0000000006481000-memory.dmp

            Filesize

            772KB

          • memory/2036-58-0x0000000075521000-0x0000000075523000-memory.dmp

            Filesize

            8KB

          • memory/2036-60-0x00000000722FD000-0x0000000072308000-memory.dmp

            Filesize

            44KB

          • memory/2036-57-0x00000000722FD000-0x0000000072308000-memory.dmp

            Filesize

            44KB

          • memory/2036-54-0x000000002F8B1000-0x000000002F8B4000-memory.dmp

            Filesize

            12KB

          • memory/2036-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

          • memory/2036-55-0x0000000071311000-0x0000000071313000-memory.dmp

            Filesize

            8KB

          • memory/2036-87-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

          • memory/2036-88-0x00000000722FD000-0x0000000072308000-memory.dmp

            Filesize

            44KB