Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21/06/2022, 09:05

General

  • Target

    Doc202206201627.xlsx

  • Size

    71KB

  • MD5

    1d82383a97676c0119586294847d72c4

  • SHA1

    e235ee979b771fc57a1591c3937964e8737e6522

  • SHA256

    4a484a5d70b16a279ea706a537405a9163c26fb4fdb73ffe894ba0f424e57277

  • SHA512

    0c92bdc7e80795bbf967d49238625bee28d47b43cfc8ac266e4becc6a71f6d8dd541e40e3b776ff9b22f4fdcb096c6ed18b35755af96a5a9d015eda68ff26799

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

gd9m

Decoy

screens.ma

coachingdiary.com

cannabisconsultant.xyz

sirenonthemoon.com

gabrielatrejo.com

blumenladentampa.com

sturisticosadmcancun.com

qdygo.net

nubearies.com

thedestinationcrafter.com

fastblacktv.com

sanakatha.com

birdviewsecurityandshipping.com

waterfilterhub.xyz

92658.top

xigen.xyz

barikadcrew.com

herzogbjj.com

veminis.com

thnawya.net

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)
  • suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

  • Xloader Payload 4 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Doc202206201627.xlsx
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1356
    • C:\Windows\SysWOW64\help.exe
      "C:\Windows\SysWOW64\help.exe"
      2⤵
      • Adds policy Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:816
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Public\vbc.exe"
        3⤵
        PID:1484
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
        PID:1644
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Users\Public\vbc.exe
      "C:\Users\Public\vbc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1768
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:588

Network

MITRE ATT&CK Enterprise v6

Downloads

            • C:\Users\Public\vbc.exe

              Filesize

              963KB

              MD5

              83dd3acd8f3e455bfd2c4711453399c3

              SHA1

              8895c917c9a3157939036647ba402f02d98f29e4

              SHA256

              ccc5f7c2dcf83d72150071b31ff3036834f0d26544e2c2c274bce95d234b14ea

              SHA512

              72fee0861dad6d8f44f450e00950bb1c486961b7f114d822f1e5e0335c7214800b1c8242a35f409220eac72f8b2dfd56a238c5e10be13d52507e521daa5cb2d2

            • \Users\Public\vbc.exe

              Filesize

              963KB

              MD5

              83dd3acd8f3e455bfd2c4711453399c3

              SHA1

              8895c917c9a3157939036647ba402f02d98f29e4

              SHA256

              ccc5f7c2dcf83d72150071b31ff3036834f0d26544e2c2c274bce95d234b14ea

              SHA512

              72fee0861dad6d8f44f450e00950bb1c486961b7f114d822f1e5e0335c7214800b1c8242a35f409220eac72f8b2dfd56a238c5e10be13d52507e521daa5cb2d2

            • memory/588-75-0x0000000000070000-0x000000000009B000-memory.dmp

              Filesize

              172KB

            • memory/588-74-0x0000000000070000-0x000000000009B000-memory.dmp

              Filesize

              172KB

            • memory/588-83-0x00000000001B0000-0x00000000001C1000-memory.dmp

              Filesize

              68KB

            • memory/588-82-0x00000000009F0000-0x0000000000CF3000-memory.dmp

              Filesize

              3.0MB

            • memory/588-80-0x0000000000070000-0x000000000009B000-memory.dmp

              Filesize

              172KB

            • memory/588-77-0x0000000000400000-0x000000000042B000-memory.dmp

              Filesize

              172KB

            • memory/816-88-0x0000000000080000-0x00000000000AB000-memory.dmp

              Filesize

              172KB

            • memory/816-91-0x0000000000080000-0x00000000000AB000-memory.dmp

              Filesize

              172KB

            • memory/816-90-0x00000000006B0000-0x0000000000740000-memory.dmp

              Filesize

              576KB

            • memory/816-87-0x00000000008A0000-0x00000000008A6000-memory.dmp

              Filesize

              24KB

            • memory/816-86-0x0000000000A40000-0x0000000000D43000-memory.dmp

              Filesize

              3.0MB

            • memory/1244-84-0x0000000006C70000-0x0000000006D30000-memory.dmp

              Filesize

              768KB

            • memory/1244-93-0x0000000007190000-0x00000000072D5000-memory.dmp

              Filesize

              1.3MB

            • memory/1244-92-0x0000000007190000-0x00000000072D5000-memory.dmp

              Filesize

              1.3MB

            • memory/1356-55-0x0000000071241000-0x0000000071243000-memory.dmp

              Filesize

              8KB

            • memory/1356-71-0x000000007222D000-0x0000000072238000-memory.dmp

              Filesize

              44KB

            • memory/1356-57-0x000000007222D000-0x0000000072238000-memory.dmp

              Filesize

              44KB

            • memory/1356-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

              Filesize

              64KB

            • memory/1356-95-0x000000007222D000-0x0000000072238000-memory.dmp

              Filesize

              44KB

            • memory/1356-94-0x000000005FFF0000-0x0000000060000000-memory.dmp

              Filesize

              64KB

            • memory/1356-58-0x0000000076191000-0x0000000076193000-memory.dmp

              Filesize

              8KB

            • memory/1356-54-0x000000002F491000-0x000000002F494000-memory.dmp

              Filesize

              12KB

            • memory/1768-70-0x00000000005E0000-0x0000000000610000-memory.dmp

              Filesize

              192KB

            • memory/1768-73-0x0000000000650000-0x0000000000656000-memory.dmp

              Filesize

              24KB

            • memory/1768-72-0x0000000000900000-0x000000000091A000-memory.dmp

              Filesize

              104KB

            • memory/1768-68-0x0000000000340000-0x0000000000436000-memory.dmp

              Filesize

              984KB