Overview

overview

10

Static

static

CRT CO.doc

windows7_x64

1

CRT CO.doc

windows10-2004_x64

1

decrypted.xlsx

windows7_x64

10

decrypted.xlsx

windows10-2004_x64

1

Analysis

  • max time kernel
    148s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-06-2022 14:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    decrypted.xlsx

  • Size

    74KB

  • MD5

    d6292ede597ee252272ff26b3b0921ee

  • SHA1

    c30df83b8ff4b9d170e317f77f5f11256400d7f3

  • SHA256

    cca88d823b05ff47e9bc7c2d98e4f4d7f7bb31f913edc35cf2a6b5b067a1a2fa

  • SHA512

    ad707c06b15c4f7943300cbc6047fa9bb886241a36c801ac5c443bc88b28552891380f916b9e56dd14b1591e1d71060f69719feddb37d7a2f5df1416b70f9911

Score
10/10
xloadervweqloaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

vweq

Decoy

malang-media.com

mrsfence.com

lubetops.com

aitimedia.net

montecryptocapital.com

ahwmedia.com

bvmnc.site

bggearstore.com

bcsantacoloma.online

alltimephotography.com

santacruz-roofings.com

leaplifestyleenterprises.com

censovet.com

similkameenfarms.com

undisclosed.email

thetrinityco.com

rapiturs.com

jedlersdorf.info

mh7jk12e.xyz

flygurlblogwordpress.com

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • Xloader Payload 4 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\decrypted.xlsx
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1664
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:700
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:1692
    • C:\Users\Public\vbc.exe
      "C:\Users\Public\vbc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\vbc.exe
    Filesize

    302KB

    MD5

    0236dcc27cfb3d09325c976002567985

    SHA1

    e1605510f182a0c6f8d3297355d9ceb00489df7c

    SHA256

    e640ade723ba4aa48f63db4293d15b61c07c05bfdd93a3a0f83f4a177306b87d

    SHA512

    512d6736ced5df8022ff26e1581f2ee7dfcef0f10c3b2e5324ac7ba16cee52f1db687a5921e8c72edc7d32a9467b161dc966c4f34f16d4ea13003e1f1f899081

    Download Submit
  • C:\Users\Public\vbc.exe
    Filesize

    302KB

    MD5

    0236dcc27cfb3d09325c976002567985

    SHA1

    e1605510f182a0c6f8d3297355d9ceb00489df7c

    SHA256

    e640ade723ba4aa48f63db4293d15b61c07c05bfdd93a3a0f83f4a177306b87d

    SHA512

    512d6736ced5df8022ff26e1581f2ee7dfcef0f10c3b2e5324ac7ba16cee52f1db687a5921e8c72edc7d32a9467b161dc966c4f34f16d4ea13003e1f1f899081

    Download Submit
  • \Users\Public\vbc.exe
    Filesize

    302KB

    MD5

    0236dcc27cfb3d09325c976002567985

    SHA1

    e1605510f182a0c6f8d3297355d9ceb00489df7c

    SHA256

    e640ade723ba4aa48f63db4293d15b61c07c05bfdd93a3a0f83f4a177306b87d

    SHA512

    512d6736ced5df8022ff26e1581f2ee7dfcef0f10c3b2e5324ac7ba16cee52f1db687a5921e8c72edc7d32a9467b161dc966c4f34f16d4ea13003e1f1f899081

    Download Submit
  • \Users\Public\vbc.exe
    Filesize

    302KB

    MD5

    0236dcc27cfb3d09325c976002567985

    SHA1

    e1605510f182a0c6f8d3297355d9ceb00489df7c

    SHA256

    e640ade723ba4aa48f63db4293d15b61c07c05bfdd93a3a0f83f4a177306b87d

    SHA512

    512d6736ced5df8022ff26e1581f2ee7dfcef0f10c3b2e5324ac7ba16cee52f1db687a5921e8c72edc7d32a9467b161dc966c4f34f16d4ea13003e1f1f899081

    Download Submit
  • \Users\Public\vbc.exe
    Filesize

    302KB

    MD5

    0236dcc27cfb3d09325c976002567985

    SHA1

    e1605510f182a0c6f8d3297355d9ceb00489df7c

    SHA256

    e640ade723ba4aa48f63db4293d15b61c07c05bfdd93a3a0f83f4a177306b87d

    SHA512

    512d6736ced5df8022ff26e1581f2ee7dfcef0f10c3b2e5324ac7ba16cee52f1db687a5921e8c72edc7d32a9467b161dc966c4f34f16d4ea13003e1f1f899081

    Download Submit
  • \Users\Public\vbc.exe
    Filesize

    302KB

    MD5

    0236dcc27cfb3d09325c976002567985

    SHA1

    e1605510f182a0c6f8d3297355d9ceb00489df7c

    SHA256

    e640ade723ba4aa48f63db4293d15b61c07c05bfdd93a3a0f83f4a177306b87d

    SHA512

    512d6736ced5df8022ff26e1581f2ee7dfcef0f10c3b2e5324ac7ba16cee52f1db687a5921e8c72edc7d32a9467b161dc966c4f34f16d4ea13003e1f1f899081

    Download Submit
  • memory/700-82-0x000000006D251000-0x000000006D253000-memory.dmp
    Filesize

    8KB

    Download
  • memory/700-86-0x0000000000A50000-0x0000000000AE0000-memory.dmp
    Filesize

    576KB

    Download
  • memory/700-85-0x00000000022B0000-0x00000000025B3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/700-84-0x00000000000C0000-0x00000000000EB000-memory.dmp
    Filesize

    172KB

    Download
  • memory/700-83-0x0000000000C20000-0x0000000000EA1000-memory.dmp
    Filesize

    2.5MB

    Download
  • memory/700-80-0x0000000000000000-mapping.dmp
    Download
  • memory/1212-79-0x00000000063F0000-0x0000000006583000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1212-92-0x000007FF03E90000-0x000007FF03E9A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1212-91-0x000007FEF6CD0000-0x000007FEF6E13000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1212-88-0x0000000004D10000-0x0000000004DE4000-memory.dmp
    Filesize

    848KB

    Download
  • memory/1212-87-0x0000000004D10000-0x0000000004DE4000-memory.dmp
    Filesize

    848KB

    Download
  • memory/1580-78-0x0000000000280000-0x0000000000291000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1580-70-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1580-76-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1580-77-0x0000000000900000-0x0000000000C03000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1580-74-0x000000000041F280-mapping.dmp
    Download
  • memory/1580-73-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1580-71-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1664-69-0x0000000072BFD000-0x0000000072C08000-memory.dmp
    Filesize

    44KB

    Download
  • memory/1664-54-0x000000002F421000-0x000000002F424000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1664-58-0x0000000075AE1000-0x0000000075AE3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1664-55-0x0000000071C11000-0x0000000071C13000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1664-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1664-89-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1664-90-0x0000000072BFD000-0x0000000072C08000-memory.dmp
    Filesize

    44KB

    Download
  • memory/1664-57-0x0000000072BFD000-0x0000000072C08000-memory.dmp
    Filesize

    44KB

    Download
  • memory/2016-68-0x0000000000330000-0x0000000000364000-memory.dmp
    Filesize

    208KB

    Download
  • memory/2016-67-0x0000000000900000-0x0000000000952000-memory.dmp
    Filesize

    328KB

    Download
  • memory/2016-64-0x0000000000000000-mapping.dmp
    Download