Overview

overview

10

Static

static

SGLN22060220.xlsx

windows7_x64

10

SGLN22060220.xlsx

windows10-2004_x64

1

Analysis

  • max time kernel
    152s
  • max time network
    194s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    22-06-2022 14:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SGLN22060220.xlsx

  • Size

    79KB

  • MD5

    57efdb5c07a2948e09c3535d3b91fc72

  • SHA1

    974c2be9ff6499240c09b570e759e17b83061c68

  • SHA256

    a5985216525198346400da43be15f61b3ef5fcb784d6ebd43ddfc9e269704a68

  • SHA512

    e19b817387f494bea3a879e1d19a63d9a605e8d38f75e0650c64a389f78aca05245a5fdfe28f823b41439be6eabfbffcc7a5adbeeaea26bbd71b78a56135918f

Score
10/10
formbookxloadertn61loaderpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

tn61

Decoy

ryliehorrall.art

mesdco.net

street-art-ink.com

sepetcin.com

stilghar.com

hawaiipooltiles.com

fuerst-von-falkennest.com

totalvirtue.com

xdk0blc0tqy6a7.life

zootowngravel.com

kreditkarten-optionde.com

6888tlbb.xyz

albertakleekai.com

travelnurseinfofinder3.life

valleyinnswat.com

secure-remove-devices.com

digitalswamy.com

www112casinova.com

medifasttrd.com

distritoxermar.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • Xloader Payload 6 IoCs
    rat
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1272
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SGLN22060220.xlsx
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1408
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
        PID:1288
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1204
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
          3⤵
            PID:2028
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1412
            • C:\Windows\SysWOW64\rundll32.exe
              "C:\Windows\SysWOW64\rundll32.exe"
              4⤵
              • Adds Run key to start application
              • Suspicious use of SetThreadContext
              • Drops file in Program Files directory
              • Modifies Internet Explorer settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:964
              • C:\Windows\SysWOW64\cmd.exe
                /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
                5⤵
                  PID:1100
                • C:\Program Files\Mozilla Firefox\Firefox.exe
                  "C:\Program Files\Mozilla Firefox\Firefox.exe"
                  5⤵
                    PID:1028

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Scripting

          1
          T1064

          Exploitation for Client Execution

          1
          T1203

          Persistence

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          Defense Evasion

          Scripting

          1
          T1064

          Modify Registry

          2
          T1112

          Credential Access

          Credentials in Files

          1
          T1081

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Public\vbc.exe
            Filesize

            283KB

            MD5

            3003d7f5f37555dda6aaedc46ebffb6e

            SHA1

            2fc3bfb42f58a9c1c6c9383015347b9c8935d14f

            SHA256

            2fad61e5630cde696d8ea57db27d521ed4ff87ae0c5e692c597171439ae6d01c

            SHA512

            c9df0576f1f92639c69c79cd230ce80a4b8606791e0be99660fb119e207ff894b6c10f31fbba70699dc7e296c8e061130e5eb765e2eef521e602a8918f32e050

            Download Submit
          • C:\Users\Public\vbc.exe
            Filesize

            283KB

            MD5

            3003d7f5f37555dda6aaedc46ebffb6e

            SHA1

            2fc3bfb42f58a9c1c6c9383015347b9c8935d14f

            SHA256

            2fad61e5630cde696d8ea57db27d521ed4ff87ae0c5e692c597171439ae6d01c

            SHA512

            c9df0576f1f92639c69c79cd230ce80a4b8606791e0be99660fb119e207ff894b6c10f31fbba70699dc7e296c8e061130e5eb765e2eef521e602a8918f32e050

            Download Submit
          • \Users\Public\vbc.exe
            Filesize

            283KB

            MD5

            3003d7f5f37555dda6aaedc46ebffb6e

            SHA1

            2fc3bfb42f58a9c1c6c9383015347b9c8935d14f

            SHA256

            2fad61e5630cde696d8ea57db27d521ed4ff87ae0c5e692c597171439ae6d01c

            SHA512

            c9df0576f1f92639c69c79cd230ce80a4b8606791e0be99660fb119e207ff894b6c10f31fbba70699dc7e296c8e061130e5eb765e2eef521e602a8918f32e050

            Download Submit
          • \Users\Public\vbc.exe
            Filesize

            283KB

            MD5

            3003d7f5f37555dda6aaedc46ebffb6e

            SHA1

            2fc3bfb42f58a9c1c6c9383015347b9c8935d14f

            SHA256

            2fad61e5630cde696d8ea57db27d521ed4ff87ae0c5e692c597171439ae6d01c

            SHA512

            c9df0576f1f92639c69c79cd230ce80a4b8606791e0be99660fb119e207ff894b6c10f31fbba70699dc7e296c8e061130e5eb765e2eef521e602a8918f32e050

            Download Submit
          • \Users\Public\vbc.exe
            Filesize

            283KB

            MD5

            3003d7f5f37555dda6aaedc46ebffb6e

            SHA1

            2fc3bfb42f58a9c1c6c9383015347b9c8935d14f

            SHA256

            2fad61e5630cde696d8ea57db27d521ed4ff87ae0c5e692c597171439ae6d01c

            SHA512

            c9df0576f1f92639c69c79cd230ce80a4b8606791e0be99660fb119e207ff894b6c10f31fbba70699dc7e296c8e061130e5eb765e2eef521e602a8918f32e050

            Download Submit
          • \Users\Public\vbc.exe
            Filesize

            283KB

            MD5

            3003d7f5f37555dda6aaedc46ebffb6e

            SHA1

            2fc3bfb42f58a9c1c6c9383015347b9c8935d14f

            SHA256

            2fad61e5630cde696d8ea57db27d521ed4ff87ae0c5e692c597171439ae6d01c

            SHA512

            c9df0576f1f92639c69c79cd230ce80a4b8606791e0be99660fb119e207ff894b6c10f31fbba70699dc7e296c8e061130e5eb765e2eef521e602a8918f32e050

            Download Submit
          • memory/964-93-0x0000000000960000-0x00000000009F0000-memory.dmp
            Filesize

            576KB

            Download
          • memory/964-91-0x0000000000090000-0x00000000000BB000-memory.dmp
            Filesize

            172KB

            Download
          • memory/964-88-0x00000000022E0000-0x00000000025E3000-memory.dmp
            Filesize

            3.0MB

            Download
          • memory/964-89-0x0000000000AE0000-0x0000000000AEE000-memory.dmp
            Filesize

            56KB

            Download
          • memory/964-95-0x0000000000090000-0x00000000000BB000-memory.dmp
            Filesize

            172KB

            Download
          • memory/964-84-0x0000000000000000-mapping.dmp
            Download
          • memory/1100-90-0x0000000000000000-mapping.dmp
            Download
          • memory/1204-65-0x0000000000000000-mapping.dmp
            Download
          • memory/1204-69-0x0000000000280000-0x00000000002B4000-memory.dmp
            Filesize

            208KB

            Download
          • memory/1204-68-0x0000000000960000-0x00000000009AC000-memory.dmp
            Filesize

            304KB

            Download
          • memory/1272-79-0x0000000007140000-0x0000000007273000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/1272-92-0x0000000007280000-0x000000000733A000-memory.dmp
            Filesize

            744KB

            Download
          • memory/1272-94-0x0000000007340000-0x0000000007440000-memory.dmp
            Filesize

            1024KB

            Download
          • memory/1272-96-0x0000000007340000-0x0000000007440000-memory.dmp
            Filesize

            1024KB

            Download
          • memory/1272-82-0x0000000007280000-0x000000000733A000-memory.dmp
            Filesize

            744KB

            Download
          • memory/1408-85-0x000000005FFF0000-0x0000000060000000-memory.dmp
            Filesize

            64KB

            Download
          • memory/1408-60-0x00000000729FD000-0x0000000072A08000-memory.dmp
            Filesize

            44KB

            Download
          • memory/1408-55-0x0000000071A11000-0x0000000071A13000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1408-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
            Filesize

            64KB

            Download
          • memory/1408-57-0x00000000729FD000-0x0000000072A08000-memory.dmp
            Filesize

            44KB

            Download
          • memory/1408-58-0x00000000765C1000-0x00000000765C3000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1408-54-0x000000002F981000-0x000000002F984000-memory.dmp
            Filesize

            12KB

            Download
          • memory/1408-87-0x00000000729FD000-0x0000000072A08000-memory.dmp
            Filesize

            44KB

            Download
          • memory/1412-76-0x0000000000400000-0x000000000042B000-memory.dmp
            Filesize

            172KB

            Download
          • memory/1412-74-0x000000000041F2C0-mapping.dmp
            Download
          • memory/1412-70-0x0000000000400000-0x000000000042B000-memory.dmp
            Filesize

            172KB

            Download
          • memory/1412-71-0x0000000000400000-0x000000000042B000-memory.dmp
            Filesize

            172KB

            Download
          • memory/1412-73-0x0000000000400000-0x000000000042B000-memory.dmp
            Filesize

            172KB

            Download
          • memory/1412-78-0x0000000000570000-0x0000000000581000-memory.dmp
            Filesize

            68KB

            Download
          • memory/1412-83-0x0000000000400000-0x000000000042B000-memory.dmp
            Filesize

            172KB

            Download
          • memory/1412-77-0x00000000008F0000-0x0000000000BF3000-memory.dmp
            Filesize

            3.0MB

            Download
          • memory/1412-81-0x0000000002250000-0x0000000002261000-memory.dmp
            Filesize

            68KB

            Download