Overview

overview

10

Static

static

shipping document.exe

windows7_x64

10

shipping document.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    27-06-2022 14:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    shipping document.exe

  • Size

    521KB

  • MD5

    557350a46a849eb9ae8bc28a629bf3d5

  • SHA1

    8a773187553730b62bc9ba58457b8a97523f953e

  • SHA256

    576d080b4cab07bd5c3ef3e5d6a222b91744368ed837a3e56eb89772c1b5a1de

  • SHA512

    aee4d4881f1d20b7837f690291702c7ead7c6900f0a68fa29f6c5fbd06fc91d7d13f893b70543c172d3a3732d47262aeca3209af81cc396eddc3dd3412ccad64

Score
10/10
formbookxloaderpdrqevasionloaderpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

pdrq

Decoy

welchsunstar.com

mppservicesllc.com

wiresofteflon.com

brabov.xyz

compnonoch.site

yourbuilderworks.com

iamsamirahman.com

eriqoes.com

eastudio.design

skyearth-est.com

teethfitness.com

razaancreates.com

shfbfs.com

joyfulbrokekids.com

kjbolden.com

howirep.com

deedeesmainecoons.website

e-powair.com

aheatea.com

shalfey0009.xyz

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Xloader Payload 6 IoCs
    rat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1220
    • C:\Users\Admin\AppData\Local\Temp\shipping document.exe
      "C:\Users\Admin\AppData\Local\Temp\shipping document.exe"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Maps connected drives based on registry
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1056
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ylJHrC.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1512
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ylJHrC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6E1F.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:320
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:336
        • C:\Windows\SysWOW64\chkdsk.exe
          "C:\Windows\SysWOW64\chkdsk.exe"
          4⤵
          • Adds policy Run key to start application
          • Suspicious use of SetThreadContext
          • Drops file in Program Files directory
          • Enumerates system info in registry
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1368
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            5⤵
              PID:688
            • C:\Program Files\Mozilla Firefox\Firefox.exe
              "C:\Program Files\Mozilla Firefox\Firefox.exe"
              5⤵
                PID:1040

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp6E1F.tmp
        Filesize

        1KB

        MD5

        8d90d1cf57addf10ccd50715c1376e78

        SHA1

        cffc59ee9f80627c3a84afabb3e37a789804a2d3

        SHA256

        4109231c719120236b9acc8d5e71e701eda99c1a810f6e8cecd80ab3c9e5fdb7

        SHA512

        7344eb7702628c3d004b60143a7ce23a34f2006018a1d7a86b6189c8c0ae6e61de17dcef149139707e2c75ee062f3e6a132a09990c0683dcee785faf17032719

        Download Submit
      • memory/320-60-0x0000000000000000-mapping.dmp
        Download
      • memory/336-72-0x0000000000A60000-0x0000000000D63000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/336-79-0x0000000000400000-0x000000000042B000-memory.dmp
        Filesize

        172KB

        Download
      • memory/336-76-0x0000000000230000-0x0000000000241000-memory.dmp
        Filesize

        68KB

        Download
      • memory/336-75-0x0000000000400000-0x000000000042B000-memory.dmp
        Filesize

        172KB

        Download
      • memory/336-73-0x00000000001F0000-0x0000000000201000-memory.dmp
        Filesize

        68KB

        Download
      • memory/336-68-0x000000000041F270-mapping.dmp
        Download
      • memory/336-67-0x0000000000400000-0x000000000042B000-memory.dmp
        Filesize

        172KB

        Download
      • memory/336-64-0x0000000000400000-0x000000000042B000-memory.dmp
        Filesize

        172KB

        Download
      • memory/336-65-0x0000000000400000-0x000000000042B000-memory.dmp
        Filesize

        172KB

        Download
      • memory/688-80-0x0000000000000000-mapping.dmp
        Download
      • memory/1056-63-0x00000000047C0000-0x00000000047F2000-memory.dmp
        Filesize

        200KB

        Download
      • memory/1056-55-0x00000000764C1000-0x00000000764C3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1056-57-0x00000000002E0000-0x00000000002EA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/1056-56-0x00000000002B0000-0x00000000002CC000-memory.dmp
        Filesize

        112KB

        Download
      • memory/1056-58-0x00000000046E0000-0x000000000474A000-memory.dmp
        Filesize

        424KB

        Download
      • memory/1056-54-0x0000000000F80000-0x0000000001008000-memory.dmp
        Filesize

        544KB

        Download
      • memory/1220-85-0x0000000004DB0000-0x0000000004F2B000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/1220-74-0x0000000004B20000-0x0000000004CA6000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/1220-87-0x0000000004DB0000-0x0000000004F2B000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/1220-77-0x0000000004CB0000-0x0000000004DA3000-memory.dmp
        Filesize

        972KB

        Download
      • memory/1368-78-0x0000000000000000-mapping.dmp
        Download
      • memory/1368-81-0x0000000000D70000-0x0000000000D77000-memory.dmp
        Filesize

        28KB

        Download
      • memory/1368-82-0x0000000000080000-0x00000000000AB000-memory.dmp
        Filesize

        172KB

        Download
      • memory/1368-83-0x0000000002180000-0x0000000002483000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1368-84-0x0000000000550000-0x00000000005E0000-memory.dmp
        Filesize

        576KB

        Download
      • memory/1368-86-0x0000000000080000-0x00000000000AB000-memory.dmp
        Filesize

        172KB

        Download
      • memory/1512-71-0x000000006E2C0000-0x000000006E86B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1512-69-0x000000006E2C0000-0x000000006E86B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1512-59-0x0000000000000000-mapping.dmp
        Download