Overview

overview

10

Static

static

tis.xlsx

windows7_x64

10

tis.xlsx

windows10-2004_x64

1

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    29-06-2022 07:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tis.xlsx

  • Size

    163KB

  • MD5

    bfcb1b708667f051f3827417b0afd50c

  • SHA1

    95d69c432c2bc4bfa9e3bb5606343e6bc20bb8a3

  • SHA256

    41fa0a80e6b5b99e53343793ea3f8f1b2818d7012c7e82f71bad7b3f46fd632c

  • SHA512

    804b3fb392117f68b5a2b39c95ca1abe79d70c60c42400cf810253c7de5d112d1446c5906da3bb39835aa6d006b97ac768ef3f825d40edba03e60143552deeeb

Score
10/10
xloadernn40loaderratspywarestealersuricata

Malware Config

Extracted

Family

xloader

Version

2.8

Campaign

nn40

Decoy

LYAg0yANOGEAGeaFOrA/

MQWuERZplP+VZy/uszI=

CF0oDN0JimIaGy/uszI=

ltJnyC+ReohYaiTvj1qbEA==

B9OkgdctVKBAFjSUaw==

sbDVwSZVVqVB11/deow8GA==

v1gHDe0pzno=

i+/0n2vHUfGPR98k77tukZ90MQ==

SUtCnbS96Qm21g==

8X9qzyt1dpAo31jXrXfKb49fBPY=

5KlPxqHzSstuFjSUaw==

0r/Kesv/zuanroxvNQW0Gm8=

FFgS7kfPYAqpdhhgRgnBJHY=

LgusAHrkrIoWr0FWIe2o/04UXPw=

vBq9Gvxa9wbKbS/uszI=

Z+q6HAZNNeqwwQ==

wbS4fMb06SjU5Kbseow8GA==

1mZEuZvJ/m0L9bof56PkkZ90MQ==

JCJIM74lHk/o+tiFOrA/

d14FrM8rGEgIzVkT67+3XaEh

Signatures

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • Xloader Payload 5 IoCs
    rat
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1280
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\tis.xlsx
      2⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:664
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Users\Public\vbc.exe
      "C:\Users\Public\vbc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1920
      • C:\Users\Public\vbc.exe
        "C:\Users\Public\vbc.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1828
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\SysWOW64\rundll32.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1548
          • C:\Program Files\Mozilla Firefox\Firefox.exe
            "C:\Program Files\Mozilla Firefox\Firefox.exe"
            5⤵
              PID:524

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scripting

    1
    T1064

    Exploitation for Client Execution

    1
    T1203

    Persistence

    Privilege Escalation

    Defense Evasion

    Scripting

    1
    T1064

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\vbc.exe
      Filesize

      876KB

      MD5

      4b86af1f12bcc05b5586eec0f26e0ef9

      SHA1

      750cec00b9f8b8298436e41bf8083c7842b95b05

      SHA256

      d7dae1d41bdbc82c9162dc6d129670c05d5e80dc83783a48df90616099ca507d

      SHA512

      325426b9274b1e8e30740123f738f137d4055aae1d00cd1af3b1dd704882f0d058dc767af4cbdfb6b419b5137c4349d31cdfacb879d1c2c1d99e61dc29959418

      Download Submit
    • C:\Users\Public\vbc.exe
      Filesize

      876KB

      MD5

      4b86af1f12bcc05b5586eec0f26e0ef9

      SHA1

      750cec00b9f8b8298436e41bf8083c7842b95b05

      SHA256

      d7dae1d41bdbc82c9162dc6d129670c05d5e80dc83783a48df90616099ca507d

      SHA512

      325426b9274b1e8e30740123f738f137d4055aae1d00cd1af3b1dd704882f0d058dc767af4cbdfb6b419b5137c4349d31cdfacb879d1c2c1d99e61dc29959418

      Download Submit
    • C:\Users\Public\vbc.exe
      Filesize

      876KB

      MD5

      4b86af1f12bcc05b5586eec0f26e0ef9

      SHA1

      750cec00b9f8b8298436e41bf8083c7842b95b05

      SHA256

      d7dae1d41bdbc82c9162dc6d129670c05d5e80dc83783a48df90616099ca507d

      SHA512

      325426b9274b1e8e30740123f738f137d4055aae1d00cd1af3b1dd704882f0d058dc767af4cbdfb6b419b5137c4349d31cdfacb879d1c2c1d99e61dc29959418

      Download Submit
    • \Users\Public\vbc.exe
      Filesize

      876KB

      MD5

      4b86af1f12bcc05b5586eec0f26e0ef9

      SHA1

      750cec00b9f8b8298436e41bf8083c7842b95b05

      SHA256

      d7dae1d41bdbc82c9162dc6d129670c05d5e80dc83783a48df90616099ca507d

      SHA512

      325426b9274b1e8e30740123f738f137d4055aae1d00cd1af3b1dd704882f0d058dc767af4cbdfb6b419b5137c4349d31cdfacb879d1c2c1d99e61dc29959418

      Download Submit
    • \Users\Public\vbc.exe
      Filesize

      876KB

      MD5

      4b86af1f12bcc05b5586eec0f26e0ef9

      SHA1

      750cec00b9f8b8298436e41bf8083c7842b95b05

      SHA256

      d7dae1d41bdbc82c9162dc6d129670c05d5e80dc83783a48df90616099ca507d

      SHA512

      325426b9274b1e8e30740123f738f137d4055aae1d00cd1af3b1dd704882f0d058dc767af4cbdfb6b419b5137c4349d31cdfacb879d1c2c1d99e61dc29959418

      Download Submit
    • \Users\Public\vbc.exe
      Filesize

      876KB

      MD5

      4b86af1f12bcc05b5586eec0f26e0ef9

      SHA1

      750cec00b9f8b8298436e41bf8083c7842b95b05

      SHA256

      d7dae1d41bdbc82c9162dc6d129670c05d5e80dc83783a48df90616099ca507d

      SHA512

      325426b9274b1e8e30740123f738f137d4055aae1d00cd1af3b1dd704882f0d058dc767af4cbdfb6b419b5137c4349d31cdfacb879d1c2c1d99e61dc29959418

      Download Submit
    • \Users\Public\vbc.exe
      Filesize

      876KB

      MD5

      4b86af1f12bcc05b5586eec0f26e0ef9

      SHA1

      750cec00b9f8b8298436e41bf8083c7842b95b05

      SHA256

      d7dae1d41bdbc82c9162dc6d129670c05d5e80dc83783a48df90616099ca507d

      SHA512

      325426b9274b1e8e30740123f738f137d4055aae1d00cd1af3b1dd704882f0d058dc767af4cbdfb6b419b5137c4349d31cdfacb879d1c2c1d99e61dc29959418

      Download Submit
    • memory/664-58-0x000000007222D000-0x0000000072238000-memory.dmp
      Filesize

      44KB

      Download
    • memory/664-57-0x0000000075FC1000-0x0000000075FC3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/664-99-0x000000007222D000-0x0000000072238000-memory.dmp
      Filesize

      44KB

      Download
    • memory/664-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/664-55-0x0000000071241000-0x0000000071243000-memory.dmp
      Filesize

      8KB

      Download
    • memory/664-98-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

      Download
    • memory/664-70-0x000000007222D000-0x0000000072238000-memory.dmp
      Filesize

      44KB

      Download
    • memory/664-54-0x000000002FCD1000-0x000000002FCD4000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1280-97-0x00000000071D0000-0x0000000007356000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/1280-96-0x00000000071D0000-0x0000000007356000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/1280-88-0x0000000006AE0000-0x0000000006BAE000-memory.dmp
      Filesize

      824KB

      Download
    • memory/1280-85-0x0000000006920000-0x00000000069F0000-memory.dmp
      Filesize

      832KB

      Download
    • memory/1548-89-0x0000000000000000-mapping.dmp
      Download
    • memory/1548-92-0x0000000000F30000-0x0000000000F3E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1548-95-0x0000000000A00000-0x0000000000A90000-memory.dmp
      Filesize

      576KB

      Download
    • memory/1548-93-0x00000000000E0000-0x000000000010C000-memory.dmp
      Filesize

      176KB

      Download
    • memory/1548-94-0x0000000000B80000-0x0000000000E83000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1828-83-0x0000000000400000-0x000000000042C000-memory.dmp
      Filesize

      176KB

      Download
    • memory/1828-90-0x0000000000400000-0x000000000042C000-memory.dmp
      Filesize

      176KB

      Download
    • memory/1828-84-0x0000000000150000-0x0000000000161000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1828-74-0x0000000000400000-0x000000000042C000-memory.dmp
      Filesize

      176KB

      Download
    • memory/1828-87-0x00000000001A0000-0x00000000001B1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1828-78-0x000000000041F640-mapping.dmp
      Download
    • memory/1828-75-0x0000000000400000-0x000000000042C000-memory.dmp
      Filesize

      176KB

      Download
    • memory/1828-77-0x0000000000400000-0x000000000042C000-memory.dmp
      Filesize

      176KB

      Download
    • memory/1828-82-0x0000000000C80000-0x0000000000F83000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1920-80-0x0000000004DF5000-0x0000000004E06000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1920-72-0x0000000004D30000-0x0000000004D9A000-memory.dmp
      Filesize

      424KB

      Download
    • memory/1920-73-0x0000000001EF0000-0x0000000001F22000-memory.dmp
      Filesize

      200KB

      Download
    • memory/1920-71-0x00000000004C0000-0x00000000004CA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1920-69-0x00000000004A0000-0x00000000004B6000-memory.dmp
      Filesize

      88KB

      Download
    • memory/1920-67-0x0000000000A00000-0x0000000000AE2000-memory.dmp
      Filesize

      904KB

      Download
    • memory/1920-64-0x0000000000000000-mapping.dmp
      Download