29ab73c3458a25362a6b1dd25d77301156887f6ac2f6e9def94282bcb54631d2

General

Target

Shipping_docs.xlsx
Size

575KB
MD5

810424744a4fe0841782a3951a960289
SHA1

39482846b08dc45f293a6ef53b69e262459f747d
SHA256

29ab73c3458a25362a6b1dd25d77301156887f6ac2f6e9def94282bcb54631d2
SHA512

bc42c366891eab39fb464d736188a3b0eb60a96c0dd703015a7b6c59784763cb7099e24665e766f0547fadaad0d97601ad7e876463c78b1092aae7e42cbbb768

Score

8^/10

spyware

Malware Config

Signatures

Blacklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

4 1604 EQNEDT32.EXE
Executes dropped EXE 1 IoCs

Processes:

vbc.exe

pid process

1804 vbc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vbc.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 1804 vbc.exe
Token: SeDebugPrivilege 2012 RegSvcs.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1392 EXCEL.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1392 EXCEL.EXE
1392 EXCEL.EXE
1392 EXCEL.EXE
Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 1804 set thread context of 2012 1804 vbc.exe RegSvcs.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
4	1604	EQNEDT32.EXE

pid	process
1804	vbc.exe

description	pid	process
Token: SeDebugPrivilege	1804	vbc.exe
Token: SeDebugPrivilege	2012	RegSvcs.exe

pid	process
1392	EXCEL.EXE

pid	process
1392	EXCEL.EXE
1392	EXCEL.EXE
1392	EXCEL.EXE

description	pid	process	target process
PID 1804 set thread context of 2012	1804	vbc.exe	RegSvcs.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

EQNEDT32.EXEvbc.exe

description	pid	process	target process
PID 1604 wrote to memory of 1804	1604	EQNEDT32.EXE	vbc.exe
PID 1604 wrote to memory of 1804	1604	EQNEDT32.EXE	vbc.exe
PID 1604 wrote to memory of 1804	1604	EQNEDT32.EXE	vbc.exe
PID 1604 wrote to memory of 1804	1604	EQNEDT32.EXE	vbc.exe
PID 1804 wrote to memory of 2004	1804	vbc.exe	RegSvcs.exe
PID 1804 wrote to memory of 2004	1804	vbc.exe	RegSvcs.exe
PID 1804 wrote to memory of 2004	1804	vbc.exe	RegSvcs.exe
PID 1804 wrote to memory of 2004	1804	vbc.exe	RegSvcs.exe
PID 1804 wrote to memory of 2004	1804	vbc.exe	RegSvcs.exe
PID 1804 wrote to memory of 2004	1804	vbc.exe	RegSvcs.exe
PID 1804 wrote to memory of 2004	1804	vbc.exe	RegSvcs.exe
PID 1804 wrote to memory of 2012	1804	vbc.exe	RegSvcs.exe
PID 1804 wrote to memory of 2012	1804	vbc.exe	RegSvcs.exe
PID 1804 wrote to memory of 2012	1804	vbc.exe	RegSvcs.exe
PID 1804 wrote to memory of 2012	1804	vbc.exe	RegSvcs.exe
PID 1804 wrote to memory of 2012	1804	vbc.exe	RegSvcs.exe
PID 1804 wrote to memory of 2012	1804	vbc.exe	RegSvcs.exe
PID 1804 wrote to memory of 2012	1804	vbc.exe	RegSvcs.exe
PID 1804 wrote to memory of 2012	1804	vbc.exe	RegSvcs.exe
PID 1804 wrote to memory of 2012	1804	vbc.exe	RegSvcs.exe
PID 1804 wrote to memory of 2012	1804	vbc.exe	RegSvcs.exe
PID 1804 wrote to memory of 2012	1804	vbc.exe	RegSvcs.exe
PID 1804 wrote to memory of 2012	1804	vbc.exe	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

vbc.exeRegSvcs.exe

pid process

1804 vbc.exe
1804 vbc.exe
1804 vbc.exe
2012 RegSvcs.exe
2012 RegSvcs.exe

pid	process
1804	vbc.exe
1804	vbc.exe
1804	vbc.exe
2012	RegSvcs.exe
2012	RegSvcs.exe

Modifies registry class 280 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C05742E7-58B7-4E1F-8D05-D2C95D142D7B}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\TypeLib\{C05742E7-58B7-4E1F-8D05-D2C95D142D7B}\2.0\ = "Microsoft Forms 2.0 Object Library"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\TypeLib\{C05742E7-58B7-4E1F-8D05-D2C95D142D7B}\2.0\FLAGS\ = "6"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C05742E7-58B7-4E1F-8D05-D2C95D142D7B}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Excel8.0"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Wow6432Node	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\TypeLib\{C05742E7-58B7-4E1F-8D05-D2C95D142D7B}\2.0\0\win32	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1604 EQNEDT32.EXE
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

1604 EQNEDT32.EXE

pid	process
1604	EQNEDT32.EXE

pid	process
1604	EQNEDT32.EXE

C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Shipping_docs.xlsx
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Modifies registry class
PID:1392

C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blacklisted process makes network request
- Suspicious use of WriteProcessMemory
- Launches Equation Editor
- Loads dropped DLL
PID:1604

C:\Users\Admin\AppData\Roaming\vbc.exe
"C:\Users\Admin\AppData\Roaming\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:1804

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
PID:2004

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:2012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\vbc.exe

Download Submit
C:\Users\Admin\AppData\Roaming\vbc.exe

Download Submit
\Users\Admin\AppData\Roaming\vbc.exe

Download Submit
memory/1392-4-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/1392-6-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/1804-1-0x0000000000000000-mapping.dmp

Download
memory/2012-7-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2012-8-0x00000000004456EE-mapping.dmp

Download
memory/2012-9-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2012-10-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing