Analysis
- max time kernel: 150s
- max time network: 141s
- platform: windows7_x64
- resource: win7v200722
- submitted: 31-07-2020 11:12
- Static task: static1
- Behavioral task: behavioral1
- Sample: PO 17774.xls
- Resource: win7v200722

General
- Target: PO 17774.xls
- Size: 183KB
- MD5: 7689c98d5db51db149591210ad24c4ff
- SHA1: 4419b76003f333925f4cf84b5e679ff64d7d6d08
- SHA256: 6031b6aeab0b8c5111938e3c0819e717858aa3586bcdacea994d980ac36c5368
- SHA512: e6eab1c3b21e3f4fd76cebd9bc849ed07eec2c26bc4df5605a3628702abc8d3b099589acaf89cc8334448bcbc25ddc3810d8ea2d0f18009e343dbc8c1124db5b
Malware Config
Signatures

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
- pid 108 EXCEL.EXE

Executes dropped EXE (4 IoCs)
Processes:
- pid 1908 svchost32.exe
- pid 1812 svchost32.exe
- pid 1860 vgaaxu.exe
- pid 656 vgaaxu.exe

Suspicious behavior: EnumeratesProcesses (30 IoCs)
Processes:
- pid 1908 svchost32.exe
- pid 1812 svchost32.exe (2 entries)
- pid 468 wininit.exe (25 entries)
- pid 1860 vgaaxu.exe
- pid 656 vgaaxu.exe
System policy modification (1 TTP, 1 IoC)
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (wininit.exe)

Suspicious use of SendNotifyMessage (6 IoCs)
Processes:
- pid 1220 Explorer.EXE (6 entries)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BX4DUJ18FPNX = "C:\\Program Files (x86)\\J_bgx\\vgaaxu.exe" (wininit.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (wininit.exe)

Suspicious use of SetThreadContext (4 IoCs)
Processes:
- PID 1908 (svchost32.exe) set thread context of 1812 (svchost32.exe)
- PID 1812 (svchost32.exe) set thread context of 1220 (Explorer.EXE)
- PID 468 (wininit.exe) set thread context of 1220 (Explorer.EXE)
- PID 1860 (vgaaxu.exe) set thread context of 656 (vgaaxu.exe)

Formbook Payload (5 IoCs)
Resources matching YARA rule "formbook":
- behavioral1/memory/1812-7-0x0000000000400000-0x0000000000427000-memory.dmp (2 entries)
- behavioral1/memory/1812-8-0x000000000041C220-mapping.dmp
- behavioral1/memory/468-10-0x0000000000000000-mapping.dmp
- behavioral1/memory/656-29-0x000000000041C220-mapping.dmp
Office loads VBA resources, possible macro or embedded object present

Drops file in Program Files directory (2 IoCs)
Processes:
- File opened for modification: C:\Program Files (x86)\J_bgx\vgaaxu.exe (wininit.exe)
- File created: C:\Program Files (x86)\J_bgx\vgaaxu.exe (Explorer.EXE)

Modifies system certificate store
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 (EXCEL.EXE)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 (EXCEL.EXE)

Checks whether UAC is enabled
Processes:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Explorer.EXE)

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
- pid 108 EXCEL.EXE (3 entries)

Suspicious use of WriteProcessMemory (29 IoCs)
Processes:
- PID 108 (EXCEL.EXE) wrote to memory of 1908 (svchost32.exe) (4 entries)
- PID 1908 (svchost32.exe) wrote to memory of 1812 (svchost32.exe) (4 entries)
- PID 1220 (Explorer.EXE) wrote to memory of 468 (wininit.exe) (4 entries)
- PID 468 (wininit.exe) wrote to memory of 1512 (cmd.exe) (4 entries)
- PID 468 (wininit.exe) wrote to memory of 1144 (Firefox.exe) (5 entries)
- PID 1220 (Explorer.EXE) wrote to memory of 1860 (vgaaxu.exe) (4 entries)
- PID 1860 (vgaaxu.exe) wrote to memory of 656 (vgaaxu.exe) (4 entries)

Suspicious behavior: MapViewOfSection (9 IoCs)
Processes:
- pid 1908 svchost32.exe
- pid 1812 svchost32.exe (3 entries)
- pid 468 wininit.exe (4 entries)
- pid 1860 vgaaxu.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
- Token: SeDebugPrivilege, pid 1812 svchost32.exe
- Token: SeDebugPrivilege, pid 468 wininit.exe
- Token: SeDebugPrivilege, pid 656 vgaaxu.exe

Suspicious use of FindShellTrayWindow (7 IoCs)
Processes:
- pid 1220 Explorer.EXE (7 entries)

Modifies Internet Explorer settings
Processes:
- Key created: \Registry\User\S-1-5-21-2090973689-680783404-4292415065-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (wininit.exe)
Processes (process tree; indentation shows parent/child level)

C:\Windows\Explorer.EXE (level 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious use of SendNotifyMessage
- Drops file in Program Files directory
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow

  C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (level 2)
  Command line: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\PO 17774.xls"
  - Suspicious behavior: AddClipboardFormatListener
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Users\Public\svchost32.exe (level 3)
    Command line: "C:\Users\Public\svchost32.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: MapViewOfSection

      C:\Users\Public\svchost32.exe (level 4)
      Command line: "C:\Users\Public\svchost32.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\wininit.exe (level 2)
  Command line: "C:\Windows\SysWOW64\wininit.exe"
  - Suspicious behavior: EnumeratesProcesses
  - System policy modification
  - Adds policy Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Modifies Internet Explorer settings

    C:\Windows\SysWOW64\cmd.exe (level 3)
    Command line: /c del "C:\Users\Public\svchost32.exe"

    C:\Program Files\Mozilla Firefox\Firefox.exe (level 3)
    Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

  C:\Program Files (x86)\J_bgx\vgaaxu.exe (level 2)
  Command line: "C:\Program Files (x86)\J_bgx\vgaaxu.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection

    C:\Program Files (x86)\J_bgx\vgaaxu.exe (level 3)
    Command line: "C:\Program Files (x86)\J_bgx\vgaaxu.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\J_bgx\vgaaxu.exe (3 entries)
- C:\Users\Public\svchost32.exe (3 entries)
- memory/108-3-0x0000000006650000-0x0000000006750000-memory.dmp (Filesize 1024KB)
- memory/108-1-0x0000000006650000-0x0000000006750000-memory.dmp (Filesize 1024KB)
- memory/108-2-0x0000000006650000-0x0000000006750000-memory.dmp (Filesize 1024KB)
- memory/468-10-0x0000000000000000-mapping.dmp
- memory/468-11-0x0000000000C60000-0x0000000000C7A000-memory.dmp (Filesize 104KB)
- memory/468-13-0x0000000000A70000-0x0000000000B03000-memory.dmp (Filesize 588KB)
- memory/468-14-0x0000000075220000-0x000000007522C000-memory.dmp (Filesize 48KB)
- memory/468-15-0x0000000076970000-0x0000000076A8D000-memory.dmp (Filesize 1.1MB)
- memory/468-16-0x0000000076200000-0x000000007635C000-memory.dmp (Filesize 1.4MB)
- memory/468-22-0x0000000003A80000-0x0000000003BBA000-memory.dmp (Filesize 1.2MB)
- memory/656-29-0x000000000041C220-mapping.dmp
- memory/1144-24-0x000000013F5A0000-0x000000013F633000-memory.dmp (Filesize 588KB)
- memory/1144-23-0x0000000000000000-mapping.dmp
- memory/1512-12-0x0000000000000000-mapping.dmp
- memory/1812-8-0x000000000041C220-mapping.dmp
- memory/1812-7-0x0000000000400000-0x0000000000427000-memory.dmp (Filesize 156KB)
- memory/1860-25-0x0000000000000000-mapping.dmp
- memory/1908-4-0x0000000000000000-mapping.dmp