Analysis
  max time kernel: 71s
  max time network: 13s
  platform: windows7_x64
  resource: win7v20201028
  submitted: 26-11-2020 06:13

  Static task: static1
  Behavioral task: behavioral1
    Sample: PI202009255687.xlsx
    Resource: win7v20201028
  Behavioral task: behavioral2
    Sample: PI202009255687.xlsx
    Resource: win10v20201028

General
  Target: PI202009255687.xlsx
  Size: 2.5MB
  MD5: d7c0c12c1cdf36e9f97f96cb3fe16ae0
  SHA1: e73e8bd48f5ef68747de444e44d59745cb75b08a
  SHA256: 76b2d9b4655b8a349e1b5c7bf05ac5bb22bea988bc818e46756b17d7e22a37d1
  SHA512: 1032c3abfa95c26c00c42b5bba0ef6bfd565b9391a255f7eb36f5edee271a46fac0e1a707c23a5820a307a76c4773a8b74f0f15efa2c594d6d79e953c52d5a7b
Malware Config
  Extracted family: formbook
  http://www.blog-cybersecurite.net/ogg/
Signatures

Formbook Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/1152-8-0x0000000000070000-0x000000000009E000-memory.dmp | formbook
  behavioral1/memory/1152-9-0x000000000008EB50-mapping.dmp | formbook
  behavioral1/memory/1152-16-0x000000000008EB50-mapping.dmp | formbook

Blacklisted process makes network request (1 IoCs)
  flow | pid | process
  6 | 2000 | EQNEDT32.EXE

Executes dropped EXE (2 IoCs)
  pid | process
  1560 | vbc.exe
  1152 | vbc.exe

Loads dropped DLL (7 IoCs)
  pid | process
  2000 | EQNEDT32.EXE
  2000 | EQNEDT32.EXE
  2000 | EQNEDT32.EXE
  2000 | EQNEDT32.EXE
  1856 | WerFault.exe
  1856 | WerFault.exe
  1856 | WerFault.exe

Uses the VBS compiler for execution (1 TTPs)

Suspicious use of SetThreadContext (1 IoCs)
  description | pid | process | target process
  PID 1560 set thread context of 1152 | 1560 | vbc.exe | vbc.exe

Program crash (1 IoCs)
  pid | pid_target | process | target process
  1856 | 1152 | WerFault.exe | vbc.exe

Enumerates system info in registry (2 TTPs, 1 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
Launches Equation Editor (1 TTPs, 1 IoCs)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid | process
  1764 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | process
  1856 | WerFault.exe
  1856 | WerFault.exe
  1856 | WerFault.exe
  1856 | WerFault.exe
  1856 | WerFault.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid | process
  1560 | vbc.exe
  1560 | vbc.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1856 | WerFault.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
  pid | process
  1764 | EXCEL.EXE
  1764 | EXCEL.EXE
  1764 | EXCEL.EXE
  1764 | EXCEL.EXE
  1764 | EXCEL.EXE
  1764 | EXCEL.EXE
  1764 | EXCEL.EXE

Suspicious use of WriteProcessMemory (13 IoCs)
  description | pid | process | target process
  PID 2000 wrote to memory of 1560 | 2000 | EQNEDT32.EXE | vbc.exe
  PID 2000 wrote to memory of 1560 | 2000 | EQNEDT32.EXE | vbc.exe
  PID 2000 wrote to memory of 1560 | 2000 | EQNEDT32.EXE | vbc.exe
  PID 2000 wrote to memory of 1560 | 2000 | EQNEDT32.EXE | vbc.exe
  PID 1560 wrote to memory of 1152 | 1560 | vbc.exe | vbc.exe
  PID 1560 wrote to memory of 1152 | 1560 | vbc.exe | vbc.exe
  PID 1560 wrote to memory of 1152 | 1560 | vbc.exe | vbc.exe
  PID 1560 wrote to memory of 1152 | 1560 | vbc.exe | vbc.exe
  PID 1560 wrote to memory of 1152 | 1560 | vbc.exe | vbc.exe
  PID 1152 wrote to memory of 1856 | 1152 | vbc.exe | WerFault.exe
  PID 1152 wrote to memory of 1856 | 1152 | vbc.exe | WerFault.exe
  PID 1152 wrote to memory of 1856 | 1152 | vbc.exe | WerFault.exe
  PID 1152 wrote to memory of 1856 | 1152 | vbc.exe | WerFault.exe
Processes (indentation shows the process tree depth)

  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PI202009255687.xlsx
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

  C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    - Blacklisted process makes network request
    - Loads dropped DLL
    - Launches Equation Editor
    - Suspicious use of WriteProcessMemory

    C:\Users\Public\vbc.exe
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Users\Public\vbc.exe
        Command line: "C:\Users\Public\vbc.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 36
          - Loads dropped DLL
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

  C:\Users\Public\vbc.exe
    MD5: e54d832cb872b7dc086ab7a7878d38fb
    SHA1: dd865deaffa4558eebebcb83b5335de2b0b26327
    SHA256: 06a0e3845d7b4c5593a9143eb1ae73223760d68f2acf0e5be631b9eeab3675f3
    SHA512: 04a78936551df1bf62d4b256c2a5888af840d9f1fb1735810b1c5145af0795c6c84e03b66754137242691aa0ffa26ceb7295d3cdc59323b939daa8d7cb24bac0
  memory/1152-8-0x0000000000070000-0x000000000009E000-memory.dmp (Filesize: 184KB)
  memory/1152-9-0x000000000008EB50-mapping.dmp
  memory/1152-16-0x000000000008EB50-mapping.dmp
  memory/1560-5-0x0000000000000000-mapping.dmp
  memory/1856-12-0x0000000000000000-mapping.dmp
  memory/1856-13-0x0000000001F80000-0x0000000001F91000-memory.dmp (Filesize: 68KB)
  memory/1856-17-0x00000000025A0000-0x00000000025B1000-memory.dmp (Filesize: 68KB)
  memory/1856-19-0x00000000025A0000-0x00000000025B1000-memory.dmp (Filesize: 68KB)
  memory/1888-0-0x000007FEF7F80000-0x000007FEF81FA000-memory.dmp (Filesize: 2.5MB)