Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 10-12-2020 09:56
- Static task: static1
- Behavioral task: behavioral1 (Sample: Companyprofile_Order_384658353.xlsx, Resource: win7v20201028)
- Behavioral task: behavioral2 (Sample: Companyprofile_Order_384658353.xlsx, Resource: win10v20201028)

General
- Target: Companyprofile_Order_384658353.xlsx
- Size: 2.1MB
- MD5: c30d91c05ecd94de4ee314be1f27bf22
- SHA1: fed9790f0ebc832445b34ef1caabe137ed15e3ce
- SHA256: 836390a3bb832e2b10fb7bf5ee0d88e7aa32179839e65b933ff2da2aabce8f89
- SHA512: 0053323cf2d7fada473a23ddaffd7be38f3015613f651c15bc10d524db3a656c7ed20d522feb9a7f3183efeb3588d53865a3a9d259c7707ce1dbbf2d2981fcfb
Malware Config
Extracted: formbook
URL: http://www.herbmedia.net/csv8/
Domains:
slgacha.com
oohdough.com
6983ylc.com
aykassociate.com
latin-hotspot.com
starrockindia.com
beamsubway.com
queensboutique1000.com
madbaddie.com
bhoomimart.com
ankitparivar.com
aldanasanchezmx.com
citest1597669833.com
cristianofreitas.com
myplantus.com
counterfeitmilk.com
8xf39.com
pregnantwomens.com
yyyut6.com
stnanguo.com
fessusesefsee.com
logansshop.net
familydalmatianhomes.com
accessible.legal
epicmassiveconcepts.com
indianfactopedia.com
exit-divorce.com
colliapse.com
nosishop.com
hayat-aljowaily.com
soundon.events
previnacovid19-br.com
traptlongview.com
splendidhotelspa.com
masterzushop.com
ednevents.com
studentdividers.com
treningi-enduro.com
hostingcoaster.com
gourmetgroceriesfast.com
thesouthbeachlife.com
teemergin.com
fixmygearfast.com
arb-invest.com
shemaledreamz.com
1819apparel.com
thedigitalsatyam.com
alparmuhendislik.com
distinctmusicproductions.com
procreditexpert.com
insights4innovation.com
jzbtl.com
1033325.com
sorteocamper.info
scheherazadelegault.com
glowportraiture.com
cleitstaapps.com
globepublishers.com
stattests.com
brainandbodystrengthcoach.com
magenx2.info
escaparati.com
wood-decor24.com
travelnetafrica.com
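The config above lists one URL and a set of bare domains. What follows is an added example, not part of the sandbox report, that parses that block exactly as it appears on the page and runs the result over a handful of constructed proxy-log lines. Formbook configs mix the live C2 with decoy domains and the report does not label which is which, so every entry is treated as an indicator, with a request to the configured URL path reported as the strongest signal. The log format, the sample lines and the suffix-only matching rule are my assumptions; the config text is the report's own list, abbreviated to its first entries.

```python
"""
Added example, not part of the sandbox report: turn the "Malware Config /
Extracted" block into a matcher and run it over constructed proxy-log lines.

Assumptions (mine): log lines look like "<timestamp> <client_ip> <host> <path>";
the config text below is the report's list, abbreviated to its first entries.
"""
from urllib.parse import urlsplit

# First lines of the report's "Extracted" block, copied as shown on the page.
EXTRACTED_CONFIG = """\
formbook
http://www.herbmedia.net/csv8/
slgacha.com
oohdough.com
6983ylc.com
aykassociate.com
latin-hotspot.com
starrockindia.com
"""

# Constructed proxy log, not taken from the report.
SAMPLE_LOG = [
    "2020-12-10T09:57:01Z 10.0.0.15 www.herbmedia.net /csv8/",
    "2020-12-10T09:57:03Z 10.0.0.15 cdn.slgacha.com /index.php",
    "2020-12-10T09:57:05Z 10.0.0.22 www.microsoft.com /en-us/",
    "2020-12-10T09:57:09Z 10.0.0.15 OOHDOUGH.COM. /",
    "2020-12-10T09:57:11Z 10.0.0.22 herbmedia.net.evil.example /csv8/",
]


def parse_config(text):
    """Split the extracted block into (family, {c2 urls}, {domains})."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    family, entries = lines[0], lines[1:]
    urls = {e for e in entries if "://" in e}
    domains = {e.lower().rstrip(".") for e in entries if "://" not in e}
    for url in urls:                       # the URL's host is an indicator too
        domains.add(urlsplit(url).hostname.lower())
    return family, urls, domains


def host_matches(host, domains):
    """Return the matching indicator for an exact or subdomain hit, else None.

    'cdn.slgacha.com' matches 'slgacha.com'; 'herbmedia.net.evil.example' does
    not match 'herbmedia.net', because only label suffixes are compared.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):       # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_proxy_log(lines, config_text):
    """Return one hit dict per log line whose host touches an indicator."""
    family, urls, domains = parse_config(config_text)
    c2_paths = {(urlsplit(u).hostname.lower(), urlsplit(u).path) for u in urls}
    hits = []
    for line in lines:
        ts, client, host, path = line.split(maxsplit=3)
        matched = host_matches(host, domains)
        if matched is None:
            continue
        norm_host = host.lower().rstrip(".")
        on_c2_path = any(norm_host == h and path.startswith(p) for h, p in c2_paths)
        hits.append({"ts": ts, "client": client, "host": host, "indicator": matched,
                     "family": family,
                     "kind": "c2-url" if on_c2_path else "config-domain"})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG, EXTRACTED_CONFIG):
        print(hit)
```

Paste the full domain list from the report into EXTRACTED_CONFIG to use it as-is; the parser only cares that the first line is the family name and that URLs contain "://".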
Signatures

Xloader Payload 3 IoCs
Processes:
  resource | yara_rule
  behavioral1/memory/1324-18-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral1/memory/1324-19-0x000000000041D0C0-mapping.dmp | xloader
  behavioral1/memory/1788-22-0x0000000000000000-mapping.dmp | xloader

Blocklisted process makes network request 1 IoCs
Processes:
  flow | pid | process
  5 | 1960 | EQNEDT32.EXE

Executes dropped EXE 2 IoCs
Processes:
  pid | process
  560 | vbc.exe
  1324 | vbc.exe

Loads dropped DLL 4 IoCs
Processes:
  pid | process | events
  1960 | EQNEDT32.EXE | 4

Uses the VBS compiler for execution 1 TTPs

Suspicious use of SetThreadContext 3 IoCs
Processes:
  description | pid | process | target process
  PID 560 set thread context of 1324 | 560 | vbc.exe | vbc.exe
  PID 1324 set thread context of 1256 | 1324 | vbc.exe | Explorer.EXE
  PID 1788 set thread context of 1256 | 1788 | wuapp.exe | Explorer.EXE

Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings 9 IoCs
Processes: EXCEL.EXE
  description | ioc
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
  Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar
  Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote

Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid | process
  740 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs
Processes:
  pid | process | events
  560 | vbc.exe | 2
  1324 | vbc.exe | 2
  1788 | wuapp.exe | 17

Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
  pid | process | events
  1324 | vbc.exe | 3
  1788 | wuapp.exe | 2

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 560 | vbc.exe
  Token: SeDebugPrivilege | 1324 | vbc.exe
  Token: SeDebugPrivilege | 1788 | wuapp.exe

Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
  pid | process | events
  740 | EXCEL.EXE | 3

Suspicious use of WriteProcessMemory 22 IoCs
Processes:
  description | pid | process | target process | events
  PID 1960 wrote to memory of 560 | 1960 | EQNEDT32.EXE | vbc.exe | 4
  PID 560 wrote to memory of 1324 | 560 | vbc.exe | vbc.exe | 7
  PID 1256 wrote to memory of 1788 | 1256 | Explorer.EXE | wuapp.exe | 7
  PID 1788 wrote to memory of 1328 | 1788 | wuapp.exe | cmd.exe | 4
Processes

C:\Windows\Explorer.EXE (PID 1256)
  "C:\Windows\Explorer.EXE"
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 740)
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Companyprofile_Order_384658353.xlsx
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\wuapp.exe (PID 1788)
    "C:\Windows\SysWOW64\wuapp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 1328)
      /c del "C:\Users\Public\vbc.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 1960)
  "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Users\Public\vbc.exe (PID 560)
    "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Public\vbc.exe (PID 1324)
      "{path}"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
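The process tree and the signatures above record a chain: EQNEDT32.EXE (started with -Embedding, so it appears as its own root) writes to and starts C:\Users\Public\vbc.exe; that vbc.exe sets the thread context of a second vbc.exe instance; the second instance sets the thread context of Explorer.EXE; Explorer.EXE then starts wuapp.exe, which again targets Explorer.EXE and finally runs cmd.exe /c del on the dropped file. The block below is an added example, not part of the report or of any sandbox's code: a correlation pass over process-telemetry events modelled on Sysmon-style process-create and cross-process-access records, with rules for each link in that chain. The event schema, the sample events (built from the PIDs and command lines in the report) and the rule names are my assumptions.

```python
"""
Added example, not part of the sandbox report: correlate process-telemetry
events into the alerts a detection engineer would want for the chain the
report shows (Equation Editor child, execution from a user-writable path,
cross-process SetThreadContext, a child spawned by an injected process, and
cmd.exe deleting the dropped file).

Assumptions (mine): events are dicts resembling Sysmon process-create and
cross-process-access records; the sample events below are constructed from
the PIDs and command lines in the report, not exported from it.
"""
import re

EQUATION_EDITOR = "eqnedt32.exe"
USER_WRITABLE_PREFIXES = ("c:\\users\\public\\",)   # extend for %TEMP% etc.

# Constructed telemetry mirroring the report's process tree (PIDs as reported).
SAMPLE_EVENTS = [
    {"type": "create", "pid": 740, "image": r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Companyprofile_Order_384658353.xlsx',
     "ppid": 1256, "pimage": r"C:\Windows\Explorer.EXE"},
    {"type": "create", "pid": 1960, "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding',
     "ppid": 0, "pimage": ""},   # DCOM-launched; the report shows no parent
    {"type": "create", "pid": 560, "image": r"C:\Users\Public\vbc.exe", "cmdline": r'"C:\Users\Public\vbc.exe"',
     "ppid": 1960, "pimage": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"type": "create", "pid": 1324, "image": r"C:\Users\Public\vbc.exe", "cmdline": r'"{path}"',
     "ppid": 560, "pimage": r"C:\Users\Public\vbc.exe"},
    {"type": "setthreadcontext", "pid": 560, "image": r"C:\Users\Public\vbc.exe",
     "target_pid": 1324, "target_image": r"C:\Users\Public\vbc.exe"},
    {"type": "setthreadcontext", "pid": 1324, "image": r"C:\Users\Public\vbc.exe",
     "target_pid": 1256, "target_image": r"C:\Windows\Explorer.EXE"},
    {"type": "create", "pid": 1788, "image": r"C:\Windows\SysWOW64\wuapp.exe", "cmdline": r'"C:\Windows\SysWOW64\wuapp.exe"',
     "ppid": 1256, "pimage": r"C:\Windows\Explorer.EXE"},
    {"type": "setthreadcontext", "pid": 1788, "image": r"C:\Windows\SysWOW64\wuapp.exe",
     "target_pid": 1256, "target_image": r"C:\Windows\Explorer.EXE"},
    {"type": "create", "pid": 1328, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": r'/c del "C:\Users\Public\vbc.exe"',
     "ppid": 1788, "pimage": r"C:\Windows\SysWOW64\wuapp.exe"},
]

# "del <path>" with or without surrounding quotes, as cmd.exe receives it.
DEL_RE = re.compile(r'\bdel\b\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events):
    """Return (rule, pid, detail) tuples; state carries across events so a
    later event can be judged by what earlier ones established."""
    alerts = []
    executed_from_writable = set()   # images that ran from a user-writable path
    injected_targets = set()         # PIDs that received a cross-process SetThreadContext
    for ev in events:
        if ev["type"] == "create":
            image_l = ev["image"].lower()
            if basename(ev["pimage"]) == EQUATION_EDITOR:
                alerts.append(("equation-editor-child", ev["pid"], ev["image"]))
            if image_l.startswith(USER_WRITABLE_PREFIXES):
                executed_from_writable.add(image_l)
                alerts.append(("exec-from-user-writable", ev["pid"], ev["image"]))
            if ev["ppid"] in injected_targets:
                alerts.append(("post-injection-child", ev["pid"], ev["image"]))
            m = DEL_RE.search(ev["cmdline"])
            if basename(ev["image"]) == "cmd.exe" and m and m.group(1).lower() in executed_from_writable:
                alerts.append(("dropper-self-delete", ev["pid"], m.group(1)))
        elif ev["type"] == "setthreadcontext" and ev["target_pid"] != ev["pid"]:
            same_image = basename(ev["target_image"]) == basename(ev["image"])
            rule = "hollowing-own-child" if same_image else "inject-into-other-process"
            alerts.append((rule, ev["pid"], ev["target_image"]))
            injected_targets.add(ev["target_pid"])
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The ordering matters: the self-delete rule only fires because an earlier event already recorded vbc.exe executing from C:\Users\Public, and the post-injection-child rule only fires for wuapp.exe because Explorer.EXE had already been the target of a SetThreadContext call. Feeding the events out of order would silently lose both alerts, which is the usual argument for keying such rules on a per-host timeline rather than on isolated events.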
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Public\vbc.exe (also logged as \Users\Public\vbc.exe)
  MD5: a79d979e02199dbf4e15bfd8f47d5339
  SHA1: f81614e383b471da2e5400fe7eb581dc6a6ef602
  SHA256: 84afc84c836007aa963472bb7db3ad4d2440e8fd79f7a9a2311a80c380f037a9
  SHA512: 0ef39e4e97b293623271d76b79cb8a17765ab081801313aa08b3755d395b75326f6c81a2192dec85f26cfbbe0a61366b742abfb18394b551c20fbdce25190e1a
Memory dumps:
  memory/560-7-0x0000000000000000-mapping.dmp
  memory/560-10-0x000000006C560000-0x000000006CC4E000-memory.dmp (Filesize: 6.9MB)
  memory/560-11-0x00000000008F0000-0x00000000008F1000-memory.dmp (Filesize: 4KB)
  memory/560-13-0x0000000000880000-0x00000000008E1000-memory.dmp (Filesize: 388KB)
  memory/560-16-0x0000000000640000-0x000000000064E000-memory.dmp (Filesize: 56KB)
  memory/560-17-0x0000000005190000-0x00000000051F1000-memory.dmp (Filesize: 388KB)
  memory/1220-2-0x000007FEF7E50000-0x000007FEF80CA000-memory.dmp (Filesize: 2.5MB)
  memory/1324-18-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
  memory/1324-19-0x000000000041D0C0-mapping.dmp
  memory/1328-24-0x0000000000000000-mapping.dmp
  memory/1788-22-0x0000000000000000-mapping.dmp
  memory/1788-23-0x0000000000C90000-0x0000000000C9B000-memory.dmp (Filesize: 44KB)
  memory/1788-25-0x00000000042E0000-0x0000000004463000-memory.dmp (Filesize: 1.5MB)