Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 10-12-2020 10:17
- Static task: static1
- Behavioral task: behavioral1
  Sample: 836390a3bb832e2b10fb7bf5ee0d88e7aa32179839e65b933ff2da2aabce8f89.xlsx
  Resource: win7v20201028
- Behavioral task: behavioral2
  Sample: 836390a3bb832e2b10fb7bf5ee0d88e7aa32179839e65b933ff2da2aabce8f89.xlsx
  Resource: win10v20201028
General
- Target: 836390a3bb832e2b10fb7bf5ee0d88e7aa32179839e65b933ff2da2aabce8f89.xlsx
- Size: 2.1MB
- MD5: c30d91c05ecd94de4ee314be1f27bf22
- SHA1: fed9790f0ebc832445b34ef1caabe137ed15e3ce
- SHA256: 836390a3bb832e2b10fb7bf5ee0d88e7aa32179839e65b933ff2da2aabce8f89
- SHA512: 0053323cf2d7fada473a23ddaffd7be38f3015613f651c15bc10d524db3a656c7ed20d522feb9a7f3183efeb3588d53865a3a9d259c7707ce1dbbf2d2981fcfb
Malware Config
Extracted
- Family: formbook
- C2 URL: http://www.herbmedia.net/csv8/
Signatures

Xloader Payload 3 IoCs
- resource behavioral1/memory/1996-68-0x0000000000400000-0x0000000000429000-memory.dmp, yara_rule xloader
- resource behavioral1/memory/1996-69-0x000000000041D0C0-mapping.dmp, yara_rule xloader
- resource behavioral1/memory/912-71-0x0000000000000000-mapping.dmp, yara_rule xloader

Blocklisted process makes network request 1 IoCs
- flow 5, pid 1512, Process EQNEDT32.EXE

Executes dropped EXE 6 IoCs
- pid 1424, Process vbc.exe
- pid 1516, Process vbc.exe
- pid 316, Process vbc.exe
- pid 1064, Process vbc.exe
- pid 1628, Process vbc.exe
- pid 1996, Process vbc.exe

Loads dropped DLL 4 IoCs
- pid 1512, Process EQNEDT32.EXE (4 entries)

Uses the VBS compiler for execution 1 TTPs

Suspicious use of SetThreadContext 4 IoCs
- PID 1424 set thread context of 1996 (pid 1424, Process vbc.exe, procid_target 37)
- PID 1996 set thread context of 1244 (pid 1996, Process vbc.exe, procid_target 9) (2 entries)
- PID 912 set thread context of 1244 (pid 912, Process colorcpl.exe, procid_target 9)

Enumerates system info in registry 2 TTPs 1 IoCs
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (Process EXCEL.EXE)

Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- pid 1512, Process EQNEDT32.EXE
Modifies Internet Explorer settings 9 IoCs
- Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (Process EXCEL.EXE)
- Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt (Process EXCEL.EXE)
- Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (Process EXCEL.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (Process EXCEL.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (Process EXCEL.EXE)
- Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar (Process EXCEL.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (Process EXCEL.EXE)
- Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (Process EXCEL.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (Process EXCEL.EXE)
Suspicious behavior: AddClipboardFormatListener 1 IoCs
- pid 1824, Process EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs
- pid 1424, Process vbc.exe (10 entries)
- pid 1996, Process vbc.exe (3 entries)
- pid 912, Process colorcpl.exe (17 entries)

Suspicious behavior: MapViewOfSection 6 IoCs
- pid 1996, Process vbc.exe (4 entries)
- pid 912, Process colorcpl.exe (2 entries)

Suspicious use of AdjustPrivilegeToken 5 IoCs
- Token: SeDebugPrivilege (pid 1424, Process vbc.exe)
- Token: SeDebugPrivilege (pid 1996, Process vbc.exe)
- Token: SeDebugPrivilege (pid 912, Process colorcpl.exe)
- Token: SeShutdownPrivilege (pid 1244, Process Explorer.EXE) (2 entries)

Suspicious use of FindShellTrayWindow 4 IoCs
- pid 1244, Process Explorer.EXE (4 entries)

Suspicious use of SendNotifyMessage 4 IoCs
- pid 1244, Process Explorer.EXE (4 entries)

Suspicious use of SetWindowsHookEx 3 IoCs
- pid 1824, Process EXCEL.EXE (3 entries)

Suspicious use of WriteProcessMemory 35 IoCs
- PID 1512 wrote to memory of 1424 (pid 1512, Process EQNEDT32.EXE, procid_target 32) (4 entries)
- PID 1424 wrote to memory of 1516 (pid 1424, Process vbc.exe, procid_target 34) (4 entries)
- PID 1424 wrote to memory of 316 (pid 1424, Process vbc.exe, procid_target 35) (4 entries)
- PID 1424 wrote to memory of 1064 (pid 1424, Process vbc.exe, procid_target 36) (4 entries)
- PID 1424 wrote to memory of 1628 (pid 1424, Process vbc.exe, procid_target 38) (4 entries)
- PID 1424 wrote to memory of 1996 (pid 1424, Process vbc.exe, procid_target 37) (7 entries)
- PID 1244 wrote to memory of 912 (pid 1244, Process Explorer.EXE, procid_target 39) (4 entries)
- PID 912 wrote to memory of 1476 (pid 912, Process colorcpl.exe, procid_target 40) (4 entries)
Processes

C:\Windows\Explorer.EXE (cmdline: C:\Windows\Explorer.EXE) PID:1244
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (cmdline: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\836390a3bb832e2b10fb7bf5ee0d88e7aa32179839e65b933ff2da2aabce8f89.xlsx) PID:1824
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\colorcpl.exe (cmdline: "C:\Windows\SysWOW64\colorcpl.exe") PID:912
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (cmdline: /c del "C:\Users\Public\vbc.exe") PID:1476

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding) PID:1512
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
  C:\Users\Public\vbc.exe (cmdline: "C:\Users\Public\vbc.exe") PID:1424
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Public\vbc.exe (cmdline: "{path}") PID:1516
    - Executes dropped EXE
    C:\Users\Public\vbc.exe (cmdline: "{path}") PID:316
    - Executes dropped EXE
    C:\Users\Public\vbc.exe (cmdline: "{path}") PID:1064
    - Executes dropped EXE
    C:\Users\Public\vbc.exe (cmdline: "{path}") PID:1996
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    C:\Users\Public\vbc.exe (cmdline: "{path}") PID:1628
    - Executes dropped EXE