Analysis
-
max time kernel
151s -
max time network
152s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
12-01-2021 16:58
Static task
static1
Behavioral task
behavioral1
Sample
PO890299700006.xlsx
Resource
win7v20201028
Behavioral task
behavioral2
Sample
PO890299700006.xlsx
Resource
win10v20201028
General
-
Target
PO890299700006.xlsx
-
Size
1.6MB
-
MD5
2103ff7e24639940bd798329f87cc01b
-
SHA1
4791c53bc2f80cc3a57e21d02af58acad7be6bd4
-
SHA256
6f5b5a509984fec1db8a161cb82c74ead7bcdd7fb2f683e3a7c0ed69c70c69b6
-
SHA512
56c5f5685de78321e67758d60184fabd47e768a37e0f78e90a13823ca61bf71517608c55d073a960f9b2e3bd726fba073ed30a427a164941bee91ab0ea26a7ad
Malware Config
Extracted
formbook
http://www.bodyfuelrtd.com/8rg4/
fakecostasunglasses.com
twinbrothers.pizza
jizhoujsp.com
qscrit.com
hotelmanise.com
fer-ua.online
europserver-simcloud.systems
redwap2.pro
betwalkoffame.com
latashalovemillionaire.com
8million-lr.com
tomatrader.com
modaluxcutabovefitness.com
shishijiazu.com
cckytx.com
reversehomeloansmiami.com
imaginenationnetwork.com
thecyclistshop.com
jorgegiljewelry.com
hlaprotiens.com
biblecourt.com
puzelhome.com
musicbychristina.com
iregentos.info
ephwehemeral.com
qubeeva.com
healingwithkarlee.com
giftasmile2day.com
ondesign03.net
argusproductionsus.com
tootleshook.com
sukien-freefire12.com
windmaske.com
futbolclubbarcelona.soccer
veteransc60.com
steambackpacktrade.info
zingnation.com
myfoodworldcup.com
playitaintso.net
crafteest.com
deutschekorrosionsschutz.net
streamcommunitty.com
gatehess.com
hechoenvegas.net
4037a.com
santanabeautycares.com
100feetpics.com
johnsroadantiques.com
improve-climbing.com
18shuwu.net
amazon-support-recovery.com
vibrarecovery.com
deskdonors.info
triagggroup.com
probysweden.com
helloinward.com
vvardown.com
kicksends.com
alwayadopt.com
modernappsllc.com
itswooby.com
med.vegas
chadwestconsulting.com
africanosworld.com
Signatures
-
Xloader Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1368-16-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral1/memory/1368-17-0x000000000041D070-mapping.dmp xloader behavioral1/memory/1648-19-0x0000000000000000-mapping.dmp xloader -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 7 1108 EQNEDT32.EXE -
Executes dropped EXE 3 IoCs
Processes:
vbc.exevbc.exevbc.exepid process 1396 vbc.exe 2044 vbc.exe 1368 vbc.exe -
Loads dropped DLL 4 IoCs
Processes:
EQNEDT32.EXEpid process 1108 EQNEDT32.EXE 1108 EQNEDT32.EXE 1108 EQNEDT32.EXE 1108 EQNEDT32.EXE -
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
vbc.exevbc.execmmon32.exedescription pid process target process PID 1396 set thread context of 1368 1396 vbc.exe vbc.exe PID 1368 set thread context of 1260 1368 vbc.exe Explorer.EXE PID 1648 set thread context of 1260 1648 cmmon32.exe Explorer.EXE -
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
EXCEL.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 1432 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
vbc.exevbc.execmmon32.exepid process 1396 vbc.exe 1396 vbc.exe 1368 vbc.exe 1368 vbc.exe 1648 cmmon32.exe 1648 cmmon32.exe 1648 cmmon32.exe 1648 cmmon32.exe 1648 cmmon32.exe 1648 cmmon32.exe 1648 cmmon32.exe 1648 cmmon32.exe 1648 cmmon32.exe 1648 cmmon32.exe 1648 cmmon32.exe 1648 cmmon32.exe 1648 cmmon32.exe 1648 cmmon32.exe 1648 cmmon32.exe 1648 cmmon32.exe 1648 cmmon32.exe 1648 cmmon32.exe 1648 cmmon32.exe 1648 cmmon32.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
vbc.execmmon32.exepid process 1368 vbc.exe 1368 vbc.exe 1368 vbc.exe 1648 cmmon32.exe 1648 cmmon32.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vbc.exevbc.execmmon32.exedescription pid process Token: SeDebugPrivilege 1396 vbc.exe Token: SeDebugPrivilege 1368 vbc.exe Token: SeDebugPrivilege 1648 cmmon32.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
Explorer.EXEpid process 1260 Explorer.EXE 1260 Explorer.EXE 1260 Explorer.EXE 1260 Explorer.EXE -
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
Explorer.EXEpid process 1260 Explorer.EXE 1260 Explorer.EXE 1260 Explorer.EXE 1260 Explorer.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
EXCEL.EXEpid process 1432 EXCEL.EXE 1432 EXCEL.EXE 1432 EXCEL.EXE -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
EQNEDT32.EXEvbc.exeExplorer.EXEcmmon32.exedescription pid process target process PID 1108 wrote to memory of 1396 1108 EQNEDT32.EXE vbc.exe PID 1108 wrote to memory of 1396 1108 EQNEDT32.EXE vbc.exe PID 1108 wrote to memory of 1396 1108 EQNEDT32.EXE vbc.exe PID 1108 wrote to memory of 1396 1108 EQNEDT32.EXE vbc.exe PID 1396 wrote to memory of 2044 1396 vbc.exe vbc.exe PID 1396 wrote to memory of 2044 1396 vbc.exe vbc.exe PID 1396 wrote to memory of 2044 1396 vbc.exe vbc.exe PID 1396 wrote to memory of 2044 1396 vbc.exe vbc.exe PID 1396 wrote to memory of 1368 1396 vbc.exe vbc.exe PID 1396 wrote to memory of 1368 1396 vbc.exe vbc.exe PID 1396 wrote to memory of 1368 1396 vbc.exe vbc.exe PID 1396 wrote to memory of 1368 1396 vbc.exe vbc.exe PID 1396 wrote to memory of 1368 1396 vbc.exe vbc.exe PID 1396 wrote to memory of 1368 1396 vbc.exe vbc.exe PID 1396 wrote to memory of 1368 1396 vbc.exe vbc.exe PID 1260 wrote to memory of 1648 1260 Explorer.EXE cmmon32.exe PID 1260 wrote to memory of 1648 1260 Explorer.EXE cmmon32.exe PID 1260 wrote to memory of 1648 1260 Explorer.EXE cmmon32.exe PID 1260 wrote to memory of 1648 1260 Explorer.EXE cmmon32.exe PID 1648 wrote to memory of 528 1648 cmmon32.exe cmd.exe PID 1648 wrote to memory of 528 1648 cmmon32.exe cmd.exe PID 1648 wrote to memory of 528 1648 cmmon32.exe cmd.exe PID 1648 wrote to memory of 528 1648 cmmon32.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PO890299700006.xlsx2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1432 -
C:\Windows\SysWOW64\cmmon32.exe"C:\Windows\SysWOW64\cmmon32.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Public\vbc.exe"3⤵PID:528
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Users\Public\vbc.exe"{path}"3⤵
- Executes dropped EXE
PID:2044 -
C:\Users\Public\vbc.exe"{path}"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1368
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\vbc.exeMD5
5da659b378ccc31833fdd2b4fbd1d411
SHA15572df75bfefdaa9185c37c66cb99140e924bca0
SHA256cf6af1749c38b0af7660d67059470a189f593d6196c76d7739596061f8f0afc9
SHA512465d218db61a561eec9ba6da2f251d430e328ea793bc2f36c78fed59853190bce344dbc52e4f05b2bb96b4c22cf7dd538a12a91be2c9c311a6c715b8d7bdfb28
-
C:\Users\Public\vbc.exeMD5
5da659b378ccc31833fdd2b4fbd1d411
SHA15572df75bfefdaa9185c37c66cb99140e924bca0
SHA256cf6af1749c38b0af7660d67059470a189f593d6196c76d7739596061f8f0afc9
SHA512465d218db61a561eec9ba6da2f251d430e328ea793bc2f36c78fed59853190bce344dbc52e4f05b2bb96b4c22cf7dd538a12a91be2c9c311a6c715b8d7bdfb28
-
C:\Users\Public\vbc.exeMD5
5da659b378ccc31833fdd2b4fbd1d411
SHA15572df75bfefdaa9185c37c66cb99140e924bca0
SHA256cf6af1749c38b0af7660d67059470a189f593d6196c76d7739596061f8f0afc9
SHA512465d218db61a561eec9ba6da2f251d430e328ea793bc2f36c78fed59853190bce344dbc52e4f05b2bb96b4c22cf7dd538a12a91be2c9c311a6c715b8d7bdfb28
-
C:\Users\Public\vbc.exeMD5
5da659b378ccc31833fdd2b4fbd1d411
SHA15572df75bfefdaa9185c37c66cb99140e924bca0
SHA256cf6af1749c38b0af7660d67059470a189f593d6196c76d7739596061f8f0afc9
SHA512465d218db61a561eec9ba6da2f251d430e328ea793bc2f36c78fed59853190bce344dbc52e4f05b2bb96b4c22cf7dd538a12a91be2c9c311a6c715b8d7bdfb28
-
\Users\Public\vbc.exeMD5
5da659b378ccc31833fdd2b4fbd1d411
SHA15572df75bfefdaa9185c37c66cb99140e924bca0
SHA256cf6af1749c38b0af7660d67059470a189f593d6196c76d7739596061f8f0afc9
SHA512465d218db61a561eec9ba6da2f251d430e328ea793bc2f36c78fed59853190bce344dbc52e4f05b2bb96b4c22cf7dd538a12a91be2c9c311a6c715b8d7bdfb28
-
\Users\Public\vbc.exeMD5
5da659b378ccc31833fdd2b4fbd1d411
SHA15572df75bfefdaa9185c37c66cb99140e924bca0
SHA256cf6af1749c38b0af7660d67059470a189f593d6196c76d7739596061f8f0afc9
SHA512465d218db61a561eec9ba6da2f251d430e328ea793bc2f36c78fed59853190bce344dbc52e4f05b2bb96b4c22cf7dd538a12a91be2c9c311a6c715b8d7bdfb28
-
\Users\Public\vbc.exeMD5
5da659b378ccc31833fdd2b4fbd1d411
SHA15572df75bfefdaa9185c37c66cb99140e924bca0
SHA256cf6af1749c38b0af7660d67059470a189f593d6196c76d7739596061f8f0afc9
SHA512465d218db61a561eec9ba6da2f251d430e328ea793bc2f36c78fed59853190bce344dbc52e4f05b2bb96b4c22cf7dd538a12a91be2c9c311a6c715b8d7bdfb28
-
\Users\Public\vbc.exeMD5
5da659b378ccc31833fdd2b4fbd1d411
SHA15572df75bfefdaa9185c37c66cb99140e924bca0
SHA256cf6af1749c38b0af7660d67059470a189f593d6196c76d7739596061f8f0afc9
SHA512465d218db61a561eec9ba6da2f251d430e328ea793bc2f36c78fed59853190bce344dbc52e4f05b2bb96b4c22cf7dd538a12a91be2c9c311a6c715b8d7bdfb28
-
memory/528-21-0x0000000000000000-mapping.dmp
-
memory/1368-17-0x000000000041D070-mapping.dmp
-
memory/1368-16-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1396-7-0x0000000000000000-mapping.dmp
-
memory/1396-14-0x00000000007D0000-0x000000000084B000-memory.dmpFilesize
492KB
-
memory/1396-13-0x00000000004D0000-0x00000000004DE000-memory.dmpFilesize
56KB
-
memory/1396-11-0x0000000000120000-0x0000000000121000-memory.dmpFilesize
4KB
-
memory/1396-10-0x000000006C4B0000-0x000000006CB9E000-memory.dmpFilesize
6.9MB
-
memory/1648-19-0x0000000000000000-mapping.dmp
-
memory/1648-20-0x0000000000970000-0x000000000097D000-memory.dmpFilesize
52KB
-
memory/1648-22-0x0000000004A00000-0x0000000004ABA000-memory.dmpFilesize
744KB
-
memory/1940-2-0x000007FEF74A0000-0x000007FEF771A000-memory.dmpFilesize
2.5MB