Analysis
- max time kernel: 147s
- max time network: 17s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 12-01-2021 16:58
Static task: static1
Behavioral task: behavioral1
  Sample: Order_385647584.xlsx
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Order_385647584.xlsx
  Resource: win10v20201028
General
- Target: Order_385647584.xlsx
- Size: 1.5MB
- MD5: d040c427703e2a2183f67742c2a5af54
- SHA1: e88e65daa49e1dac16bd0b727943758c47057284
- SHA256: 0ac1a7ed74f413e6d39a5235038f3c2dea7956f455f37aac5e2a5770cf364690
- SHA512: 62432ed70b468c3044a635fd10e62bd2925e2967c487a7c3d067fcca065cffc43d7770ffe5b652740b7ee244f440e8934ee5f93b07cd263dc8150adce0b55b4f
Malware Config
Extracted
formbook
http://www.herbmedia.net/csv8/
slgacha.com
oohdough.com
6983ylc.com
aykassociate.com
latin-hotspot.com
starrockindia.com
beamsubway.com
queensboutique1000.com
madbaddie.com
bhoomimart.com
ankitparivar.com
aldanasanchezmx.com
citest1597669833.com
cristianofreitas.com
myplantus.com
counterfeitmilk.com
8xf39.com
pregnantwomens.com
yyyut6.com
stnanguo.com
fessusesefsee.com
logansshop.net
familydalmatianhomes.com
accessible.legal
epicmassiveconcepts.com
indianfactopedia.com
exit-divorce.com
colliapse.com
nosishop.com
hayat-aljowaily.com
soundon.events
previnacovid19-br.com
traptlongview.com
splendidhotelspa.com
masterzushop.com
ednevents.com
studentdividers.com
treningi-enduro.com
hostingcoaster.com
gourmetgroceriesfast.com
thesouthbeachlife.com
teemergin.com
fixmygearfast.com
arb-invest.com
shemaledreamz.com
1819apparel.com
thedigitalsatyam.com
alparmuhendislik.com
distinctmusicproductions.com
procreditexpert.com
insights4innovation.com
jzbtl.com
1033325.com
sorteocamper.info
scheherazadelegault.com
glowportraiture.com
cleitstaapps.com
globepublishers.com
stattests.com
brainandbodystrengthcoach.com
magenx2.info
escaparati.com
wood-decor24.com
travelnetafrica.com
Signatures
- Xloader Payload (3 IoCs)
  Processes:
    resource | yara_rule
    behavioral1/memory/1484-17-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
    behavioral1/memory/1484-18-0x000000000041D0C0-mapping.dmp | xloader
    behavioral1/memory/440-20-0x0000000000000000-mapping.dmp | xloader
- Blocklisted process makes network request (1 IoCs)
  Processes:
    flow | pid | process
    7 | 1996 | EQNEDT32.EXE
- Executes dropped EXE (1 IoCs)
  Processes:
    pid | process
    1072 | vbc.exe
- Loads dropped DLL (4 IoCs)
  Processes:
    pid | process
    1996 | EQNEDT32.EXE (x4)
- Uses the VBS compiler for execution (1 TTPs)
- Suspicious use of SetThreadContext (4 IoCs)
  Processes:
    description | pid | process | target process
    PID 1072 set thread context of 1484 | 1072 | vbc.exe | vbc.exe
    PID 1484 set thread context of 1268 | 1484 | vbc.exe | Explorer.EXE (x2)
    PID 440 set thread context of 1268 | 440 | wscript.exe | Explorer.EXE
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Enumerates system info in registry (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
- Launches Equation Editor (1 TTPs, 1 IoCs)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes:
    pid | process
    1656 | EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (22 IoCs)
  Processes:
    pid | process
    1072 | vbc.exe (x3)
    1484 | vbc.exe (x3)
    440 | wscript.exe (x16)
- Suspicious behavior: MapViewOfSection (6 IoCs)
  Processes:
    pid | process
    1484 | vbc.exe (x4)
    440 | wscript.exe (x2)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 1072 | vbc.exe
    Token: SeDebugPrivilege | 1484 | vbc.exe
    Token: SeDebugPrivilege | 440 | wscript.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes:
    pid | process
    1268 | Explorer.EXE (x4)
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes:
    pid | process
    1268 | Explorer.EXE (x4)
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
    pid | process
    1656 | EXCEL.EXE (x3)
- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes:
    description | pid | process | target process
    PID 1996 wrote to memory of 1072 | 1996 | EQNEDT32.EXE | vbc.exe (x4)
    PID 1072 wrote to memory of 852 | 1072 | vbc.exe | schtasks.exe (x4)
    PID 1072 wrote to memory of 1612 | 1072 | vbc.exe | vbc.exe (x4)
    PID 1072 wrote to memory of 1484 | 1072 | vbc.exe | vbc.exe (x7)
    PID 1268 wrote to memory of 440 | 1268 | Explorer.EXE | wscript.exe (x4)
    PID 440 wrote to memory of 1992 | 440 | wscript.exe | cmd.exe (x4)
Processes
- C:\Windows\Explorer.EXE  [process tree depth 1]
  Command line: C:\Windows\Explorer.EXE
  Signatures:
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE  [process tree depth 2]
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Order_385647584.xlsx
    Signatures:
      - Enumerates system info in registry
      - Modifies Internet Explorer settings
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\wscript.exe  [process tree depth 2]
    Command line: "C:\Windows\SysWOW64\wscript.exe"
    Signatures:
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe  [process tree depth 3]
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  [process tree depth 1]
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Signatures:
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Launches Equation Editor
    - Suspicious use of WriteProcessMemory
  - C:\Users\Public\vbc.exe  [process tree depth 2]
    Command line: "C:\Users\Public\vbc.exe"
    Signatures:
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe  [process tree depth 3]
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emozgtRJhjspJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2368.tmp"
      Signatures:
        - Creates scheduled task(s)
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  [process tree depth 3]
      Command line: "{path}"
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  [process tree depth 3]
      Command line: "{path}"
      Signatures:
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp2368.tmp
  MD5: bfda9b42afcbae510d0f9abc49ece8ed
  SHA1: a1f6ecfc1781869b2c27665fc464f70c3af9ec28
  SHA256: 09d6fa3d80372e2b42cf842d864e3d335be8fae04044537f3242624e3a44904a
  SHA512: e5178c1cfbd2b4f66b7bba168c29dfc8ad75f988db86ffbecd25e09c233ff63dc5e1db624e9a9750c3ebd197f01aa682665d9af2807225f47226cfd2fd77e319
- C:\Users\Public\vbc.exe
  MD5: 4aac66abd3deb77faf44d3fb5884f0a6
  SHA1: a5b550d6b41ad1cd9287d2892a65ac856de1bebf
  SHA256: 4abfdb9315d534afdc9907bcf369d15a121e02d40dc772dece65de6ee2ade651
  SHA512: 3be81a77ffadb309689738dec4e6f235eff195492e21451d373113e531b3f516b9db2b43857577fd9257a6014934124e26bd84a80683fe3eca6666b69fe398f1
- \Users\Public\vbc.exe
  MD5: 4aac66abd3deb77faf44d3fb5884f0a6
  SHA1: a5b550d6b41ad1cd9287d2892a65ac856de1bebf
  SHA256: 4abfdb9315d534afdc9907bcf369d15a121e02d40dc772dece65de6ee2ade651
  SHA512: 3be81a77ffadb309689738dec4e6f235eff195492e21451d373113e531b3f516b9db2b43857577fd9257a6014934124e26bd84a80683fe3eca6666b69fe398f1
- memory/440-23-0x0000000005150000-0x0000000005231000-memory.dmp
  Filesize: 900KB
- memory/440-21-0x0000000000E20000-0x0000000000E46000-memory.dmp
  Filesize: 152KB
- memory/440-20-0x0000000000000000-mapping.dmp
- memory/852-15-0x0000000000000000-mapping.dmp
- memory/1072-13-0x0000000000400000-0x000000000040E000-memory.dmp
  Filesize: 56KB
- memory/1072-14-0x0000000004650000-0x00000000046CB000-memory.dmp
  Filesize: 492KB
- memory/1072-11-0x0000000000E80000-0x0000000000E81000-memory.dmp
  Filesize: 4KB
- memory/1072-10-0x000000006BF90000-0x000000006C67E000-memory.dmp
  Filesize: 6.9MB
- memory/1072-7-0x0000000000000000-mapping.dmp
- memory/1268-19-0x0000000003C10000-0x0000000003CC1000-memory.dmp
  Filesize: 708KB
- memory/1484-17-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/1484-18-0x000000000041D0C0-mapping.dmp
- memory/1848-2-0x000007FEF6F80000-0x000007FEF71FA000-memory.dmp
  Filesize: 2.5MB
- memory/1992-22-0x0000000000000000-mapping.dmp