Analysis

max time kernel: 146s
max time network: 146s
platform: windows7_x64
resource: win7v20201028
submitted: 13-01-2021 06:20

Static task: static1
Behavioral task: behavioral1
  Sample: inquiry10204168.xlsx
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: inquiry10204168.xlsx
  Resource: win10v20201028

General

Target: inquiry10204168.xlsx
Size: 1.2MB
MD5: 07f99c2135effb00a334fdd978259cb3
SHA1: 32bbe469f0222276b5d0a6947ba6f137221e8617
SHA256: 69f600cd0a147b4209768992bf6c707d7ff197a6952e373cca08a9cc8bff1fd6
SHA512: 77aabef86541d9be0e87094badf37b8f4e0342a8cfd39d7f3f865d81e0a97a8563b8c36dca18c6c0b619c36c93484ea673a0cf5153013e86bd906a74889ef918
Malware Config

Extracted: formbook
Signatures

Formbook Payload 3 IoCs
Processes:
  resource: behavioral1/memory/1328-16-0x0000000000400000-0x000000000042E000-memory.dmp, yara_rule: formbook
  resource: behavioral1/memory/1328-17-0x000000000041EB90-mapping.dmp, yara_rule: formbook
  resource: behavioral1/memory/1708-20-0x0000000000000000-mapping.dmp, yara_rule: formbook

Blocklisted process makes network request 1 IoCs
Processes:
  flow 6, pid 1964, process EQNEDT32.EXE

Executes dropped EXE 3 IoCs
Processes:
  pid 924, process vbc.exe
  pid 1608, process vbc.exe
  pid 1328, process vbc.exe

Loads dropped DLL 4 IoCs
Processes:
  pid 1964, process EQNEDT32.EXE (4 entries)

Uses the VBS compiler for execution 1 TTPs

Suspicious use of SetThreadContext 4 IoCs
Processes:
  PID 924 set thread context of 1328: 924 vbc.exe -> vbc.exe
  PID 1328 set thread context of 1252: 1328 vbc.exe -> Explorer.EXE
  PID 1328 set thread context of 1252: 1328 vbc.exe -> Explorer.EXE
  PID 1708 set thread context of 1252: 1708 rundll32.exe -> Explorer.EXE

Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (EXCEL.EXE)

Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings 9 IoCs
Processes:
  Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (EXCEL.EXE)
  Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (EXCEL.EXE)
  Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar (EXCEL.EXE)
  Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (EXCEL.EXE)
  Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt (EXCEL.EXE)
  Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (EXCEL.EXE)
  Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (EXCEL.EXE)
  Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (EXCEL.EXE)
  Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (EXCEL.EXE)

Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid 1068, process EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 23 IoCs
Processes:
  pid 924, process vbc.exe (2 entries)
  pid 1328, process vbc.exe (3 entries)
  pid 1708, process rundll32.exe (18 entries)

Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
  pid 1328, process vbc.exe (4 entries)
  pid 1708, process rundll32.exe (2 entries)

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  Token: SeDebugPrivilege, pid 924, process vbc.exe
  Token: SeDebugPrivilege, pid 1328, process vbc.exe
  Token: SeDebugPrivilege, pid 1708, process rundll32.exe

Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
  pid 1252, process Explorer.EXE (4 entries)

Suspicious use of SendNotifyMessage 4 IoCs
Processes:
  pid 1252, process Explorer.EXE (4 entries)

Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
  pid 1068, process EXCEL.EXE (3 entries)

Suspicious use of WriteProcessMemory 26 IoCs
Processes:
  PID 1964 wrote to memory of 924: 1964 EQNEDT32.EXE -> vbc.exe (4 entries)
  PID 924 wrote to memory of 1608: 924 vbc.exe -> vbc.exe (4 entries)
  PID 924 wrote to memory of 1328: 924 vbc.exe -> vbc.exe (7 entries)
  PID 1252 wrote to memory of 1708: 1252 Explorer.EXE -> rundll32.exe (7 entries)
  PID 1708 wrote to memory of 1960: 1708 rundll32.exe -> cmd.exe (4 entries)
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\inquiry10204168.xlsx
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\rundll32.exe
    command line: "C:\Windows\SysWOW64\rundll32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Public\vbc.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Users\Public\vbc.exe
    command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Public\vbc.exe
      command line: "{path}"
      - Executes dropped EXE

    C:\Users\Public\vbc.exe
      command line: "{path}"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Public\vbc.exe
  MD5: 7c9927846eab4ba57f762766ee567d50
  SHA1: 81351809ef5a15a84255eda23d4bdec25eafcf65
  SHA256: 3ae1c8125ddc0d024ac1f14b9ba78e44f10bfc281ca7e9c68cec7db8af6ee9b3
  SHA512: 77dbfa9a999a88e886107abf62f281535bd1da993f2a5ea72254d7feab9586a0d056ea4d7b218d17421cab0c1d10119ced520e643b080d7dd3a7e26b30e2d1f4
\Users\Public\vbc.exe
  MD5: 7c9927846eab4ba57f762766ee567d50
  SHA1: 81351809ef5a15a84255eda23d4bdec25eafcf65
  SHA256: 3ae1c8125ddc0d024ac1f14b9ba78e44f10bfc281ca7e9c68cec7db8af6ee9b3
  SHA512: 77dbfa9a999a88e886107abf62f281535bd1da993f2a5ea72254d7feab9586a0d056ea4d7b218d17421cab0c1d10119ced520e643b080d7dd3a7e26b30e2d1f4
memory/924-7-0x0000000000000000-mapping.dmp
memory/924-11-0x0000000000E80000-0x0000000000E81000-memory.dmp (Filesize: 4KB)
memory/924-13-0x0000000000460000-0x000000000046E000-memory.dmp (Filesize: 56KB)
memory/924-14-0x0000000000310000-0x000000000038F000-memory.dmp (Filesize: 508KB)
memory/924-10-0x000000006C370000-0x000000006CA5E000-memory.dmp (Filesize: 6.9MB)
memory/1204-2-0x000007FEF6B90000-0x000007FEF6E0A000-memory.dmp (Filesize: 2.5MB)
memory/1252-19-0x0000000006A40000-0x0000000006B6D000-memory.dmp (Filesize: 1.2MB)
memory/1328-16-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
memory/1328-17-0x000000000041EB90-mapping.dmp
memory/1708-20-0x0000000000000000-mapping.dmp
memory/1708-21-0x00000000007A0000-0x00000000007AE000-memory.dmp (Filesize: 56KB)
memory/1708-23-0x0000000001FB0000-0x000000000208D000-memory.dmp (Filesize: 884KB)
memory/1960-22-0x0000000000000000-mapping.dmp