Analysis
-
max time kernel
152s -
max time network
146s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
13-01-2021 06:20
Static task
static1
Behavioral task
behavioral1
Sample
payment advice.xlsx
Resource
win7v20201028
Behavioral task
behavioral2
Sample
payment advice.xlsx
Resource
win10v20201028
General
-
Target
payment advice.xlsx
-
Size
1.2MB
-
MD5
ad817786e05c5177fbe3295d94a783b5
-
SHA1
2f6fd26a661aecb7ff82dee366fe4a089a19dd6b
-
SHA256
2e4c648b422366723d7095a3bcbe66b547c3bc61f1448bb10793cb8ea73a6390
-
SHA512
ed8a25bd90f675b64e6f50f6e3e5e5f5daab878f34826a23748f2cf7b1a2f77307db716243a25420d159d31c553f4de82476151cc64dc85c611270d0e17b6135
Malware Config
Extracted
formbook
http://www.aftabzahur.com/wgn/
kokokara-life-blog.com
faswear.com
futureleadershiptoday.com
date4done.xyz
thecouponinn.com
bbeycarpetsf.com
propolisnasalspray.com
jinjudiamond.com
goodevectors.com
nehyam.com
evalinkapuppets.com
what-if-statistics.com
rateofrisk.com
impacttestonlinne.com
servis-kaydet.info
coloniacafe.com
marcemarketing.com
aarigging.com
goddesswitchery.com
jasqblo.icu
ballotlocations.com
opulentredesign.com
nicolakwan.com
timcarecskh.online
albertaeatsfood.com
impactnwf.com
transportersolutions.com
jkfdjkdjkfjkddre.com
haslvapps.com
oakhazelnut.com
jazzyfans.net
uklcp.com
genericfreeemailservice.com
jettbay.com
utahcommunitynewsnetwork.com
vinos-online.com
lafatime.com
2438kingsland.com
groovepags.com
locationwhiz.com
edu1center.com
chronic-trauma.com
ytr.xyz
airconacademy-courses.com
gawafeqauibne.com
flowcedure.com
bwproskill.com
woodenbros.com
thesearsgroupnc.com
whoaminot.com
addvations.com
fatboidonuts.com
mobileworkforcevpn.net
offto.site
tehospedamos.com
nadinerae.com
betherightcandidate.com
ethosgov.com
cgbaran.com
xynewadmrykaa.com
socialdistancing.cool
kedalamsapi.com
hendifishing.online
geniusprosolutions.com
Signatures
-
Formbook Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/2040-17-0x000000000041EAC0-mapping.dmp formbook behavioral1/memory/2040-16-0x0000000000400000-0x000000000042E000-memory.dmp formbook behavioral1/memory/1764-20-0x0000000000000000-mapping.dmp formbook -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 7 1992 EQNEDT32.EXE -
Executes dropped EXE 3 IoCs
Processes:
vbc.exevbc.exevbc.exepid process 816 vbc.exe 1512 vbc.exe 2040 vbc.exe -
Loads dropped DLL 4 IoCs
Processes:
EQNEDT32.EXEpid process 1992 EQNEDT32.EXE 1992 EQNEDT32.EXE 1992 EQNEDT32.EXE 1992 EQNEDT32.EXE -
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
vbc.exevbc.execontrol.exedescription pid process target process PID 816 set thread context of 2040 816 vbc.exe vbc.exe PID 2040 set thread context of 1268 2040 vbc.exe Explorer.EXE PID 2040 set thread context of 1268 2040 vbc.exe Explorer.EXE PID 1764 set thread context of 1268 1764 control.exe Explorer.EXE -
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
EXCEL.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 2044 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
vbc.exevbc.execontrol.exepid process 816 vbc.exe 816 vbc.exe 2040 vbc.exe 2040 vbc.exe 2040 vbc.exe 1764 control.exe 1764 control.exe 1764 control.exe 1764 control.exe 1764 control.exe 1764 control.exe 1764 control.exe 1764 control.exe 1764 control.exe 1764 control.exe 1764 control.exe 1764 control.exe 1764 control.exe 1764 control.exe 1764 control.exe 1764 control.exe 1764 control.exe 1764 control.exe 1764 control.exe -
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
vbc.execontrol.exepid process 2040 vbc.exe 2040 vbc.exe 2040 vbc.exe 2040 vbc.exe 1764 control.exe 1764 control.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vbc.exevbc.execontrol.exedescription pid process Token: SeDebugPrivilege 816 vbc.exe Token: SeDebugPrivilege 2040 vbc.exe Token: SeDebugPrivilege 1764 control.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
Explorer.EXEpid process 1268 Explorer.EXE 1268 Explorer.EXE 1268 Explorer.EXE 1268 Explorer.EXE -
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
Explorer.EXEpid process 1268 Explorer.EXE 1268 Explorer.EXE 1268 Explorer.EXE 1268 Explorer.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
EXCEL.EXEpid process 2044 EXCEL.EXE 2044 EXCEL.EXE 2044 EXCEL.EXE -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
EQNEDT32.EXEvbc.exeExplorer.EXEcontrol.exedescription pid process target process PID 1992 wrote to memory of 816 1992 EQNEDT32.EXE vbc.exe PID 1992 wrote to memory of 816 1992 EQNEDT32.EXE vbc.exe PID 1992 wrote to memory of 816 1992 EQNEDT32.EXE vbc.exe PID 1992 wrote to memory of 816 1992 EQNEDT32.EXE vbc.exe PID 816 wrote to memory of 1512 816 vbc.exe vbc.exe PID 816 wrote to memory of 1512 816 vbc.exe vbc.exe PID 816 wrote to memory of 1512 816 vbc.exe vbc.exe PID 816 wrote to memory of 1512 816 vbc.exe vbc.exe PID 816 wrote to memory of 2040 816 vbc.exe vbc.exe PID 816 wrote to memory of 2040 816 vbc.exe vbc.exe PID 816 wrote to memory of 2040 816 vbc.exe vbc.exe PID 816 wrote to memory of 2040 816 vbc.exe vbc.exe PID 816 wrote to memory of 2040 816 vbc.exe vbc.exe PID 816 wrote to memory of 2040 816 vbc.exe vbc.exe PID 816 wrote to memory of 2040 816 vbc.exe vbc.exe PID 1268 wrote to memory of 1764 1268 Explorer.EXE control.exe PID 1268 wrote to memory of 1764 1268 Explorer.EXE control.exe PID 1268 wrote to memory of 1764 1268 Explorer.EXE control.exe PID 1268 wrote to memory of 1764 1268 Explorer.EXE control.exe PID 1764 wrote to memory of 1076 1764 control.exe cmd.exe PID 1764 wrote to memory of 1076 1764 control.exe cmd.exe PID 1764 wrote to memory of 1076 1764 control.exe cmd.exe PID 1764 wrote to memory of 1076 1764 control.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\payment advice.xlsx"2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\control.exe"C:\Windows\SysWOW64\control.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Public\vbc.exe"3⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"{path}"3⤵
- Executes dropped EXE
-
C:\Users\Public\vbc.exe"{path}"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\vbc.exeMD5
fe4641996264a889eab227341a316ae5
SHA1a9f1db191bead21f1a4e02a72370db949c8b2e72
SHA256ca49693539a7fccb4dc007ea5bd6f7c54f377bbb00079dfa177ac9c4f2a189b2
SHA512a6c7ec734569d47e425e3e742aaa12a64940e28bf2d2c0a1e241b8df3eebd841287b3830aacd528d753b8a2734d712c323c66ee22bdcd36fa926f4294acef2d3
-
C:\Users\Public\vbc.exeMD5
fe4641996264a889eab227341a316ae5
SHA1a9f1db191bead21f1a4e02a72370db949c8b2e72
SHA256ca49693539a7fccb4dc007ea5bd6f7c54f377bbb00079dfa177ac9c4f2a189b2
SHA512a6c7ec734569d47e425e3e742aaa12a64940e28bf2d2c0a1e241b8df3eebd841287b3830aacd528d753b8a2734d712c323c66ee22bdcd36fa926f4294acef2d3
-
C:\Users\Public\vbc.exeMD5
fe4641996264a889eab227341a316ae5
SHA1a9f1db191bead21f1a4e02a72370db949c8b2e72
SHA256ca49693539a7fccb4dc007ea5bd6f7c54f377bbb00079dfa177ac9c4f2a189b2
SHA512a6c7ec734569d47e425e3e742aaa12a64940e28bf2d2c0a1e241b8df3eebd841287b3830aacd528d753b8a2734d712c323c66ee22bdcd36fa926f4294acef2d3
-
C:\Users\Public\vbc.exeMD5
fe4641996264a889eab227341a316ae5
SHA1a9f1db191bead21f1a4e02a72370db949c8b2e72
SHA256ca49693539a7fccb4dc007ea5bd6f7c54f377bbb00079dfa177ac9c4f2a189b2
SHA512a6c7ec734569d47e425e3e742aaa12a64940e28bf2d2c0a1e241b8df3eebd841287b3830aacd528d753b8a2734d712c323c66ee22bdcd36fa926f4294acef2d3
-
\Users\Public\vbc.exeMD5
fe4641996264a889eab227341a316ae5
SHA1a9f1db191bead21f1a4e02a72370db949c8b2e72
SHA256ca49693539a7fccb4dc007ea5bd6f7c54f377bbb00079dfa177ac9c4f2a189b2
SHA512a6c7ec734569d47e425e3e742aaa12a64940e28bf2d2c0a1e241b8df3eebd841287b3830aacd528d753b8a2734d712c323c66ee22bdcd36fa926f4294acef2d3
-
\Users\Public\vbc.exeMD5
fe4641996264a889eab227341a316ae5
SHA1a9f1db191bead21f1a4e02a72370db949c8b2e72
SHA256ca49693539a7fccb4dc007ea5bd6f7c54f377bbb00079dfa177ac9c4f2a189b2
SHA512a6c7ec734569d47e425e3e742aaa12a64940e28bf2d2c0a1e241b8df3eebd841287b3830aacd528d753b8a2734d712c323c66ee22bdcd36fa926f4294acef2d3
-
\Users\Public\vbc.exeMD5
fe4641996264a889eab227341a316ae5
SHA1a9f1db191bead21f1a4e02a72370db949c8b2e72
SHA256ca49693539a7fccb4dc007ea5bd6f7c54f377bbb00079dfa177ac9c4f2a189b2
SHA512a6c7ec734569d47e425e3e742aaa12a64940e28bf2d2c0a1e241b8df3eebd841287b3830aacd528d753b8a2734d712c323c66ee22bdcd36fa926f4294acef2d3
-
\Users\Public\vbc.exeMD5
fe4641996264a889eab227341a316ae5
SHA1a9f1db191bead21f1a4e02a72370db949c8b2e72
SHA256ca49693539a7fccb4dc007ea5bd6f7c54f377bbb00079dfa177ac9c4f2a189b2
SHA512a6c7ec734569d47e425e3e742aaa12a64940e28bf2d2c0a1e241b8df3eebd841287b3830aacd528d753b8a2734d712c323c66ee22bdcd36fa926f4294acef2d3
-
memory/816-13-0x0000000000550000-0x000000000055E000-memory.dmpFilesize
56KB
-
memory/816-11-0x0000000001090000-0x0000000001091000-memory.dmpFilesize
4KB
-
memory/816-14-0x0000000000490000-0x000000000050F000-memory.dmpFilesize
508KB
-
memory/816-10-0x000000006C400000-0x000000006CAEE000-memory.dmpFilesize
6.9MB
-
memory/816-7-0x0000000000000000-mapping.dmp
-
memory/1076-22-0x0000000000000000-mapping.dmp
-
memory/1268-19-0x0000000005130000-0x0000000005205000-memory.dmpFilesize
852KB
-
memory/1764-20-0x0000000000000000-mapping.dmp
-
memory/1764-21-0x0000000000370000-0x000000000038F000-memory.dmpFilesize
124KB
-
memory/1764-23-0x0000000001EF0000-0x000000000206C000-memory.dmpFilesize
1.5MB
-
memory/1772-2-0x000007FEF6510000-0x000007FEF678A000-memory.dmpFilesize
2.5MB
-
memory/2040-17-0x000000000041EAC0-mapping.dmp
-
memory/2040-16-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB