Analysis
max time kernel: 150s
max time network: 147s
platform: windows7_x64
resource: win7v20201028
submitted: 13-01-2021 06:20

Static task: static1
Behavioral task: behavioral1
  Sample: inquiry10204168.xlsx
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: inquiry10204168.xlsx
  Resource: win10v20201028

General
Target: inquiry10204168.xlsx
Size: 1.3MB
MD5: 78858bd1cc5cbb75c6173d867284b52b
SHA1: 198e3be4d2334c898a97c0fa05c52c50369c42d3
SHA256: b8f509962aeb090743d2982087ce11853df912f24190158d11d08e6081c17fce
SHA512: 27e410599098b11e8ba5ea6d554699720d9dc8ba303582511b7ab1d1b20bd36dbcaff1fe13f790db2eb0f01c14c76a2490b69c27e93eecc211cd0e0181d988d6
Malware Config
Extracted
formbook
Signatures
-
Formbook Payload 3 IoCs
Processes:
resource  yara_rule
behavioral1/memory/1828-15-0x0000000000400000-0x000000000042E000-memory.dmp  formbook
behavioral1/memory/1828-16-0x000000000041EB70-mapping.dmp  formbook
behavioral1/memory/1728-19-0x0000000000000000-mapping.dmp  formbook
Blocklisted process makes network request 1 IoCs
Processes:
flow  pid   process
7     1576  EQNEDT32.EXE
Executes dropped EXE 2 IoCs
Processes:
pid   process
1072  vbc.exe
1828  vbc.exe
Loads dropped DLL 4 IoCs
Processes:
pid   process
1576  EQNEDT32.EXE
1576  EQNEDT32.EXE
1576  EQNEDT32.EXE
1576  EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
description                            pid   process       target process
PID 1072 set thread context of 1828    1072  vbc.exe       vbc.exe
PID 1828 set thread context of 1236    1828  vbc.exe       Explorer.EXE
PID 1828 set thread context of 1236    1828  vbc.exe       Explorer.EXE
PID 1728 set thread context of 1236    1728  raserver.exe  Explorer.EXE
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
description  ioc                                                                   process
Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
Processes:
description      ioc                                                                                                                                  process
Key created      \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt                               EXCEL.EXE
Key created      \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote              EXCEL.EXE
Set value (str)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  EXCEL.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"  EXCEL.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"  EXCEL.EXE
Key created      \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar                               EXCEL.EXE
Set value (str)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"  EXCEL.EXE
Key created      \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel    EXCEL.EXE
Set value (str)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid   process
1068  EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 19 IoCs
Processes:
pid   process
1828  vbc.exe
1828  vbc.exe
1828  vbc.exe
1728  raserver.exe
1728  raserver.exe
1728  raserver.exe
1728  raserver.exe
1728  raserver.exe
1728  raserver.exe
1728  raserver.exe
1728  raserver.exe
1728  raserver.exe
1728  raserver.exe
1728  raserver.exe
1728  raserver.exe
1728  raserver.exe
1728  raserver.exe
1728  raserver.exe
1728  raserver.exe
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid   process
1828  vbc.exe
1828  vbc.exe
1828  vbc.exe
1828  vbc.exe
1728  raserver.exe
1728  raserver.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description               pid   process
Token: SeDebugPrivilege   1828  vbc.exe
Token: SeDebugPrivilege   1728  raserver.exe
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid   process
1236  Explorer.EXE
1236  Explorer.EXE
1236  Explorer.EXE
1236  Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
pid   process
1236  Explorer.EXE
1236  Explorer.EXE
1236  Explorer.EXE
1236  Explorer.EXE
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid   process
1068  EXCEL.EXE
1068  EXCEL.EXE
1068  EXCEL.EXE
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
description                          pid   process       target process
PID 1576 wrote to memory of 1072     1576  EQNEDT32.EXE  vbc.exe
PID 1576 wrote to memory of 1072     1576  EQNEDT32.EXE  vbc.exe
PID 1576 wrote to memory of 1072     1576  EQNEDT32.EXE  vbc.exe
PID 1576 wrote to memory of 1072     1576  EQNEDT32.EXE  vbc.exe
PID 1072 wrote to memory of 1828     1072  vbc.exe       vbc.exe
PID 1072 wrote to memory of 1828     1072  vbc.exe       vbc.exe
PID 1072 wrote to memory of 1828     1072  vbc.exe       vbc.exe
PID 1072 wrote to memory of 1828     1072  vbc.exe       vbc.exe
PID 1072 wrote to memory of 1828     1072  vbc.exe       vbc.exe
PID 1072 wrote to memory of 1828     1072  vbc.exe       vbc.exe
PID 1072 wrote to memory of 1828     1072  vbc.exe       vbc.exe
PID 1828 wrote to memory of 1728     1828  vbc.exe       raserver.exe
PID 1828 wrote to memory of 1728     1828  vbc.exe       raserver.exe
PID 1828 wrote to memory of 1728     1828  vbc.exe       raserver.exe
PID 1828 wrote to memory of 1728     1828  vbc.exe       raserver.exe
PID 1728 wrote to memory of 1660     1728  raserver.exe  cmd.exe
PID 1728 wrote to memory of 1660     1728  raserver.exe  cmd.exe
PID 1728 wrote to memory of 1660     1728  raserver.exe  cmd.exe
PID 1728 wrote to memory of 1660     1728  raserver.exe  cmd.exe
Processes
C:\Windows\Explorer.EXE (PID 1236)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 1068)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\inquiry10204168.xlsx
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 1576)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Users\Public\vbc.exe (PID 1072)
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Public\vbc.exe (PID 1828)
      Command line: "{path}"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\raserver.exe (PID 1728)
        Command line: "C:\Windows\SysWOW64\raserver.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 1660)
          Command line: /c del "C:\Users\Public\vbc.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Public\vbc.exe
MD5: 6b0128e753b4c8eb55a0726dbdbbf35e
SHA1: 12ab2a6cb7c26acad4ba209bafdb6fd2ff33523b
SHA256: 0ae22d4877231b64b2e9e1252bbe8636ea43fe5692ca899733e715ccfc82e224
SHA512: 152e90baebb510c397a7625ec9295ea806d4c233b00df8a938c9f62ea5966f88873b26558cb03131ba992ce7713704b2f2aeb90394bf46355eb6f16d119932f7
Memory dumps
memory/756-2-0x000007FEF7800000-0x000007FEF7A7A000-memory.dmp  Filesize 2.5MB
memory/1072-13-0x00000000003C0000-0x00000000003CE000-memory.dmp  Filesize 56KB
memory/1072-11-0x0000000000D40000-0x0000000000D41000-memory.dmp  Filesize 4KB
memory/1072-10-0x000000006C6A0000-0x000000006CD8E000-memory.dmp  Filesize 6.9MB
memory/1072-14-0x0000000000980000-0x0000000000A01000-memory.dmp  Filesize 516KB
memory/1072-7-0x0000000000000000-mapping.dmp
memory/1236-18-0x0000000004AA0000-0x0000000004B60000-memory.dmp  Filesize 768KB
memory/1236-23-0x00000000069F0000-0x0000000006AD1000-memory.dmp  Filesize 900KB
memory/1660-21-0x0000000000000000-mapping.dmp
memory/1728-19-0x0000000000000000-mapping.dmp
memory/1728-20-0x0000000000E60000-0x0000000000E7C000-memory.dmp  Filesize 112KB
memory/1728-22-0x0000000000CF0000-0x0000000000E0D000-memory.dmp  Filesize 1.1MB
memory/1828-15-0x0000000000400000-0x000000000042E000-memory.dmp  Filesize 184KB
memory/1828-16-0x000000000041EB70-mapping.dmp