Analysis

max time kernel: 151s
max time network: 145s
platform: windows7_x64
resource: win7v20201028
submitted: 13-01-2021 06:21

Static task: static1
Behavioral task: behavioral1
  Sample: VM ASIAN CHAMPION.xlsx
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: VM ASIAN CHAMPION.xlsx
  Resource: win10v20201028

General

Target: VM ASIAN CHAMPION.xlsx
Size: 1.8MB
MD5: fc2961be55b07415b4f6a712bd7736e5
SHA1: e1c6c4c78a6deebda2e5444bc84317658a0f5b52
SHA256: e2a65cc31e28a6510e974316379e8b6eb7c138d1da04cf84d0293fdc55d7d08e
SHA512: d8e8a3f15b21ba1824788c774116a83af1d021634a5da09dc7a5a2abba02aabfe8ae3b44f7f53fb62a8c47d6120d1fe28ccbdc6ed99b73cf647b9947bd652c02
Malware Config

Extracted family: formbook
Signatures

Formbook Payload 3 IoCs
Processes (resource : yara_rule):
  behavioral1/memory/296-15-0x0000000000400000-0x000000000042E000-memory.dmp : formbook
  behavioral1/memory/296-16-0x000000000041EAF0-mapping.dmp : formbook
  behavioral1/memory/1932-18-0x0000000000000000-mapping.dmp : formbook
Blocklisted process makes network request 1 IoCs
Processes (flow / pid / process):
  flow 6, PID 1976, EQNEDT32.EXE
Executes dropped EXE 2 IoCs
Processes (pid / process):
  PID 1164, vbc.exe
  PID 296, vbc.exe
Loads dropped DLL 4 IoCs
Processes (pid / process):
  PID 1976, EQNEDT32.EXE (4 occurrences)
Uses the VBS compiler for execution 1 TTPs
Suspicious use of SetThreadContext 3 IoCs
Processes (pid / process -> target process):
  PID 1164 (vbc.exe) set thread context of PID 296 (vbc.exe)
  PID 296 (vbc.exe) set thread context of PID 1264 (Explorer.EXE)
  PID 1932 (svchost.exe) set thread context of PID 1264 (Explorer.EXE)
Enumerates system info in registry 2 TTPs 1 IoCs
Processes (description / ioc / process):
  Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor by EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
Processes (description / ioc / process), all by EXCEL.EXE:
  Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
  Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
  Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar
  Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
  Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt
  Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes (pid / process):
  PID 644, EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes (pid / process):
  PID 296, vbc.exe (2 occurrences)
  PID 1932, svchost.exe (20 occurrences)
Suspicious behavior: MapViewOfSection 5 IoCs
Processes (pid / process):
  PID 296, vbc.exe (3 occurrences)
  PID 1932, svchost.exe (2 occurrences)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description / pid / process):
  Token: SeDebugPrivilege, PID 296, vbc.exe
  Token: SeDebugPrivilege, PID 1932, svchost.exe
Suspicious use of FindShellTrayWindow 4 IoCs
Processes (pid / process):
  PID 1264, Explorer.EXE (4 occurrences)
Suspicious use of SendNotifyMessage 4 IoCs
Processes (pid / process):
  PID 1264, Explorer.EXE (4 occurrences)
Suspicious use of SetWindowsHookEx 3 IoCs
Processes (pid / process):
  PID 644, EXCEL.EXE (3 occurrences)
Suspicious use of WriteProcessMemory 19 IoCs
Processes (pid / process -> target process):
  PID 1976 (EQNEDT32.EXE) wrote to memory of PID 1164 (vbc.exe) (4 occurrences)
  PID 1164 (vbc.exe) wrote to memory of PID 296 (vbc.exe) (7 occurrences)
  PID 1264 (Explorer.EXE) wrote to memory of PID 1932 (svchost.exe) (4 occurrences)
  PID 1932 (svchost.exe) wrote to memory of PID 1316 (cmd.exe) (4 occurrences)
Processes

C:\Windows\Explorer.EXE (PID 1264)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 644)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\VM ASIAN CHAMPION.xlsx"
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\svchost.exe (PID 1932)
    Command line: "C:\Windows\SysWOW64\svchost.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 1316)
      Command line: /c del "C:\Users\Public\vbc.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 1976)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Users\Public\vbc.exe (PID 1164)
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Public\vbc.exe (PID 296)
      Command line: "{path}"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Public\vbc.exe
  MD5: 026b337a051a03e14690154785c25b76
  SHA1: 9cedfcf4ef7f1aef400ff9ff39d31e7882757837
  SHA256: 2570b1f0780a754b70c2ec5525da16952c9634a2da6b21c92693380529daffe2
  SHA512: 4d32f147ea8e4e6b7c0a7ddfd0bf322029541464d6465e05bf69e483f38a0a807a6cee43ebac9385eebeed4953a2d1293da1bf124123998b054ad8eed7f00ec8
Memory dumps (resource, filesize where reported):
  memory/296-15-0x0000000000400000-0x000000000042E000-memory.dmp (184KB)
  memory/296-16-0x000000000041EAF0-mapping.dmp
  memory/1164-10-0x000000006C630000-0x000000006CD1E000-memory.dmp (6.9MB)
  memory/1164-11-0x0000000000A90000-0x0000000000A91000-memory.dmp (4KB)
  memory/1164-13-0x00000000006D0000-0x00000000006DE000-memory.dmp (56KB)
  memory/1164-14-0x00000000003A0000-0x000000000041D000-memory.dmp (500KB)
  memory/1164-7-0x0000000000000000-mapping.dmp
  memory/1316-20-0x0000000000000000-mapping.dmp
  memory/1776-2-0x000007FEF7790000-0x000007FEF7A0A000-memory.dmp (2.5MB)
  memory/1932-18-0x0000000000000000-mapping.dmp
  memory/1932-19-0x00000000004B0000-0x00000000004B8000-memory.dmp (32KB)
  memory/1932-21-0x00000000007D0000-0x0000000000953000-memory.dmp (1.5MB)