Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
13-01-2021 06:20
Static task
static1
Behavioral task
behavioral1
Sample
invoice.xlsx
Resource
win7v20201028
Behavioral task
behavioral2
Sample
invoice.xlsx
Resource
win10v20201028
General
-
Target
invoice.xlsx
-
Size
1.4MB
-
MD5
f797660bb4a8d43cf75e570e59ffd6a1
-
SHA1
830d68b065521d15f014677aa80acc4fc4098360
-
SHA256
8c4ecf908b97c808d8cc843ecd6c32928d3402b348b897b46629c2a96351ac39
-
SHA512
c7fdd95ec3e672ecd312d63f75876c6142676a054c594d0dcddb0c1b56c677f9f10338133ef8e38a38ea64bca2c51aa812080e2be0c70070fdb6efb0f3d794b9
Malware Config
Extracted
formbook
http://www.h-v-biz.com/c8so/
floeperformancegear.com
youtubeincreaser.com
cbb-is.com
bullsbikeusa.com
mama-asobitai.com
parkdaleliving.com
kinneintl.com
byrondramos.com
topangashaman.com
channel1057.com
nuancedigitalsolutions.com
kumheekim.com
erikating.com
ulinekorea.com
giftoes.com
blacknation.info
eventsdonevirtually.com
mx190501.com
bingent.info
seronofertilitymeds.com
homeloanswap.com
radissonusadevelopment.com
fuzionclood.com
best-datingclub.com
monjesphoto.com
kaysklittra.com
redirect.space
heliaoyixue.com
studentsafetysheild.info
automicsky.com
drsachinguptaoncologist.com
viralbisnisricis.com
ortodontx.com
lj5683.com
177braithwaite.com
peopleofpublix.com
vapesaucepro.com
zhadzc.com
yourattractionllc.net
linguafrancese.com
kindredkitchencatering.com
jikzo.com
studyspanissh.com
kidsbele.com
rainyknyght.com
cassandrastark.com
mysooners.com
catcara.com
shangxiaidea.com
vancouverjuniorgiants.com
xn--iiq68jfvffs1f.store
cfndonline.com
blenclad.net
alexroquemedia.com
escorturkiye.xyz
yurukire.com
floortak.com
rickettes.com
bubblewrapjogja.com
jayachandraadvertising.com
cleansevacco.com
magazinepodcastcce.com
mybusiness-plus.com
cleverwares.com
Signatures
-
Xloader Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1372-18-0x000000000041CFE0-mapping.dmp xloader behavioral1/memory/1372-17-0x0000000000400000-0x0000000000428000-memory.dmp xloader behavioral1/memory/1324-21-0x0000000000000000-mapping.dmp xloader -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 7 1156 EQNEDT32.EXE -
Executes dropped EXE 2 IoCs
Processes:
vbc.exevbc.exepid process 928 vbc.exe 1372 vbc.exe -
Loads dropped DLL 4 IoCs
Processes:
EQNEDT32.EXEpid process 1156 EQNEDT32.EXE 1156 EQNEDT32.EXE 1156 EQNEDT32.EXE 1156 EQNEDT32.EXE -
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
vbc.exevbc.exechkdsk.exedescription pid process target process PID 928 set thread context of 1372 928 vbc.exe vbc.exe PID 1372 set thread context of 1196 1372 vbc.exe Explorer.EXE PID 1372 set thread context of 1196 1372 vbc.exe Explorer.EXE PID 1324 set thread context of 1196 1324 chkdsk.exe Explorer.EXE -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
EXCEL.EXEchkdsk.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
EXCEL.EXEdescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 1036 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 19 IoCs
Processes:
vbc.exechkdsk.exepid process 1372 vbc.exe 1372 vbc.exe 1372 vbc.exe 1324 chkdsk.exe 1324 chkdsk.exe 1324 chkdsk.exe 1324 chkdsk.exe 1324 chkdsk.exe 1324 chkdsk.exe 1324 chkdsk.exe 1324 chkdsk.exe 1324 chkdsk.exe 1324 chkdsk.exe 1324 chkdsk.exe 1324 chkdsk.exe 1324 chkdsk.exe 1324 chkdsk.exe 1324 chkdsk.exe 1324 chkdsk.exe -
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
vbc.exechkdsk.exepid process 1372 vbc.exe 1372 vbc.exe 1372 vbc.exe 1372 vbc.exe 1324 chkdsk.exe 1324 chkdsk.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vbc.exevbc.exechkdsk.exedescription pid process Token: SeDebugPrivilege 928 vbc.exe Token: SeDebugPrivilege 1372 vbc.exe Token: SeDebugPrivilege 1324 chkdsk.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
Explorer.EXEpid process 1196 Explorer.EXE 1196 Explorer.EXE 1196 Explorer.EXE 1196 Explorer.EXE -
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
Explorer.EXEpid process 1196 Explorer.EXE 1196 Explorer.EXE 1196 Explorer.EXE 1196 Explorer.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
EXCEL.EXEpid process 1036 EXCEL.EXE 1036 EXCEL.EXE 1036 EXCEL.EXE -
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
EQNEDT32.EXEvbc.exeExplorer.EXEchkdsk.exedescription pid process target process PID 1156 wrote to memory of 928 1156 EQNEDT32.EXE vbc.exe PID 1156 wrote to memory of 928 1156 EQNEDT32.EXE vbc.exe PID 1156 wrote to memory of 928 1156 EQNEDT32.EXE vbc.exe PID 1156 wrote to memory of 928 1156 EQNEDT32.EXE vbc.exe PID 928 wrote to memory of 1600 928 vbc.exe schtasks.exe PID 928 wrote to memory of 1600 928 vbc.exe schtasks.exe PID 928 wrote to memory of 1600 928 vbc.exe schtasks.exe PID 928 wrote to memory of 1600 928 vbc.exe schtasks.exe PID 928 wrote to memory of 1372 928 vbc.exe vbc.exe PID 928 wrote to memory of 1372 928 vbc.exe vbc.exe PID 928 wrote to memory of 1372 928 vbc.exe vbc.exe PID 928 wrote to memory of 1372 928 vbc.exe vbc.exe PID 928 wrote to memory of 1372 928 vbc.exe vbc.exe PID 928 wrote to memory of 1372 928 vbc.exe vbc.exe PID 928 wrote to memory of 1372 928 vbc.exe vbc.exe PID 1196 wrote to memory of 1324 1196 Explorer.EXE chkdsk.exe PID 1196 wrote to memory of 1324 1196 Explorer.EXE chkdsk.exe PID 1196 wrote to memory of 1324 1196 Explorer.EXE chkdsk.exe PID 1196 wrote to memory of 1324 1196 Explorer.EXE chkdsk.exe PID 1324 wrote to memory of 1720 1324 chkdsk.exe cmd.exe PID 1324 wrote to memory of 1720 1324 chkdsk.exe cmd.exe PID 1324 wrote to memory of 1720 1324 chkdsk.exe cmd.exe PID 1324 wrote to memory of 1720 1324 chkdsk.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\invoice.xlsx2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\chkdsk.exe"C:\Windows\SysWOW64\chkdsk.exe"2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Public\vbc.exe"3⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dromkeG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp315D.tmp"3⤵
- Creates scheduled task(s)
-
C:\Users\Public\vbc.exe"{path}"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp315D.tmpMD5
56b3e72ecc4d443da73ca752593fa22b
SHA1d55f157e39628e52536540d1e3b6b3024190c76d
SHA256d54974e6f93cd71f5ce1292e96a00faa287088def85846dc44e8243c78788a74
SHA512f7b8b9102a8a973124da76aac085fb35514cb3eecee8f7442d99baefebc0fb4018cbe07dab711152d954e916e7e485c5ae3cb323c01335b1e66c70aa50bc04ae
-
C:\Users\Public\vbc.exeMD5
8fb76e6c9b652646d7c1f7f377c97cbd
SHA1087721c9ad24c3895e66186c208512706b64f025
SHA25681e7927ab5ca518d06687dc18d5c4df22198011494322486e562136344d2513b
SHA512cfb1aa684ea4be725ec7c63cb6477404f7a591b017743866e77afea9f39fd1c117af614b3654d21652f43ffcad31ad63bd93981ef17dc37157e3b4be1f6bdb8b
-
C:\Users\Public\vbc.exeMD5
8fb76e6c9b652646d7c1f7f377c97cbd
SHA1087721c9ad24c3895e66186c208512706b64f025
SHA25681e7927ab5ca518d06687dc18d5c4df22198011494322486e562136344d2513b
SHA512cfb1aa684ea4be725ec7c63cb6477404f7a591b017743866e77afea9f39fd1c117af614b3654d21652f43ffcad31ad63bd93981ef17dc37157e3b4be1f6bdb8b
-
C:\Users\Public\vbc.exeMD5
8fb76e6c9b652646d7c1f7f377c97cbd
SHA1087721c9ad24c3895e66186c208512706b64f025
SHA25681e7927ab5ca518d06687dc18d5c4df22198011494322486e562136344d2513b
SHA512cfb1aa684ea4be725ec7c63cb6477404f7a591b017743866e77afea9f39fd1c117af614b3654d21652f43ffcad31ad63bd93981ef17dc37157e3b4be1f6bdb8b
-
\Users\Public\vbc.exeMD5
8fb76e6c9b652646d7c1f7f377c97cbd
SHA1087721c9ad24c3895e66186c208512706b64f025
SHA25681e7927ab5ca518d06687dc18d5c4df22198011494322486e562136344d2513b
SHA512cfb1aa684ea4be725ec7c63cb6477404f7a591b017743866e77afea9f39fd1c117af614b3654d21652f43ffcad31ad63bd93981ef17dc37157e3b4be1f6bdb8b
-
\Users\Public\vbc.exeMD5
8fb76e6c9b652646d7c1f7f377c97cbd
SHA1087721c9ad24c3895e66186c208512706b64f025
SHA25681e7927ab5ca518d06687dc18d5c4df22198011494322486e562136344d2513b
SHA512cfb1aa684ea4be725ec7c63cb6477404f7a591b017743866e77afea9f39fd1c117af614b3654d21652f43ffcad31ad63bd93981ef17dc37157e3b4be1f6bdb8b
-
\Users\Public\vbc.exeMD5
8fb76e6c9b652646d7c1f7f377c97cbd
SHA1087721c9ad24c3895e66186c208512706b64f025
SHA25681e7927ab5ca518d06687dc18d5c4df22198011494322486e562136344d2513b
SHA512cfb1aa684ea4be725ec7c63cb6477404f7a591b017743866e77afea9f39fd1c117af614b3654d21652f43ffcad31ad63bd93981ef17dc37157e3b4be1f6bdb8b
-
\Users\Public\vbc.exeMD5
8fb76e6c9b652646d7c1f7f377c97cbd
SHA1087721c9ad24c3895e66186c208512706b64f025
SHA25681e7927ab5ca518d06687dc18d5c4df22198011494322486e562136344d2513b
SHA512cfb1aa684ea4be725ec7c63cb6477404f7a591b017743866e77afea9f39fd1c117af614b3654d21652f43ffcad31ad63bd93981ef17dc37157e3b4be1f6bdb8b
-
memory/928-13-0x0000000000950000-0x000000000095E000-memory.dmpFilesize
56KB
-
memory/928-14-0x00000000002E0000-0x000000000035B000-memory.dmpFilesize
492KB
-
memory/928-10-0x000000006C8A0000-0x000000006CF8E000-memory.dmpFilesize
6.9MB
-
memory/928-7-0x0000000000000000-mapping.dmp
-
memory/928-11-0x0000000001090000-0x0000000001091000-memory.dmpFilesize
4KB
-
memory/1196-20-0x0000000006390000-0x00000000064D7000-memory.dmpFilesize
1.3MB
-
memory/1324-24-0x0000000004880000-0x0000000004923000-memory.dmpFilesize
652KB
-
memory/1324-22-0x0000000000210000-0x0000000000217000-memory.dmpFilesize
28KB
-
memory/1324-21-0x0000000000000000-mapping.dmp
-
memory/1372-18-0x000000000041CFE0-mapping.dmp
-
memory/1372-17-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/1432-2-0x000007FEF6550000-0x000007FEF67CA000-memory.dmpFilesize
2.5MB
-
memory/1600-15-0x0000000000000000-mapping.dmp
-
memory/1720-23-0x0000000000000000-mapping.dmp