Analysis
- max time kernel: 148s
- max time network: 142s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 14-01-2021 06:26

Tasks:
- Static task static1
- Behavioral task behavioral1: Sample RFQ.xlsx, Resource win7v20201028
- Behavioral task behavioral2: Sample RFQ.xlsx, Resource win10v20201028
General
- Target: RFQ.xlsx
- Size: 1.4MB
- MD5: c15273784bc0bf72b8c4a1118be6aa58
- SHA1: 6eca54832d4acd388a69a53ba5b8059e8cc2c29c
- SHA256: d2139bcc2f4a4ac6e91de5f9f55d23743f61023e494fac3e13817a9f558d959e
- SHA512: 0c89c44fe4f2d9e0af857773d6a4d71e7311a1b44ea7b780cdb34f2ea38984e4d74876f0c9d608d8a30a331be295454d75baa51ef4dbdcb33e6d51c97cda1a7b
Malware Config
- Extracted: formbook
Signatures
- Formbook Payload (3 IoCs)
  Processes (resource, yara_rule):
  - behavioral1/memory/1584-15-0x0000000000400000-0x000000000042E000-memory.dmp: formbook
  - behavioral1/memory/1584-16-0x000000000041EB60-mapping.dmp: formbook
  - behavioral1/memory/564-18-0x0000000000000000-mapping.dmp: formbook
- Blocklisted process makes network request (1 IoC)
  Processes (flow, pid, process):
  - flow 6, pid 1872, EQNEDT32.EXE
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 956 vbc.exe
  - 1584 vbc.exe
- Loads dropped DLL (4 IoCs)
  Processes (pid, process):
  - 1872 EQNEDT32.EXE (4 times)
- Uses the VBS compiler for execution (1 TTP)
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description, pid, process, target process):
  - PID 956 set thread context of 1584: vbc.exe -> vbc.exe
  - PID 1584 set thread context of 1236: vbc.exe -> Explorer.EXE
  - PID 564 set thread context of 1236: rundll32.exe -> Explorer.EXE
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  - Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (EXCEL.EXE)
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Modifies Internet Explorer settings
  Processes (description, ioc, process):
  - Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (EXCEL.EXE)
  - Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt (EXCEL.EXE)
  - Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (EXCEL.EXE)
  - Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (EXCEL.EXE)
  - Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar (EXCEL.EXE)
  - Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (EXCEL.EXE)
  - Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (EXCEL.EXE)
  - Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (EXCEL.EXE)
  - Set value (int) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (EXCEL.EXE)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid, process):
  - 1944 EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (22 IoCs)
  Processes (pid, process):
  - 1584 vbc.exe (2 times)
  - 564 rundll32.exe (20 times)
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes (pid, process):
  - 1584 vbc.exe (3 times)
  - 564 rundll32.exe (2 times)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 1584 vbc.exe
  - Token: SeDebugPrivilege, 564 rundll32.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes (pid, process):
  - 1236 Explorer.EXE (4 times)
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes (pid, process):
  - 1236 Explorer.EXE (4 times)
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes (pid, process):
  - 1944 EXCEL.EXE (3 times)
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes (description, pid, process, target process):
  - PID 1872 wrote to memory of 956: EQNEDT32.EXE -> vbc.exe (4 times)
  - PID 956 wrote to memory of 1584: vbc.exe -> vbc.exe (7 times)
  - PID 1236 wrote to memory of 564: Explorer.EXE -> rundll32.exe (7 times)
  - PID 564 wrote to memory of 1340: rundll32.exe -> cmd.exe (4 times)
Processes
- C:\Windows\Explorer.EXE (level 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (level 2)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\RFQ.xlsx
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\rundll32.exe (level 2)
    Command line: "C:\Windows\SysWOW64\rundll32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: /c del "C:\Users\Public\vbc.exe"
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (level 1)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Public\vbc.exe (level 2)
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Public\vbc.exe (level 3)
      Command line: "{path}"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Public\vbc.exe
  MD5: e58bbe8181fc690e1b6d806514afaa6d
  SHA1: 351a819674f7293a00dfed0f9e8c08a1dadad562
  SHA256: 30dd3160b2a93b2b20726e2707ad4781b8e6e3802865fc1f0582a3b9eb1644e0
  SHA512: 717ff39223e387d82e7b2fee06f9866bdcf86bfbaf5c7d42c435a568d7998810dd18a8703d345657badb13a54b4620cb2201739c28b08a4c0e52185c609e64d1
- memory/564-21-0x0000000003130000-0x0000000003210000-memory.dmp (Filesize 896KB)
- memory/564-19-0x0000000000970000-0x000000000097E000-memory.dmp (Filesize 56KB)
- memory/564-18-0x0000000000000000-mapping.dmp
- memory/956-10-0x000000006C260000-0x000000006C94E000-memory.dmp (Filesize 6.9MB)
- memory/956-14-0x0000000005420000-0x00000000054B3000-memory.dmp (Filesize 588KB)
- memory/956-13-0x0000000000550000-0x000000000055E000-memory.dmp (Filesize 56KB)
- memory/956-11-0x00000000008C0000-0x00000000008C1000-memory.dmp (Filesize 4KB)
- memory/956-7-0x0000000000000000-mapping.dmp
- memory/1340-20-0x0000000000000000-mapping.dmp
- memory/1584-15-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize 184KB)
- memory/1584-16-0x000000000041EB60-mapping.dmp
- memory/1660-2-0x000007FEF6080000-0x000007FEF62FA000-memory.dmp (Filesize 2.5MB)