Analysis

- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 14-01-2021 06:26

Tasks:
- Static task static1
- Behavioral task behavioral1: sample "new order.xlsx", resource win7v20201028
- Behavioral task behavioral2: sample "new order.xlsx", resource win10v20201028
General

- Target: new order.xlsx
- Size: 1.4MB
- MD5: 6f72ba8da386566b04b4101c84087037
- SHA1: 8609e0eab98f629be62c8467cf89cb07e3273639
- SHA256: cc37109e31ff6ed6792d0f9201d3a5169a51dabae5d40806195344a8f3c8ac1f
- SHA512: 8bbf675fc7cda860305c1bf491fcc2a8f456653b4bdc9d06961d1a7b5dbd429674b31715b0ebc4e03c3244587b406cc2504e024312b7b8c70470a26b41508e4d
Malware Config

- Extracted family: formbook
- URL: http://www.h-v-biz.com/c8so/
Signatures

Xloader Payload (3 IoCs)
  Resource / YARA rule:
  - behavioral1/memory/1032-15-0x0000000000400000-0x0000000000428000-memory.dmp: xloader
  - behavioral1/memory/1032-16-0x000000000041CFE0-mapping.dmp: xloader
  - behavioral1/memory/520-18-0x0000000000000000-mapping.dmp: xloader

Blocklisted process makes network request (1 IoC)
  - flow 7, PID 1640, EQNEDT32.EXE

Executes dropped EXE (2 IoCs)
  - PID 684, vbc.exe
  - PID 1032, vbc.exe

Loads dropped DLL (4 IoCs)
  - PID 1640, EQNEDT32.EXE (4 times)

Uses the VBS compiler for execution (1 TTP)

Suspicious use of SetThreadContext (3 IoCs)
  - PID 684 (vbc.exe) set thread context of PID 1032 (vbc.exe)
  - PID 1032 (vbc.exe) set thread context of PID 1204 (Explorer.EXE)
  - PID 520 (help.exe) set thread context of PID 1204 (Explorer.EXE)

Enumerates system info in registry (2 TTPs, 1 IoC)
  - Key opened by EXCEL.EXE: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor
Launches Equation Editor (1 TTP, 1 IoC)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
  Registry changes made by EXCEL.EXE; all keys are under
  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\
  - Set value (str) Toolbar\ShowDiscussionButton = "Yes"
  - Key created MenuExt\Se&nd to OneNote
  - Set value (str) MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  - Set value (str) MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  - Key created Toolbar
  - Key created MenuExt
  - Set value (int) MenuExt\Se&nd to OneNote\Contexts = "55"
  - Key created MenuExt\E&xport to Microsoft Excel
  - Set value (int) MenuExt\E&xport to Microsoft Excel\Contexts = "1"
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  - PID 1680, EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (21 IoCs)
  - PID 684, vbc.exe (1 time)
  - PID 1032, vbc.exe (2 times)
  - PID 520, help.exe (18 times)

Suspicious behavior: MapViewOfSection (5 IoCs)
  - PID 1032, vbc.exe (3 times)
  - PID 520, help.exe (2 times)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  - Token SeDebugPrivilege: PID 684, vbc.exe
  - Token SeDebugPrivilege: PID 1032, vbc.exe
  - Token SeDebugPrivilege: PID 520, help.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
  - PID 1204, Explorer.EXE (4 times)

Suspicious use of SendNotifyMessage (4 IoCs)
  - PID 1204, Explorer.EXE (4 times)

Suspicious use of SetWindowsHookEx (3 IoCs)
  - PID 1680, EXCEL.EXE (3 times)

Suspicious use of WriteProcessMemory (19 IoCs)
  - PID 1640 (EQNEDT32.EXE) wrote to memory of PID 684 (vbc.exe): 4 times
  - PID 684 (vbc.exe) wrote to memory of PID 1032 (vbc.exe): 7 times
  - PID 1204 (Explorer.EXE) wrote to memory of PID 520 (help.exe): 4 times
  - PID 520 (help.exe) wrote to memory of PID 1872 (cmd.exe): 4 times
Processes

- [1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  - [2] C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\new order.xlsx"
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

  - [2] C:\Windows\SysWOW64\help.exe
    command line: "C:\Windows\SysWOW64\help.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Public\vbc.exe"

- [1] C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  - [2] C:\Users\Public\vbc.exe
    command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - [3] C:\Users\Public\vbc.exe
      command line: "{path}"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Downloads

- C:\Users\Public\vbc.exe
  MD5: cd925558146dc80ccf028ce0e9a5c542
  SHA1: e91a37336f7c2accce48b407f622e1c2bfb7c76f
  SHA256: 41440a2e9db109558bde920dddba0eee3a5f269eef4c0d80eedf6a0bf0445a70
  SHA512: 54df05cc95e14b18c85f1621960ce32e4590b6a7ff06ac365369c3609a32a9dd9559a0ffd584532a1fa6fe591579415722159ac76c1b8bdfa9400034b72a88f4
- memory/520-21-0x0000000004320000-0x00000000044A2000-memory.dmp (1.5MB)
- memory/520-19-0x0000000000B80000-0x0000000000B86000-memory.dmp (24KB)
- memory/520-18-0x0000000000000000-mapping.dmp
- memory/684-10-0x000000006C3E0000-0x000000006CACE000-memory.dmp (6.9MB)
- memory/684-14-0x0000000005760000-0x00000000057F1000-memory.dmp (580KB)
- memory/684-13-0x0000000000350000-0x000000000035E000-memory.dmp (56KB)
- memory/684-11-0x00000000008E0000-0x00000000008E1000-memory.dmp (4KB)
- memory/684-7-0x0000000000000000-mapping.dmp
- memory/1032-15-0x0000000000400000-0x0000000000428000-memory.dmp (160KB)
- memory/1032-16-0x000000000041CFE0-mapping.dmp
- memory/1396-2-0x000007FEF81B0000-0x000007FEF842A000-memory.dmp (2.5MB)
- memory/1872-20-0x0000000000000000-mapping.dmp