Analysis
max time kernel: 150s
max time network: 147s
platform: windows7_x64
resource: win7v20201028
submitted: 14-01-2021 06:27
Static task: static1
Behavioral task: behavioral1
Sample: VM ASIAN CHAMPION.xlsx
Resource: win7v20201028
Behavioral task: behavioral2
Sample: VM ASIAN CHAMPION.xlsx
Resource: win10v20201028
General
Target: VM ASIAN CHAMPION.xlsx
Size: 2.3MB
MD5: 70e08fe3de511ea1c49386b235f29787
SHA1: 9f2bd146123e5f51b40300146c0151b11c84e7b2
SHA256: 19400ad90a61f870637312b6f21305829b608cdde97e80904df1adb07793c733
SHA512: 8994961b3d40af1b416cfb48bb403d87df36e132730020cdee48ffdcad378ab94480c14189c68458ec56aa194dcfcb4fd62b77d48da723bb72ceb0db4410b512
Malware Config
Extracted family: formbook
http://www.thejusticeadvantageseminars.com/qccq/
webuynyhouses.com
love-nepal.com
gardening-mistakes.com
495honda.com
newcuus.com
alefinvest.com
delhikigully.com
aznri4z9gtky4.net
hanswiemannbyaderans.com
mecaldiesel.com
akshen.net
y-agency.net
ahrohishrestha.com
arthalvorsonforcongress.com
mvmcompany.net
qyjjsk.com
yescoop.com
esergedrghwebrgqrq.xyz
kellyharmonedconsulting.com
deliciosatentacion.com
digihomepro.com
northchinatogo.com
intimatemomentsbtq.com
rtinvestorsolutions.com
maglex.info
tudo-a-toda-hora.com
redpriestapprel.com
screenminimum.icu
reading571.com
phoenixsommer.net
kofccouncil10004.com
ngayo.com
deborahfcasey.com
junktothedumpseattle.com
ditessili.com
houserbuilders.com
new-venice-homes.com
surrealmstudios.xyz
boldercoach.com
bigblockofcheeseday.com
magicdfw.com
centralarchery.com
sentryhilllegal.com
knowledge-noodle.com
innergardenacupuncture.com
kenneyrealtyinterest.com
newdirection4nm.com
rujgyolhb.icu
rootkit.global
vendorsforproductions.com
cryptogas.net
crucifux.com
modumbasket.com
todayluckyvisitors.com
tmfacecosmetics.com
asmmacademy.com
utocloud.com
loitethirdact.com
emfsens.com
vantaihoanganh.online
icampus.info
greenearthgator.com
iwin5588.com
bax84d.com
Signatures
-
Xloader Payload 3 IoCs
Processes:
(resource, yara_rule)
- behavioral1/memory/316-15-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
- behavioral1/memory/316-16-0x000000000041D100-mapping.dmp: xloader
- behavioral1/memory/1692-18-0x0000000000000000-mapping.dmp: xloader
Blocklisted process makes network request 1 IoCs
Processes:
(flow, pid, process)
- flow 6, pid 1832, EQNEDT32.EXE
Executes dropped EXE 2 IoCs
Processes:
(pid, process)
- 1416 vbc.exe
- 316 vbc.exe
Loads dropped DLL 4 IoCs
Processes:
(pid, process)
- 1832 EQNEDT32.EXE (4 occurrences)
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
(description, pid, process, target process)
- PID 1416 set thread context of 316: 1416 vbc.exe -> vbc.exe
- PID 316 set thread context of 1244: 316 vbc.exe -> Explorer.EXE
- PID 316 set thread context of 1244: 316 vbc.exe -> Explorer.EXE
- PID 1692 set thread context of 1244: 1692 wlanext.exe -> Explorer.EXE
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
(description, ioc, process)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (EXCEL.EXE)
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings
Processes:
(description, ioc, process; all by EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar
- Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
- Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
- Set value (int): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
- Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
- Set value (int): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
- Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
- Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt
- Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
(pid, process)
- 848 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
(pid, process)
- 316 vbc.exe (3 occurrences)
- 1692 wlanext.exe (19 occurrences)
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
(pid, process)
- 316 vbc.exe (4 occurrences)
- 1692 wlanext.exe (2 occurrences)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
(description, pid, process)
- Token: SeDebugPrivilege, 316 vbc.exe
- Token: SeDebugPrivilege, 1692 wlanext.exe
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
(pid, process)
- 1244 Explorer.EXE (4 occurrences)
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
(pid, process)
- 1244 Explorer.EXE (4 occurrences)
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
(pid, process)
- 848 EXCEL.EXE (3 occurrences)
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
(description, pid, process, target process)
- PID 1832 wrote to memory of 1416: 1832 EQNEDT32.EXE -> vbc.exe (4 occurrences)
- PID 1416 wrote to memory of 316: 1416 vbc.exe -> vbc.exe (7 occurrences)
- PID 1244 wrote to memory of 1692: 1244 Explorer.EXE -> wlanext.exe (4 occurrences)
- PID 1692 wrote to memory of 1312: 1692 wlanext.exe -> cmd.exe (4 occurrences)
Processes
-
C:\Windows\Explorer.EXE (tree level 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (tree level 2)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\VM ASIAN CHAMPION.xlsx"
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\wlanext.exe (tree level 2)
Command line: "C:\Windows\SysWOW64\wlanext.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (tree level 3)
Command line: /c del "C:\Users\Public\vbc.exe"
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (tree level 1)
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe (tree level 2)
Command line: "C:\Users\Public\vbc.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe (tree level 3)
Command line: "{path}"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Public\vbc.exe
MD5: bdcead3de71d101dc2d02676be1c9df5
SHA1: 77d0bbdcace2954887ada67d2f6e4fa00c120a78
SHA256: 468a5fa19b50d02ae7d842b9892e4406bc523371b64ae599517ec04a2ec5abc7
SHA512: aa3203081a1e506bc09c2d7b9f0200dfa5305224525f7aa14c9869303149b2d429a19287adca0e34aaddef92114446e9b6a0ef5fca8cf20edbadd8934a9ba044
-
\Users\Public\vbc.exe
MD5: bdcead3de71d101dc2d02676be1c9df5
SHA1: 77d0bbdcace2954887ada67d2f6e4fa00c120a78
SHA256: 468a5fa19b50d02ae7d842b9892e4406bc523371b64ae599517ec04a2ec5abc7
SHA512: aa3203081a1e506bc09c2d7b9f0200dfa5305224525f7aa14c9869303149b2d429a19287adca0e34aaddef92114446e9b6a0ef5fca8cf20edbadd8934a9ba044
-
memory/316-15-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize: 164KB
-
memory/316-16-0x000000000041D100-mapping.dmp
-
memory/1312-20-0x0000000000000000-mapping.dmp
-
memory/1416-10-0x000000006C860000-0x000000006CF4E000-memory.dmp
Filesize: 6.9MB
-
memory/1416-11-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
Filesize: 4KB
-
memory/1416-13-0x0000000000520000-0x000000000052E000-memory.dmp
Filesize: 56KB
-
memory/1416-14-0x00000000056E0000-0x0000000005770000-memory.dmp
Filesize: 576KB
-
memory/1416-7-0x0000000000000000-mapping.dmp
-
memory/1488-2-0x000007FEF6460000-0x000007FEF66DA000-memory.dmp
Filesize: 2.5MB
-
memory/1692-18-0x0000000000000000-mapping.dmp
-
memory/1692-19-0x0000000000B50000-0x0000000000B66000-memory.dmp
Filesize: 88KB
-
memory/1692-21-0x00000000042C0000-0x0000000004434000-memory.dmp
Filesize: 1.5MB