Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 15-01-2021 06:22
Static task: static1
Behavioral task: behavioral1
- Sample: VM ASIAN CHAMPION.xlsx
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: VM ASIAN CHAMPION.xlsx
- Resource: win10v20201028
General
- Target: VM ASIAN CHAMPION.xlsx
- Size: 1.8MB
- MD5: fa54fb8f1e2cb91097b66edc81c16764
- SHA1: 249aee08a090bb6c57816dce20ca968fc1a7c8d6
- SHA256: cafc9b500bdf7058b0d77f43d5aad253eb30347d483bc9b7a507f66503d04934
- SHA512: d08b1ed7cd1c3f57ccf89b87e8c37d8a9c4c2b81d6af9865ee05dea30c64dcecb540c34b49f2d4ccf5291a5a56431a4a4e3faf13cde251768e722e5b876e4cbd
Malware Config
Extracted family: formbook
C2: http://www.thejusticeadvantageseminars.com/qccq/
Decoy domains:
webuynyhouses.com
love-nepal.com
gardening-mistakes.com
495honda.com
newcuus.com
alefinvest.com
delhikigully.com
aznri4z9gtky4.net
hanswiemannbyaderans.com
mecaldiesel.com
akshen.net
y-agency.net
ahrohishrestha.com
arthalvorsonforcongress.com
mvmcompany.net
qyjjsk.com
yescoop.com
esergedrghwebrgqrq.xyz
kellyharmonedconsulting.com
deliciosatentacion.com
digihomepro.com
northchinatogo.com
intimatemomentsbtq.com
rtinvestorsolutions.com
maglex.info
tudo-a-toda-hora.com
redpriestapprel.com
screenminimum.icu
reading571.com
phoenixsommer.net
kofccouncil10004.com
ngayo.com
deborahfcasey.com
junktothedumpseattle.com
ditessili.com
houserbuilders.com
new-venice-homes.com
surrealmstudios.xyz
boldercoach.com
bigblockofcheeseday.com
magicdfw.com
centralarchery.com
sentryhilllegal.com
knowledge-noodle.com
innergardenacupuncture.com
kenneyrealtyinterest.com
newdirection4nm.com
rujgyolhb.icu
rootkit.global
vendorsforproductions.com
cryptogas.net
crucifux.com
modumbasket.com
todayluckyvisitors.com
tmfacecosmetics.com
asmmacademy.com
utocloud.com
loitethirdact.com
emfsens.com
vantaihoanganh.online
icampus.info
greenearthgator.com
iwin5588.com
bax84d.com
Signatures
-
Xloader Payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1628-16-0x000000000041D100-mapping.dmp | xloader
behavioral1/memory/1628-15-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral1/memory/1592-18-0x0000000000000000-mapping.dmp | xloader
-
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
6 | 1568 | EQNEDT32.EXE
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
836 | vbc.exe
1628 | vbc.exe
-
Loads dropped DLL 4 IoCs
Processes:
pid | process
1568 | EQNEDT32.EXE
1568 | EQNEDT32.EXE
1568 | EQNEDT32.EXE
1568 | EQNEDT32.EXE
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 836 set thread context of 1628 | 836 | vbc.exe | vbc.exe
PID 1628 set thread context of 1244 | 1628 | vbc.exe | Explorer.EXE
PID 1592 set thread context of 1244 | 1592 | systray.exe | Explorer.EXE
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
1824 | EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
pid | process | entries
1628 | vbc.exe | 2
1592 | systray.exe | 20
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid | process | entries
1628 | vbc.exe | 3
1592 | systray.exe | 2
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1628 | vbc.exe
Token: SeDebugPrivilege | 1592 | systray.exe
-
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid | process | entries
1244 | Explorer.EXE | 4
-
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
pid | process | entries
1244 | Explorer.EXE | 4
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid | process | entries
1824 | EXCEL.EXE | 3
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
description | pid | process | target process | entries
PID 1568 wrote to memory of 836 | 1568 | EQNEDT32.EXE | vbc.exe | 4
PID 836 wrote to memory of 1628 | 836 | vbc.exe | vbc.exe | 7
PID 1244 wrote to memory of 1592 | 1244 | Explorer.EXE | systray.exe | 4
PID 1592 wrote to memory of 1748 | 1592 | systray.exe | cmd.exe | 4
Processes
-
C:\Windows\Explorer.EXE (level 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (level 2)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\VM ASIAN CHAMPION.xlsx"
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\systray.exe (level 2)
Command line: "C:\Windows\SysWOW64\systray.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (level 3)
Command line: /c del "C:\Users\Public\vbc.exe"
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (level 1)
Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe (level 2)
Command line: "C:\Users\Public\vbc.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe (level 3)
Command line: "{path}"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Public\vbc.exe
MD5 70747f5955df1f8a7012cbe5d37c516f
SHA1 8a4edf21b160f31bc6d9b1d02d343e3bf5fcfd2e
SHA256 6a042012f4233929b8f5fbf73f4b958e39f2fb60d73c1d758753dd07508ef8e1
SHA512 0d84482c736c33eb5e8fc48ef1350dde530b6fbc76440dde906e31cf681631581642cd601bffbaab31fd54296489754814548f56d6c3e2a2c532b1af37309a90
-
\Users\Public\vbc.exe
MD5 70747f5955df1f8a7012cbe5d37c516f
SHA1 8a4edf21b160f31bc6d9b1d02d343e3bf5fcfd2e
SHA256 6a042012f4233929b8f5fbf73f4b958e39f2fb60d73c1d758753dd07508ef8e1
SHA512 0d84482c736c33eb5e8fc48ef1350dde530b6fbc76440dde906e31cf681631581642cd601bffbaab31fd54296489754814548f56d6c3e2a2c532b1af37309a90
-
memory/836-10-0x000000006BEC0000-0x000000006C5AE000-memory.dmp
Filesize 6.9MB
-
memory/836-11-0x0000000000100000-0x0000000000101000-memory.dmp
Filesize 4KB
-
memory/836-13-0x0000000000360000-0x000000000036E000-memory.dmp
Filesize 56KB
-
memory/836-14-0x00000000055A0000-0x000000000562D000-memory.dmp
Filesize 564KB
-
memory/836-7-0x0000000000000000-mapping.dmp
-
memory/1592-18-0x0000000000000000-mapping.dmp
-
memory/1592-19-0x0000000000C70000-0x0000000000C75000-memory.dmp
Filesize 20KB
-
memory/1592-21-0x00000000040F0000-0x000000000418A000-memory.dmp
Filesize 616KB
-
memory/1628-16-0x000000000041D100-mapping.dmp
-
memory/1628-15-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize 164KB
-
memory/1716-2-0x000007FEF7020000-0x000007FEF729A000-memory.dmp
Filesize 2.5MB
-
memory/1748-20-0x0000000000000000-mapping.dmp