Analysis
max time kernel: 149s
max time network: 142s
platform: windows7_x64
resource: win7v20201028
submitted: 18-01-2021 07:25
Static task: static1
Behavioral task: behavioral1
  Sample: 2218003603 92390-00.xlsx
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 2218003603 92390-00.xlsx
  Resource: win10v20201028
General
Target: 2218003603 92390-00.xlsx
Size: 1.3MB
MD5: 1a3223dc142b11cb7e4a2e4c42d8ba99
SHA1: 9fb84ca1ecd5c63b776f207923af1787ec64e0e9
SHA256: 624a702ccbc488c9702b2ff1f0e73a6606771837cd5a8516ccfd76f78fabab32
SHA512: fa07df7dda909fa5f44142c769ac1412633217d3de5f543ece5fd3d2836348a13496748a0f8b8d2297802694eeb449be2b985ec461ac728ec29b03fe2764c6ab
Malware Config (extracted)
Family: formbook
Signatures
Formbook Payload (3 IoCs)
Processes (resource / yara_rule):
- behavioral1/memory/2040-20-0x0000000000400000-0x000000000042E000-memory.dmp: formbook
- behavioral1/memory/2040-21-0x000000000041EB90-mapping.dmp: formbook
- behavioral1/memory/1692-31-0x0000000000080000-0x00000000000AE000-memory.dmp: formbook
Blocklisted process makes network request (1 IoCs)
Processes (flow / pid / process):
- flow 6, PID 1728, EQNEDT32.EXE
Executes dropped EXE (2 IoCs)
Processes (pid / process):
- 640 vbc.exe
- 2040 vbc.exe
Loads dropped DLL (4 IoCs)
Processes (pid / process):
- 1728 EQNEDT32.EXE (4 occurrences)
Uses the VBS compiler for execution (1 TTPs)
Suspicious use of SetThreadContext (3 IoCs)
Processes (description / pid / process / target process):
- PID 640 set thread context of 2040: 640 vbc.exe -> vbc.exe
- PID 2040 set thread context of 1236: 2040 vbc.exe -> Explorer.EXE
- PID 1692 set thread context of 1236: 1692 ipconfig.exe -> Explorer.EXE
Enumerates system info in registry (2 TTPs, 1 IoCs)
Processes (description / ioc / process):
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (EXCEL.EXE)
Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
Processes (pid / process):
- 1692 ipconfig.exe
Launches Equation Editor (1 TTPs, 1 IoCs)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Modifies Internet Explorer settings
Processes (description / ioc / process):
- Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt (EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (EXCEL.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (EXCEL.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar (EXCEL.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (EXCEL.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (EXCEL.EXE)
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes (pid / process):
- 1272 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (22 IoCs)
Processes (pid / process):
- 2040 vbc.exe (2 occurrences)
- 1692 ipconfig.exe (20 occurrences)
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes (pid / process):
- 2040 vbc.exe (3 occurrences)
- 1692 ipconfig.exe (2 occurrences)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege, 2040 vbc.exe
- Token: SeDebugPrivilege, 1692 ipconfig.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
Processes (pid / process):
- 1236 Explorer.EXE (4 occurrences)
Suspicious use of SendNotifyMessage (4 IoCs)
Processes (pid / process):
- 1236 Explorer.EXE (4 occurrences)
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes (pid / process):
- 1272 EXCEL.EXE (3 occurrences)
Suspicious use of WriteProcessMemory (19 IoCs)
Processes (description / pid / process / target process):
- PID 1728 wrote to memory of 640: 1728 EQNEDT32.EXE -> vbc.exe (4 occurrences)
- PID 640 wrote to memory of 2040: 640 vbc.exe -> vbc.exe (7 occurrences)
- PID 1236 wrote to memory of 1692: 1236 Explorer.EXE -> ipconfig.exe (4 occurrences)
- PID 1692 wrote to memory of 1480: 1692 ipconfig.exe -> cmd.exe (4 occurrences)
Processes
[depth 1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\2218003603 92390-00.xlsx"
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
  [depth 2] C:\Windows\SysWOW64\ipconfig.exe
    Command line: "C:\Windows\SysWOW64\ipconfig.exe"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Public\vbc.exe"
[depth 1] C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Public\vbc.exe
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Users\Public\vbc.exe
      Command line: "{path}"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\vbc.exe
  MD5: df8503902c4c7ed20ed1f9e6f9783e75
  SHA1: 2e81fa37efc74062d61dba361fda88a6f60e19eb
  SHA256: 7fea4608a3f80e3b819a0564f80412183f772fed84f1323bcd7b931d1af4260a
  SHA512: fb1c9933e2d4f6e5a18b23164ef6268cb5f65332544af2256dc2809507ea2153b9ecf20463da70719fef99a8e9e58ab4c19963410f5ab68f57be494c8558f16f
- memory/640-17-0x0000000004DE0000-0x0000000004DE1000-memory.dmp, Filesize 4KB
- memory/640-11-0x0000000000000000-mapping.dmp
- memory/640-14-0x000000006C210000-0x000000006C8FE000-memory.dmp, Filesize 6.9MB
- memory/640-15-0x00000000012B0000-0x00000000012B1000-memory.dmp, Filesize 4KB
- memory/640-18-0x00000000003E0000-0x00000000003EE000-memory.dmp, Filesize 56KB
- memory/640-19-0x0000000001210000-0x0000000001269000-memory.dmp, Filesize 356KB
- memory/1236-26-0x0000000005000000-0x000000000518F000-memory.dmp, Filesize 1.6MB
- memory/1236-34-0x0000000004CC0000-0x0000000004DFF000-memory.dmp, Filesize 1.2MB
- memory/1272-4-0x000000005FFF0000-0x0000000060000000-memory.dmp, Filesize 64KB
- memory/1272-2-0x000000002F8E1000-0x000000002F8E4000-memory.dmp, Filesize 12KB
- memory/1272-3-0x0000000071911000-0x0000000071913000-memory.dmp, Filesize 8KB
- memory/1480-29-0x0000000000000000-mapping.dmp
- memory/1496-6-0x000007FEF7EB0000-0x000007FEF812A000-memory.dmp, Filesize 2.5MB
- memory/1692-27-0x0000000000000000-mapping.dmp
- memory/1692-31-0x0000000000080000-0x00000000000AE000-memory.dmp, Filesize 184KB
- memory/1692-30-0x00000000005F0000-0x00000000005FA000-memory.dmp, Filesize 40KB
- memory/1692-32-0x00000000021E0000-0x00000000024E3000-memory.dmp, Filesize 3.0MB
- memory/1692-33-0x0000000000820000-0x00000000008B3000-memory.dmp, Filesize 588KB
- memory/1728-5-0x0000000076881000-0x0000000076883000-memory.dmp, Filesize 8KB
- memory/2040-25-0x0000000000450000-0x0000000000464000-memory.dmp, Filesize 80KB
- memory/2040-24-0x0000000000700000-0x0000000000A03000-memory.dmp, Filesize 3.0MB
- memory/2040-21-0x000000000041EB90-mapping.dmp
- memory/2040-20-0x0000000000400000-0x000000000042E000-memory.dmp, Filesize 184KB