Analysis

- max time kernel: 147s
- max time network: 143s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 18-01-2021 07:25
- Static task static1
- Behavioral task behavioral1: sample "TT Payment - 105,272.40.xlsx", resource win7v20201028
- Behavioral task behavioral2: sample "TT Payment - 105,272.40.xlsx", resource win10v20201028
General

- Target: TT Payment - 105,272.40.xlsx
- Size: 1.9MB
- MD5: eaeea812b9d9bcb9aa3373449e869411
- SHA1: 4da441a80229eb466c232a0a1d05aa5a0cf7ea21
- SHA256: 9f505c683b52a195879f9836e49009f89ea1caa957327edad4b79316f72540c9
- SHA512: d5806799f7c84a570d39ec82077b4bd2f2286d9a98e4515aa20e4b4faf91b23b1e489aa1db4ce1739ca463ce7fa1b16da7064e7d06e8fde212fb5e95c1eaae7d
Malware Config

- Family (extracted): formbook
- C2 URL: http://www.bytecommunication.com/aky/
- Decoy domains (64, listed below): Formbook contacts a random subset of these alongside the real C2 on every check-in, so a single lookup of one of them is weak evidence on its own; the C2 host is the strong indicator.
jeiksaoeklea.com
sagame-auto.net
soloseriolavoro.com
thecreatorsbook.com
superskritch.com
oroxequipment.com
heart-of-art.online
liwedfg.com
fisherofsouls.com
jota.xyz
nehyam.com
smart-contact-delivery.com
hoom.guru
dgryds.com
thesoakcpd.com
mishv.com
rings-factory.info
bero-craft-beers.com
podcastnamegenerators.com
856379813.xyz
ruinfectious.com
wdcsupport.com
youngbrokeandeducated.com
shpments75.com
louisbmartinez100th.com
shining.ink
hkexpresswaterford.com
quickcashoffersatl.com
180cliniconline.com
mainriskintl.com
clinicadosorriso.com
kuxueyunkeji.com
smart-acumen.com
maisonkerlann.com
jewishposter.com
xn--w52b77ujva.com
antoniodevivo.com
diversitypatriots.com
tiotacos.company
ventumgi.com
ip-tv.online
smithvilletexashistory.com
amruta-varshini.com
wildpositive.com
alifezap.com
nczjt.net
palmsvillaswhitneyranch.com
experiencemoretogether.com
dewitfire.com
scruffynotfluffy.online
bazarsurtidorico.com
dayscosmetics.com
tpsvegas.com
externalboard.com
2125lynchmere.com
agroplenty.com
easterneuropemall.com
whtoys888.com
writehousepoint.com
ppeaceandgloves.com
sadtire.press
jj3994.com
smokenengines.com
offplanprojects-re.com
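Matching DNS logs against the extracted config, as an added example that is not part of the sandbox report or of any Formbook tooling. C2_URL and DECOYS are copied from the Malware Config section; the DNS log lines are constructed for the demo; the "3 distinct decoys within 10 minutes" rule is this example's own threshold, to be tuned against local DNS volume, not a documented Formbook constant.

```python
"""Match '<iso-timestamp> <client-ip> <qname>' DNS log lines against the
Formbook config above (added example; SAMPLE_LOG is constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

C2_URL = "http://www.bytecommunication.com/aky/"
C2_HOST = urlsplit(C2_URL).hostname          # "www.bytecommunication.com"
# Also accept the registered domain, since the bot may resolve it bare.
C2_HOSTS = {C2_HOST, C2_HOST[4:] if C2_HOST.startswith("www.") else C2_HOST}

# The other 64 hosts in the config: Formbook's decoy list. The bot mixes
# requests to a few of these in with every real C2 check-in.
DECOYS = frozenset("""
jeiksaoeklea.com sagame-auto.net soloseriolavoro.com thecreatorsbook.com
superskritch.com oroxequipment.com heart-of-art.online liwedfg.com
fisherofsouls.com jota.xyz nehyam.com smart-contact-delivery.com hoom.guru
dgryds.com thesoakcpd.com mishv.com rings-factory.info bero-craft-beers.com
podcastnamegenerators.com 856379813.xyz ruinfectious.com wdcsupport.com
youngbrokeandeducated.com shpments75.com louisbmartinez100th.com shining.ink
hkexpresswaterford.com quickcashoffersatl.com 180cliniconline.com
mainriskintl.com clinicadosorriso.com kuxueyunkeji.com smart-acumen.com
maisonkerlann.com jewishposter.com xn--w52b77ujva.com antoniodevivo.com
diversitypatriots.com tiotacos.company ventumgi.com ip-tv.online
smithvilletexashistory.com amruta-varshini.com wildpositive.com alifezap.com
nczjt.net palmsvillaswhitneyranch.com experiencemoretogether.com dewitfire.com
scruffynotfluffy.online bazarsurtidorico.com dayscosmetics.com tpsvegas.com
externalboard.com 2125lynchmere.com agroplenty.com easterneuropemall.com
whtoys888.com writehousepoint.com ppeaceandgloves.com sadtire.press jj3994.com
smokenengines.com offplanprojects-re.com
""".split())


def listed_domain(qname):
    """Return the config entry that qname equals or is a subdomain of, else None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):          # never match a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in C2_HOSTS or candidate in DECOYS:
            return candidate
    return None


def scan(lines, window=timedelta(minutes=10), min_decoys=3):
    """Return {client: verdict}. A C2 lookup is a hit on its own; decoy lookups
    only count when one client touches min_decoys distinct decoys inside
    `window`, which is the beacon pattern rather than a stray visit to one of
    the (often legitimate) decoy sites."""
    hits = defaultdict(list)                  # client -> [(timestamp, domain)]
    for line in lines:
        ts, client, qname = line.split()
        matched = listed_domain(qname)
        if matched is not None:
            hits[client].append((datetime.fromisoformat(ts), matched))

    verdicts = {}
    for client, events in hits.items():
        events.sort()
        if any(d in C2_HOSTS for _, d in events):
            verdicts[client] = "formbook-c2"
            continue
        for i, (t0, _) in enumerate(events):  # sliding window over decoy hits
            in_window = {d for t, d in events[i:] if t - t0 <= window}
            if len(in_window) >= min_decoys:
                verdicts[client] = "formbook-decoy-cluster"
                break
    return verdicts


# Constructed log: one host hitting the C2, one showing the decoy cluster,
# one with a single (probably legitimate) decoy lookup that must not fire.
SAMPLE_LOG = """\
2021-01-18T07:30:01 10.0.0.5 www.bytecommunication.com
2021-01-18T07:30:02 10.0.0.5 hoom.guru
2021-01-18T07:30:03 10.0.0.5 mishv.com
2021-01-18T07:31:15 10.0.0.7 jota.xyz
2021-01-18T07:32:00 10.0.0.7 cdn.shining.ink
2021-01-18T07:35:40 10.0.0.7 nczjt.net
2021-01-18T09:10:00 10.0.0.9 thecreatorsbook.com
2021-01-18T09:10:05 10.0.0.9 www.microsoft.com
""".splitlines()

if __name__ == "__main__":
    for client, verdict in sorted(scan(SAMPLE_LOG).items()):
        print(client, verdict)
```

The clustering step matters because most decoys are real third-party sites: blocking or alerting on each one individually produces false positives, while several of them from one client inside a few minutes, with no other reason to visit them, is the Formbook check-in pattern.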
Signatures

Formbook Payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1580-20-0x0000000000400000-0x000000000042E000-memory.dmp  formbook
  behavioral1/memory/1580-21-0x000000000041EB60-mapping.dmp                    formbook
  behavioral1/memory/848-30-0x0000000000080000-0x00000000000AE000-memory.dmp   formbook

Blocklisted process makes network request (1 IoC)
  flow  pid   process
  6     1248  EQNEDT32.EXE
  Equation Editor has no legitimate reason to touch the network. The request comes from the same pid that then writes to and starts C:\Users\Public\vbc.exe (see Executes dropped EXE and WriteProcessMemory below), i.e. the exploit fetching the dropper.

Executes dropped EXE (2 IoCs)
  pid   process
  388   vbc.exe
  1580  vbc.exe

Loads dropped DLL (4 IoCs)
  pid   process       count
  1248  EQNEDT32.EXE  4

Uses the VBS compiler for execution (1 TTP)
  Name-based only: C:\Users\Public\vbc.exe is the dropped payload (hashes under Downloads), not the Visual Basic compiler shipped with the .NET Framework. Treat it as a dropper masquerading by file name, not as living-off-the-land use of the real vbc.exe.

Suspicious use of SetThreadContext (3 IoCs)
  pid   process      target pid  target process
  388   vbc.exe      1580        vbc.exe
  1580  vbc.exe      1252        Explorer.EXE
  848   NAPSTAT.EXE  1252        Explorer.EXE

Enumerates system info in registry (2 TTPs, 1 IoC)
  description  ioc                                                                 process
  Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE

Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings (9 IoCs)
  <SID> below stands for S-1-5-21-293278959-2699126792-324916226-1000.
  description      ioc                                                                                                                 process
  Set value (str)  \REGISTRY\USER\<SID>\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"                       EXCEL.EXE
  Key created      \REGISTRY\USER\<SID>\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote                                   EXCEL.EXE
  Set value (str)  \REGISTRY\USER\<SID>\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  EXCEL.EXE
  Set value (int)  \REGISTRY\USER\<SID>\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"                   EXCEL.EXE
  Key created      \REGISTRY\USER\<SID>\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel                         EXCEL.EXE
  Set value (int)  \REGISTRY\USER\<SID>\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"          EXCEL.EXE
  Key created      \REGISTRY\USER\<SID>\Software\Microsoft\Internet Explorer\Toolbar                                                     EXCEL.EXE
  Key created      \REGISTRY\USER\<SID>\Software\Microsoft\Internet Explorer\MenuExt                                                     EXCEL.EXE
  Set value (str)  \REGISTRY\USER\<SID>\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  EXCEL.EXE
  These are Office 2010 registering its own "Send to OneNote" and "Export to Microsoft Excel" IE context-menu handlers (ONBttnIE.dll, EXCEL.EXE) on first run: install noise from the sandbox image, not attacker activity.

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   process
  1096  EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (20 IoCs)
  pid   process      count
  1580  vbc.exe      2
  848   NAPSTAT.EXE  18

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   process      count
  1580  vbc.exe      3
  848   NAPSTAT.EXE  2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  1580  vbc.exe
  Token: SeDebugPrivilege  848   NAPSTAT.EXE

Suspicious use of FindShellTrayWindow (4 IoCs)
  pid   process       count
  1252  Explorer.EXE  4

Suspicious use of SendNotifyMessage (4 IoCs)
  pid   process       count
  1252  Explorer.EXE  4

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   process    count
  1096  EXCEL.EXE  3

Suspicious use of WriteProcessMemory (19 IoCs)
  pid   process       target pid  target process  count
  1248  EQNEDT32.EXE  388         vbc.exe         4
  388   vbc.exe       1580        vbc.exe         7
  1252  Explorer.EXE  848         NAPSTAT.EXE     4
  848   NAPSTAT.EXE   1004        cmd.exe         4
Processes

C:\Windows\Explorer.EXE  [pid 1252]
  cmdline: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE  [pid 1096, child of 1252]
    cmdline: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\TT Payment - 105,272.40.xlsx"
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\NAPSTAT.EXE  [pid 848, child of 1252]
    cmdline: "C:\Windows\SysWOW64\NAPSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  [pid 1004, child of 848]
      cmdline: /c del "C:\Users\Public\vbc.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  [pid 1248]
  cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Users\Public\vbc.exe  [pid 388, child of 1248]
    cmdline: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Public\vbc.exe  [pid 1580, child of 388]
      cmdline: "{path}"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

Read together with the SetThreadContext and WriteProcessMemory rows: EQNEDT32.EXE is COM-activated by the embedded object (the -Embedding switch), which is why it appears as a second root rather than as a child of EXCEL.EXE. It drops and starts vbc.exe (388), which hollows a second copy of itself (1580); that copy injects into Explorer.EXE (1252), which then starts NAPSTAT.EXE (848) and writes the payload into it. NAPSTAT.EXE carries the Formbook runtime behaviour (process enumeration, SeDebugPrivilege) and removes the dropper through cmd.exe (1004).
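Detection logic for this chain over Sysmon-style process-creation records, as an added example that is not part of the sandbox report. EVENTS is constructed from the process tree above (pids from the WriteProcessMemory table); the parents of the two root processes are not in the report and are left as None; the rule names are this example's own.

```python
"""Three process-tree rules for the Equation Editor -> dropper -> hollowing
chain above (added example; EVENTS is built from the report's tree)."""
from dataclasses import dataclass
from typing import Optional
import ntpath
import re


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


EVENTS = [
    ProcEvent(1252, None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(1096, 1252, r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde '
              r'"C:\Users\Admin\AppData\Local\Temp\TT Payment - 105,272.40.xlsx"'),
    # Equation Editor is COM-activated (-Embedding), so its parent is not
    # EXCEL.EXE; the report shows it as a second root for the same reason.
    ProcEvent(1248, None, r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    ProcEvent(388, 1248, r"C:\Users\Public\vbc.exe", r'"C:\Users\Public\vbc.exe"'),
    ProcEvent(1580, 388, r"C:\Users\Public\vbc.exe", r'"{path}"'),
    ProcEvent(848, 1252, r"C:\Windows\SysWOW64\NAPSTAT.EXE", r'"C:\Windows\SysWOW64\NAPSTAT.EXE"'),
    ProcEvent(1004, 848, r"C:\Windows\SysWOW64\cmd.exe", r'/c del "C:\Users\Public\vbc.exe"'),
]

# 'del [switches] <path>' with or without quotes around the path.
DEL_RE = re.compile(r'\bdel\s+(?:/\w+\s+)*"?([^"]+?)"?\s*$', re.IGNORECASE)


def basename(path):
    return ntpath.basename(path).lower()


def chain(events, pid):
    """Image basenames from pid up to its root, innermost first."""
    by_pid = {e.pid: e for e in events}
    out = []
    while pid in by_pid:
        out.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return out


def detect(events):
    """Return (rule, pid, detail) triples."""
    by_pid = {e.pid: e for e in events}
    executed = {e.image.lower() for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # Equation Editor never spawns children legitimately. Keying on the
        # child avoids needing an EXCEL -> EQNEDT32 link that COM activation
        # never produces.
        if parent is not None and basename(parent.image) == "eqnedt32.exe":
            findings.append(("eqnedt32_child", e.pid, e.image))
        # Anything executing out of the world-writable Public profile.
        if e.image.lower().startswith("c:\\users\\public\\"):
            findings.append(("public_dir_exec", e.pid, e.image))
        # cmd.exe deleting a file that ran earlier: dropper clean-up.
        if basename(e.image) == "cmd.exe":
            m = DEL_RE.search(e.cmdline)
            if m and m.group(1).lower() in executed:
                findings.append(("self_delete", e.pid, m.group(1)))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:16} pid={pid:<5} {detail}  via {' <- '.join(chain(EVENTS, pid))}")
```

The first rule is the one to deploy broadly: on any host still carrying EQNEDT32.EXE, a process whose parent is Equation Editor is an exploit, full stop, and it needs no correlation back to the Office process that opened the document.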
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Public\vbc.exe  (recorded seven times, also under \Users\Public\vbc.exe; every entry carries the same hashes)
- MD5: d4982ab3c53ad21f2b1b96f7ae8042d4
- SHA1: 0ecf9f1ab5b44da05a2a39bcb5b397c4ef1343ea
- SHA256: cf18069218b5b834227fa33133f629f24be9c582eeb0caaf0d7641520b1d9748
- SHA512: 2cfdc207d9fc5c22ba420b06bc36fbf3aca4e9b33eb3722bff639c5631445f4c600f66b272b30a7023cb84f46997a7d73fb9a3f7bba8fb00dc88347bb10f5bb2
-
Memory dumps (behavioral1)
  dump                                                             size   yara
  memory/388-11-0x0000000000000000-mapping.dmp                     -
  memory/388-14-0x000000006BA10000-0x000000006C0FE000-memory.dmp   6.9MB
  memory/388-15-0x0000000000110000-0x0000000000111000-memory.dmp   4KB
  memory/388-17-0x0000000004DA0000-0x0000000004DA1000-memory.dmp   4KB
  memory/388-18-0x00000000004A0000-0x00000000004AE000-memory.dmp   56KB
  memory/388-19-0x0000000004F70000-0x0000000004FCD000-memory.dmp   372KB
  memory/848-27-0x0000000000000000-mapping.dmp                     -
  memory/848-29-0x0000000000770000-0x00000000007B6000-memory.dmp   280KB
  memory/848-30-0x0000000000080000-0x00000000000AE000-memory.dmp   184KB  formbook
  memory/848-31-0x0000000002020000-0x0000000002323000-memory.dmp   3.0MB
  memory/848-32-0x0000000001EF0000-0x0000000001F83000-memory.dmp   588KB
  memory/1004-28-0x0000000000000000-mapping.dmp                    -
  memory/1096-2-0x000000002F7A1000-0x000000002F7A4000-memory.dmp   12KB
  memory/1096-3-0x0000000071461000-0x0000000071463000-memory.dmp   8KB
  memory/1096-4-0x000000005FFF0000-0x0000000060000000-memory.dmp   64KB
  memory/1248-5-0x0000000075301000-0x0000000075303000-memory.dmp   8KB
  memory/1252-26-0x00000000040D0000-0x000000000419D000-memory.dmp  820KB
  memory/1252-33-0x0000000006460000-0x0000000006529000-memory.dmp  804KB
  memory/1452-6-0x000007FEF7500000-0x000007FEF777A000-memory.dmp   2.5MB
  memory/1580-20-0x0000000000400000-0x000000000042E000-memory.dmp  184KB  formbook
  memory/1580-21-0x000000000041EB60-mapping.dmp                    -      formbook
  memory/1580-24-0x00000000009A0000-0x0000000000CA3000-memory.dmp  3.0MB
  memory/1580-25-0x0000000000280000-0x0000000000294000-memory.dmp  80KB
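Cross-checking the dump listing, as an added example that is not part of the sandbox report. LISTING is the table above copied into "name size" form and YARA_HITS are the three dumps tagged by the Formbook Payload signature; the rounding rule in human() (binary units, whole KB below 1 MiB, one-decimal MB above) is inferred from the reported values and is an assumption about the tool, not something it documents.

```python
"""Parse 'memory/<pid>-<idx>-0x<start>[-0x<end>-memory|-mapping].dmp' names,
verify the reported sizes, and relate the YARA-tagged regions to each other
(added example; LISTING is the report's table in compact form)."""
import re

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$"
)

LISTING = """
memory/388-11-0x0000000000000000-mapping.dmp -
memory/388-14-0x000000006BA10000-0x000000006C0FE000-memory.dmp 6.9MB
memory/388-15-0x0000000000110000-0x0000000000111000-memory.dmp 4KB
memory/388-17-0x0000000004DA0000-0x0000000004DA1000-memory.dmp 4KB
memory/388-18-0x00000000004A0000-0x00000000004AE000-memory.dmp 56KB
memory/388-19-0x0000000004F70000-0x0000000004FCD000-memory.dmp 372KB
memory/848-27-0x0000000000000000-mapping.dmp -
memory/848-29-0x0000000000770000-0x00000000007B6000-memory.dmp 280KB
memory/848-30-0x0000000000080000-0x00000000000AE000-memory.dmp 184KB
memory/848-31-0x0000000002020000-0x0000000002323000-memory.dmp 3.0MB
memory/848-32-0x0000000001EF0000-0x0000000001F83000-memory.dmp 588KB
memory/1004-28-0x0000000000000000-mapping.dmp -
memory/1096-2-0x000000002F7A1000-0x000000002F7A4000-memory.dmp 12KB
memory/1096-3-0x0000000071461000-0x0000000071463000-memory.dmp 8KB
memory/1096-4-0x000000005FFF0000-0x0000000060000000-memory.dmp 64KB
memory/1248-5-0x0000000075301000-0x0000000075303000-memory.dmp 8KB
memory/1252-26-0x00000000040D0000-0x000000000419D000-memory.dmp 820KB
memory/1252-33-0x0000000006460000-0x0000000006529000-memory.dmp 804KB
memory/1452-6-0x000007FEF7500000-0x000007FEF777A000-memory.dmp 2.5MB
memory/1580-20-0x0000000000400000-0x000000000042E000-memory.dmp 184KB
memory/1580-21-0x000000000041EB60-mapping.dmp -
memory/1580-24-0x00000000009A0000-0x0000000000CA3000-memory.dmp 3.0MB
memory/1580-25-0x0000000000280000-0x0000000000294000-memory.dmp 80KB
"""

YARA_HITS = [
    "memory/1580-20-0x0000000000400000-0x000000000042E000-memory.dmp",
    "memory/1580-21-0x000000000041EB60-mapping.dmp",
    "memory/848-30-0x0000000000080000-0x00000000000AE000-memory.dmp",
]


def parse_listing(text):
    """Return {name: {pid, idx, start, end, reported}}; end is None for mapping dumps."""
    rows = {}
    for line in text.strip().splitlines():
        name, reported = line.split()
        m = DUMP_RE.match(name)
        if m is None:
            raise ValueError(f"unrecognised dump name: {name}")
        rows[name] = {
            "pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": int(m["start"], 16),
            "end": int(m["end"], 16) if m["end"] else None,
            "reported": None if reported == "-" else reported,
        }
    return rows


def human(nbytes):
    """Assumed report formatting: whole KiB below 1 MiB, one-decimal MiB above."""
    if nbytes < 1 << 20:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1 << 20):.1f}MB"


def size_mismatches(rows):
    """Region dumps whose reported size disagrees with end - start."""
    return [n for n, r in rows.items()
            if r["end"] is not None and human(r["end"] - r["start"]) != r["reported"]]


def region_containing(rows, pid, addr):
    """Name of the region dump of `pid` that covers `addr`, or None."""
    for n, r in rows.items():
        if r["pid"] == pid and r["end"] is not None and r["start"] <= addr < r["end"]:
            return n
    return None


def payload_sizes(rows, hits):
    """Byte extent of each tagged region dump (mapping dumps have no extent)."""
    return {n: rows[n]["end"] - rows[n]["start"] for n in hits if rows[n]["end"] is not None}


if __name__ == "__main__":
    rows = parse_listing(LISTING)
    print("size mismatches:", size_mismatches(rows))
    print("tagged regions:", {n: hex(s) for n, s in payload_sizes(rows, YARA_HITS).items()})
    print("0x41EB60 lies in:", region_containing(rows, 1580, 0x41EB60))
```

Two things fall out. Both tagged region dumps are exactly 0x2E000 bytes: the same unpacked Formbook image sits at 0x400000 (the default 32-bit PE base, i.e. the hollowed vbc.exe's own image slot) in pid 1580 and at 0x80000 in NAPSTAT.EXE, so one dump is enough for static work and the other confirms the injection target. And the 1580-21 mapping at 0x41EB60 falls inside the 1580-20 region, consistent with the 388 -> 1580 SetThreadContext row pointing the hollowed process's thread into the new image.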