Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
18-01-2021 07:26
Static task
static1
Behavioral task
behavioral1
Sample
arrival_notice.xlsx
Resource
win7v20201028
Behavioral task
behavioral2
Sample
arrival_notice.xlsx
Resource
win10v20201028
General
-
Target
arrival_notice.xlsx
-
Size
2.4MB
-
MD5
7391442ae2a0d3ae6df6f7552f73b753
-
SHA1
b7b24c1de89b767235b20c0574bd3fccea7a3061
-
SHA256
f535ff7416a31c3f067b61aea08aab08006eaf2dd790dcfc89c05a1f6343f17b
-
SHA512
aed9b9610a3b14ea2e393ebab73e7f6f9af1aaa9e8264496f0efdc39680a7ca2f7482e926544a12075be20e1de7fb56107f2215004c041e1ea03e61ef1958205
Malware Config
Extracted
Family: formbook
C2: http://www.inreachpt.com/gqx2/
Decoy domains (FormBook beacons to a random subset of these alongside the real C2, so on their own they are low-confidence indicators):
calusaptamiami.com
starlinkwebservices.com
lakeviewbarbershonola.com
oaklandraidersjerseyspop.com
ohiotechreport.com
eligetucafetera.com
tu4343.com
abstract-elearning.com
thebabylashes.com
athleteshive.com
fanninhomesforless.com
sembracna.com
servicesyn.com
bellairechoice.com
tmpaas.com
eyepaa.com
stickerzblvd.com
rentfs.com
nadya-shanab.com
microwgreens.net
overnaut.net
edwinstowingservices.com
bonus189.space
xn--wgbp0b73b.com
trijjadigital.com
libraspeed.com
theofficialtoluwani.com
podborauto.pro
qyhualin.com
prayerswithmary.com
donboscohistorycorner.com
enlightenedsoil.com
osteopathegagny.com
lookingglassland.com
maglex.info
foxandgraceboutique.com
yourinfluencecoach.com
com-cancel-payment-id655.com
ppspiaggio.com
dbsadv.com
teamworkdash.com
washington-election-2020.info
creativehighagency.com
artisthenewmeditation.com
qsgasia.com
unseen-vision.com
beepybox.online
shaffglowing.com
teacher-retirement-info.info
muabandatdonganh.com
shuhan.design
5200853.com
shengmixiaoji.net
spiderofthesea.com
scionoflewisville.com
tpcvirtual.com
zhjiaxiang.com
thefanexam.com
kimscraftyresale.com
housvest.com
bukmyhotel.com
lacaverne.ovh
investorspredict.com
quicklogosireland.com
Signatures
-
Xloader Payload 3 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1512-19-0x000000000041D070-mapping.dmp                     xloader
  behavioral1/memory/1512-18-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
  behavioral1/memory/1508-37-0x00000000000F0000-0x0000000000119000-memory.dmp   xloader
-
Blocklisted process makes network request 1 IoCs
Processes:
  flow  pid   process
  6     1968  EQNEDT32.EXE
-
Executes dropped EXE 2 IoCs
Processes:
  pid   process
  556   vbc.exe
  1512  vbc.exe
-
Loads dropped DLL 9 IoCs
Processes:
  pid   process
  1968  EQNEDT32.EXE  (4 entries)
  1228  WerFault.exe  (5 entries)
-
Uses the VBS compiler for execution 1 TTPs
The process behind this hit is C:\Users\Public\vbc.exe, a file dropped during the run and launched by EQNEDT32.EXE (hashes under Downloads), not the Visual Basic compiler shipped in the .NET Framework directory; the signature keys on the file name, so check the hash before treating this as use of the real compiler.
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
  description                          pid   process    target process
  PID 556 set thread context of 1512   556   vbc.exe    vbc.exe
  PID 1512 set thread context of 1252  1512  vbc.exe    Explorer.EXE
  PID 1508 set thread context of 1252  1508  cmstp.exe  Explorer.EXE
-
Program crash 1 IoCs
Processes:
  pid   pid_target  process       target process
  1228  556         WerFault.exe  vbc.exe
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
  description  ioc                                                                   process
  Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor (EQNEDT32.EXE) is the legacy Equation Editor 3.0 component that Office hosts out-of-process over OLE; it was the target of memory-corruption exploits such as CVE-2017-11882 and was removed from Office by the January 2018 security updates. In this run it is started with -Embedding, makes the network request flagged above and launches C:\Users\Public\vbc.exe, which is the chain expected when an embedded Equation object carries an exploit that drops and runs a payload; the report itself does not identify which exploit was used.
-
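A static check that complements the behavioural signature above: does a workbook carry an embedded OLE object that targets Equation Editor 3.0? This is an added example, not part of the sandbox report, and it does not operate on arrival_notice.xlsx (the file is not available here); the workbook it scans is constructed inline. The Equation.3 CLSID {0002CE02-0000-0000-C000-000000000046}, the OLE compound-file magic and the "Equation Native" stream name are public constants. It uses only the Python standard library; for real triage use oletools (oleid, oleobj), which parse the OLE container properly.

```python
"""Static triage of an .xlsx for an embedded Equation Editor 3.0 OLE object.

Added example (not from the report); stdlib only, runs offline.  The sample
workbook built below is constructed and is not arrival_notice.xlsx.
"""
import io
import re
import uuid
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"            # compound-file header
EQUATION3_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le  # on-disk byte order
EQUATION_NATIVE = "Equation Native".encode("utf-16-le")    # MTEF stream name in the OLE directory
PROGID_RE = re.compile(rb'progid="(equation\.[^"]*)"', re.IGNORECASE)  # sheet XML / VML OLEObject


def scan_xlsx(data: bytes) -> dict:
    """Map each suspicious zip part to the Equation Editor markers it carries.

    Only OOXML (.xlsx/.xlsm) is handled.  An empty result means no embedded part
    looked like an Equation.3 object, not that the workbook is clean.
    """
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            markers = []
            if name.startswith("xl/embeddings/"):
                if blob.startswith(OLE_MAGIC):
                    markers.append("ole-compound-file")
                if EQUATION3_CLSID in blob:
                    markers.append("clsid-equation.3")
                if EQUATION_NATIVE in blob:
                    markers.append("stream-equation-native")
            elif name.endswith((".xml", ".vml", ".rels")):
                for progid in PROGID_RE.findall(blob):
                    markers.append("progid-" + progid.decode("ascii", "replace").lower())
            if markers:
                hits[name] = markers
    return hits


def equation_verdict(hits: dict) -> bool:
    """True when any part carries a marker specific to Equation Editor 3.0."""
    specific = {"clsid-equation.3", "stream-equation-native", "progid-equation.3"}
    return any(specific & set(markers) for markers in hits.values())


def build_sample(with_equation: bool) -> bytes:
    """Constructed minimal workbook (assumption: not the real sample).

    The OLE part is a stub carrying only the markers the scanner keys on; a real
    Equation object is a full compound file with a directory, an ObjInfo stream
    and the MTEF payload.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_equation:
            zf.writestr("xl/worksheets/_rels/sheet1.xml.rels",
                        '<Relationships><Relationship Id="rId1" '
                        'Target="../embeddings/oleObject1.bin"/></Relationships>')
            zf.writestr("xl/drawings/vmlDrawing1.vml",
                        '<xml><o:OLEObject Type="Embed" ProgID="Equation.3" ObjectID="_1"/></xml>')
            ole = OLE_MAGIC + b"\x00" * 504 + EQUATION3_CLSID + b"\x00" * 16 + EQUATION_NATIVE
            zf.writestr("xl/embeddings/oleObject1.bin", ole)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("benign", False), ("equation-object", True)):
        hits = scan_xlsx(build_sample(flag))
        print(label, "->", "EQUATION OBJECT" if equation_verdict(hits) else "no hit", hits)
```

The three OLE markers are deliberately independent: a packager or Word object is also a compound file but carries neither the Equation.3 CLSID nor an "Equation Native" stream, so only the CLSID, stream-name and ProgID markers drive the verdict. Legacy .xls carriers (and RTF/DOCX, where the object sits in a different container) need a different parser.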
Modifies Internet Explorer settings 9 IoCs
These are Office's own Internet Explorer integration entries ("Send to OneNote", "Export to Microsoft Excel"), written when the Office 2010 install in the sandbox runs Excel for the first time; they are not attacker activity.
Processes:
  description      ioc                                                                                                                                                     process
  Key created      \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar                                                EXCEL.EXE
  Key created      \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt                                                EXCEL.EXE
  Key created      \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote                               EXCEL.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  EXCEL.EXE
  Key created      \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel                     EXCEL.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  EXCEL.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"      EXCEL.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"                   EXCEL.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"               EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid   process
  2032  EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes:
  pid   process
  1512  vbc.exe       (2 entries)
  1228  WerFault.exe  (6 entries)
  1508  cmstp.exe     (27 entries)
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
  pid   process
  1512  vbc.exe    (3 entries)
  1508  cmstp.exe  (2 entries)
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  description                 pid   process
  Token: SeDebugPrivilege     1512  vbc.exe
  Token: SeDebugPrivilege     1228  WerFault.exe
  Token: SeShutdownPrivilege  1252  Explorer.EXE
  Token: SeDebugPrivilege     1508  cmstp.exe
-
Suspicious use of FindShellTrayWindow 6 IoCs
Processes:
  pid   process
  1252  Explorer.EXE  (6 entries)
-
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
  pid   process
  1252  Explorer.EXE  (4 entries)
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
  pid   process
  2032  EXCEL.EXE  (5 entries)
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
  description                       pid   process       target process
  PID 1968 wrote to memory of 556   1968  EQNEDT32.EXE  vbc.exe       (4 entries)
  PID 556 wrote to memory of 1512   556   vbc.exe       vbc.exe       (7 entries)
  PID 1252 wrote to memory of 1508  1252  Explorer.EXE  cmstp.exe     (7 entries)
  PID 556 wrote to memory of 1228   556   vbc.exe       WerFault.exe  (4 entries)
  PID 1508 wrote to memory of 1108  1508  cmstp.exe     cmd.exe       (4 entries)
Processes
-
C:\Windows\Explorer.EXE  (depth 1, pid 1252)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE  (depth 2, pid 2032)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\arrival_notice.xlsx
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\cmstp.exe  (depth 2, pid 1508)
    Command line: "C:\Windows\SysWOW64\cmstp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (depth 3, pid 1108)
      Command line: /c del "C:\Users\Public\vbc.exe"
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  (depth 1, pid 1968)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Users\Public\vbc.exe  (depth 2, pid 556)
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Public\vbc.exe  (depth 3, pid 1512)
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe  (depth 3, pid 1228)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 848
      - Loads dropped DLL
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
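The tree above is the whole FormBook chain in five parent/child relationships: Equation Editor spawning a child, a binary running out of C:\Users\Public, vbc.exe spawning a second vbc.exe that it then SetThreadContexts (hollowing), Explorer launching cmstp.exe with no arguments after being injected into, and cmd.exe deleting the dropper. The following detection logic is an added example, not the sandbox's own signature engine: it runs those five rules over constructed Sysmon-style process-creation records that mirror the tree (pids and command lines taken from this report; EQNEDT32.EXE's parent is not shown in the report and is left unknown). The USER_WRITABLE and ARGLESS_LOLBINS lists are assumptions to extend for your environment.

```python
"""Process-tree detections for the execution chain in this report.

Added example (not the sandbox's own logic).  EVENTS are constructed
Sysmon-style process-creation records that mirror the tree above; the rule
set and the ARGLESS_LOLBINS / USER_WRITABLE lists are assumptions to tune.
"""
import re

# EQNEDT32.EXE is started out-of-process by DCOM ("-Embedding"); the report does
# not show its parent, so ppid=None marks that as unknown.
EVENTS = [
    {"pid": 1252, "ppid": None, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 2032, "ppid": 1252,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde '
                r"C:\Users\Admin\AppData\Local\Temp\arrival_notice.xlsx"},
    {"pid": 1968, "ppid": None,
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"pid": 556, "ppid": 1968, "image": r"C:\Users\Public\vbc.exe",
     "cmdline": r'"C:\Users\Public\vbc.exe"'},
    {"pid": 1512, "ppid": 556, "image": r"C:\Users\Public\vbc.exe",
     "cmdline": r'"C:\Users\Public\vbc.exe"'},
    {"pid": 1228, "ppid": 556, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 848"},
    {"pid": 1508, "ppid": 1252, "image": r"C:\Windows\SysWOW64\cmstp.exe",
     "cmdline": r'"C:\Windows\SysWOW64\cmstp.exe"'},
    {"pid": 1108, "ppid": 1508, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Users\Public\vbc.exe"'},
]

# Assumed lists: directories any user can write to, and system binaries that
# need an argument in legitimate use (cmstp.exe wants an .inf file).
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\local\\temp\\", "\\appdata\\roaming\\")
ARGLESS_LOLBINS = {"cmstp.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe"}
DEL_RE = re.compile(r'\bdel\b\s+"?([^"\s]+)"?', re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _args_after_image(ev: dict) -> str:
    """Command line with the (possibly quoted) image path stripped off."""
    cmdline = ev["cmdline"].strip()
    for prefix in ('"' + ev["image"] + '"', ev["image"]):
        if cmdline.lower().startswith(prefix.lower()):
            return cmdline[len(prefix):].strip()
    return cmdline  # logged without the image path (cmd.exe above)


def detect(events: list) -> list:
    """Return (rule, pid, image basename) for every event that matches a rule."""
    by_pid = {ev["pid"]: ev for ev in events}
    executed = {ev["image"].lower() for ev in events}
    findings = []
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        base = _basename(ev["image"])
        pbase = _basename(parent["image"]) if parent else ""
        image = ev["image"].lower()
        # 1. Equation Editor renders objects; it has no business spawning anything.
        if pbase == "eqnedt32.exe":
            findings.append(("equation-editor-spawned-child", ev["pid"], base))
        # 2. Executable started from a user-writable drop location.
        if any(marker in image for marker in USER_WRITABLE):
            findings.append(("executable-in-user-writable-path", ev["pid"], base))
        # 3. Same image spawning itself: the hollowing pattern behind the SetThreadContext IoCs.
        if parent and parent["image"].lower() == image:
            findings.append(("self-spawn-possible-hollowing", ev["pid"], base))
        # 4. Explorer launching a system binary with no arguments (post-injection stage).
        if pbase == "explorer.exe" and base in ARGLESS_LOLBINS and not _args_after_image(ev):
            findings.append(("explorer-spawned-lolbin-without-args", ev["pid"], base))
        # 5. cmd.exe deleting a binary that already executed in this tree (dropper clean-up).
        if base == "cmd.exe":
            for target in DEL_RE.findall(ev["cmdline"]):
                if target.lower() in executed:
                    findings.append(("deletes-previously-executed-binary", ev["pid"], base))
    return findings


if __name__ == "__main__":
    for rule, pid, image in detect(EVENTS):
        print(f"{rule:40} pid={pid:<5} {image}")
```

Rule 4 is the one worth tuning: Explorer legitimately launches many things, so the allow-list of binaries that never run without arguments is what keeps it quiet; rule 5 needs the tree context (a prior execution of the same path) and is much noisier as a bare "cmd /c del" match.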
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Public\vbc.exe
MD5 3096a3c81ff6c435ded33765f5f10be1
SHA1 a481af4cfdf065c318656284af26546e4d69f9f1
SHA256 083210286a8bfd2e1cbd05ae990725c8d41c4a6b3bdf71c8325b9cb11781a1aa
SHA512 7500f636b064d2fea3835c06845244815da35b9b9b2ca1054c317cc38b6e85c097857dbca0e25d6a68bbef047f4c858f53fa4191f20f0583417ecee66055e6df
-
\Users\Public\vbc.exe
MD5 3096a3c81ff6c435ded33765f5f10be1
SHA1 a481af4cfdf065c318656284af26546e4d69f9f1
SHA256 083210286a8bfd2e1cbd05ae990725c8d41c4a6b3bdf71c8325b9cb11781a1aa
SHA512 7500f636b064d2fea3835c06845244815da35b9b9b2ca1054c317cc38b6e85c097857dbca0e25d6a68bbef047f4c858f53fa4191f20f0583417ecee66055e6df
-
-
memory/556-11-0x0000000000000000-mapping.dmp
memory/556-16-0x0000000001F90000-0x0000000001FE6000-memory.dmp  Filesize 344KB
memory/556-17-0x00000000004D0000-0x00000000004DF000-memory.dmp  Filesize 60KB
memory/556-14-0x000000006CE70000-0x000000006D55E000-memory.dmp  Filesize 6.9MB
memory/556-21-0x0000000001E60000-0x0000000001E61000-memory.dmp  Filesize 4KB
memory/556-15-0x0000000000820000-0x0000000000821000-memory.dmp  Filesize 4KB
memory/1108-39-0x0000000000000000-mapping.dmp
memory/1228-27-0x0000000002150000-0x0000000002161000-memory.dmp  Filesize 68KB
memory/1228-33-0x0000000000200000-0x0000000000201000-memory.dmp  Filesize 4KB
memory/1228-23-0x0000000000000000-mapping.dmp
memory/1252-41-0x0000000006CE0000-0x0000000006E11000-memory.dmp  Filesize 1.2MB
memory/1252-26-0x0000000006980000-0x0000000006AC6000-memory.dmp  Filesize 1.3MB
memory/1508-34-0x0000000000000000-mapping.dmp
memory/1508-37-0x00000000000F0000-0x0000000000119000-memory.dmp  Filesize 164KB
memory/1508-40-0x0000000000400000-0x0000000000490000-memory.dmp  Filesize 576KB
memory/1508-38-0x0000000002030000-0x0000000002333000-memory.dmp  Filesize 3.0MB
memory/1508-36-0x0000000000380000-0x0000000000398000-memory.dmp  Filesize 96KB
memory/1512-24-0x0000000000B30000-0x0000000000E33000-memory.dmp  Filesize 3.0MB
memory/1512-25-0x0000000000190000-0x00000000001A1000-memory.dmp  Filesize 68KB
memory/1512-18-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize 164KB
memory/1512-19-0x000000000041D070-mapping.dmp
memory/1732-6-0x000007FEF6B90000-0x000007FEF6E0A000-memory.dmp  Filesize 2.5MB
memory/1968-5-0x0000000075C31000-0x0000000075C33000-memory.dmp  Filesize 8KB
memory/2032-2-0x000000002FD61000-0x000000002FD64000-memory.dmp  Filesize 12KB
memory/2032-3-0x0000000071D11000-0x0000000071D13000-memory.dmp  Filesize 8KB
memory/2032-4-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize 64KB