Analysis
-
max time kernel: 146s
max time network: 145s
platform: windows7_x64
resource: win7v20201028
submitted: 19-01-2021 06:03
Static task: static1
Behavioral task: behavioral1 (Sample: Pre-order.xlsx, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: Pre-order.xlsx, Resource: win10v20201028)
General
-
Target: Pre-order.xlsx
Size: 2.2MB
MD5: ff38cf4d7025c0a5be3d81ac520c498b
SHA1: 2ad3bf55a7ac4c636ecdf1b703d46afd190b9525
SHA256: cadb48c6d6cb9a5806bb74899c4837916538e2b9257dcc0f28640cc8179fd391
SHA512: 039351f7634ef17c18047c4f1e4fa2be2e71660f814019c014e69900f3a4fcc4c9153a1656d4e1ae15ad5203a2db5a2679922fe6716a1ccfef316b1a7217a0f9
Malware Config
-
Extracted: formbook
C2 URL: http://www.douzhuan168.com/o8na/
Decoy / config domains (extracted from the sample):
Signatures
-
Xloader Payload 4 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/288-16-0x0000000000400000-0x0000000000428000-memory.dmp    xloader
  behavioral1/memory/288-17-0x000000000041D040-mapping.dmp                      xloader
  behavioral1/memory/552-20-0x0000000000220000-0x000000000024A000-memory.dmp    xloader
  behavioral1/memory/1604-30-0x0000000000080000-0x00000000000A8000-memory.dmp   xloader
-
Blocklisted process makes network request 1 IoCs
Processes:
  flow  pid  process
  6     316  EQNEDT32.EXE
-
Executes dropped EXE 2 IoCs
Processes:
  pid  process
  552  vbc.exe
  288  vbc.exe
-
Processes:
  resource                  yara_rule
  \Users\Public\vbc.exe     upx
  \Users\Public\vbc.exe     upx
  \Users\Public\vbc.exe     upx
  \Users\Public\vbc.exe     upx
  \Users\Public\vbc.exe     upx
  C:\Users\Public\vbc.exe   upx
  C:\Users\Public\vbc.exe   upx
  C:\Users\Public\vbc.exe   upx
-
Loads dropped DLL 5 IoCs
Processes:
  pid  process
  316  EQNEDT32.EXE
  316  EQNEDT32.EXE
  316  EQNEDT32.EXE
  316  EQNEDT32.EXE
  316  EQNEDT32.EXE
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
  description                          pid   process      target process
  PID 552 set thread context of 288    552   vbc.exe      vbc.exe
  PID 288 set thread context of 1200   288   vbc.exe      Explorer.EXE
  PID 288 set thread context of 1200   288   vbc.exe      Explorer.EXE
  PID 1604 set thread context of 1200  1604  wlanext.exe  Explorer.EXE
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
  description  ioc                                                                    process
  Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor   EXCEL.EXE
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings
Processes:
  description      ioc                                                                                                                                                                    process
  Key created      \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt                                                                EXCEL.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"   EXCEL.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"                      EXCEL.EXE
  Key created      \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar                                                                EXCEL.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"                                   EXCEL.EXE
  Key created      \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote                                               EXCEL.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"   EXCEL.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"                               EXCEL.EXE
  Key created      \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel                                     EXCEL.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid  process
  384  EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
Processes:
  pid   process
  288   vbc.exe      (3 identical events)
  1604  wlanext.exe  (24 identical events)
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
  pid   process
  288   vbc.exe      (4 identical events)
  1604  wlanext.exe  (2 identical events)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description                 pid   process
  Token: SeDebugPrivilege     288   vbc.exe
  Token: SeShutdownPrivilege  1200  Explorer.EXE
  Token: SeDebugPrivilege     1604  wlanext.exe
-
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
  pid   process
  1200  Explorer.EXE  (4 identical events)
-
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
  pid   process
  1200  Explorer.EXE  (4 identical events)
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
  pid  process
  384  EXCEL.EXE  (3 identical events)
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
  description                         pid   process       target process
  PID 316 wrote to memory of 552      316   EQNEDT32.EXE  vbc.exe       (4 identical events)
  PID 552 wrote to memory of 288      552   vbc.exe       vbc.exe       (7 identical events)
  PID 288 wrote to memory of 1604     288   vbc.exe       wlanext.exe   (4 identical events)
  PID 1604 wrote to memory of 1708    1604  wlanext.exe   cmd.exe       (4 identical events)
Processes
-
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1200
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Pre-order.xlsx
    PID: 384
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  PID: 316
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Users\Public\vbc.exe
    Command line: "C:\Users\Public\vbc.exe"
    PID: 552
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Public\vbc.exe
      Command line: "C:\Users\Public\vbc.exe"
      PID: 288
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\wlanext.exe
        Command line: "C:\Windows\SysWOW64\wlanext.exe"
        PID: 1604
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
          Command line: /c del "C:\Users\Public\vbc.exe"
          PID: 1708
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Public\vbc.exe
  MD5: f0f1a843b50f76e7236cc32dedf1d65d
  SHA1: f84f30a93355d46bbdbebfedc760188879b6db0b
  SHA256: 3ed3126cfc3094e0f1a5736369cc55f68feb9bf6c9e31ba6e00e36f11917bc18
  SHA512: f856db58b39aacbc858a248a7352ee20e63ac3a50966ebb9a95bcacad6221d98eff7a8f4024fae08badfc45396a7312a8bf70e69e5802777b7e34ef6e48342a2
-
-
memory/288-16-0x0000000000400000-0x0000000000428000-memory.dmp  Filesize: 160KB
memory/288-17-0x000000000041D040-mapping.dmp
memory/288-25-0x0000000000480000-0x0000000000490000-memory.dmp  Filesize: 64KB
memory/288-22-0x0000000000700000-0x0000000000A03000-memory.dmp  Filesize: 3.0MB
memory/288-23-0x00000000003E0000-0x00000000003F0000-memory.dmp  Filesize: 64KB
memory/316-5-0x0000000076241000-0x0000000076243000-memory.dmp  Filesize: 8KB
memory/384-2-0x000000002FFA1000-0x000000002FFA4000-memory.dmp  Filesize: 12KB
memory/384-4-0x000000005FFF0000-0x0000000060000000-memory.dmp  Filesize: 64KB
memory/384-3-0x0000000071281000-0x0000000071283000-memory.dmp  Filesize: 8KB
memory/520-6-0x000007FEF7300000-0x000007FEF757A000-memory.dmp  Filesize: 2.5MB
memory/552-12-0x0000000000000000-mapping.dmp
memory/552-19-0x0000000000020000-0x0000000000040000-memory.dmp  Filesize: 128KB
memory/552-20-0x0000000000220000-0x000000000024A000-memory.dmp  Filesize: 168KB
memory/552-14-0x0000000005100000-0x0000000005111000-memory.dmp  Filesize: 68KB
memory/1200-26-0x0000000004F60000-0x00000000050C6000-memory.dmp  Filesize: 1.4MB
memory/1200-24-0x00000000042E0000-0x0000000004421000-memory.dmp  Filesize: 1.3MB
memory/1200-33-0x0000000009150000-0x00000000092DD000-memory.dmp  Filesize: 1.6MB
memory/1604-27-0x0000000000000000-mapping.dmp
memory/1604-30-0x0000000000080000-0x00000000000A8000-memory.dmp  Filesize: 160KB
memory/1604-31-0x0000000001EE0000-0x00000000021E3000-memory.dmp  Filesize: 3.0MB
memory/1604-29-0x00000000000C0000-0x00000000000D6000-memory.dmp  Filesize: 88KB
memory/1604-32-0x0000000001C10000-0x0000000001C9F000-memory.dmp  Filesize: 572KB
memory/1708-28-0x0000000000000000-mapping.dmp