Analysis

max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7v20201028
submitted: 19-01-2021 06:04
Static task: static1

Behavioral task: behavioral1
  Sample: RFQ ORDER LIST.xlsx
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: RFQ ORDER LIST.xlsx
  Resource: win10v20201028
General

Target: RFQ ORDER LIST.xlsx
Size: 2.4MB
MD5: 7046895bf66247768d0ea01820e10bd7
SHA1: 6a8dd66b8cb3a4abff011d80c2ce92cae5376a76
SHA256: 04565d469f7088f9fb122dd3b42274a84bdc1650156a815420381ef770e4373e
SHA512: 9ee04cae283b8f5edc7cfd14afe82f62266db71c8a1d8ce131b90b1832b17f02ba624caac95e1148b6b5265dcbd76e3130d90c238152adae5efb435ad49010a2
Malware Config

Extracted: formbook
http://www.hitchhikerfab.com/qjnt/
Signatures

Xloader Payload (4 IoCs)
resource                                                                     yara_rule
behavioral1/memory/1152-16-0x0000000000400000-0x0000000000428000-memory.dmp  xloader
behavioral1/memory/1152-17-0x000000000041D030-mapping.dmp                    xloader
behavioral1/memory/1132-20-0x00000000002B0000-0x00000000002DA000-memory.dmp  xloader
behavioral1/memory/792-29-0x00000000000C0000-0x00000000000E8000-memory.dmp   xloader
Blocklisted process makes network request (1 IoC)
flow  pid   process
7     1704  EQNEDT32.EXE
Executes dropped EXE (2 IoCs)
pid   process
1132  vbc.exe
1152  vbc.exe
resource                 yara_rule
\Users\Public\vbc.exe    upx  (5 matches)
C:\Users\Public\vbc.exe  upx  (3 matches)
Loads dropped DLL (5 IoCs)
pid   process
1704  EQNEDT32.EXE  (5 occurrences)
Uses the VBS compiler for execution (1 TTP)
Suspicious use of SetThreadContext (3 IoCs)
description                          pid   process       target process
PID 1132 set thread context of 1152  1132  vbc.exe       vbc.exe
PID 1152 set thread context of 1256  1152  vbc.exe       Explorer.EXE
PID 792 set thread context of 1256   792   rundll32.exe  Explorer.EXE
Enumerates system info in registry (2 TTPs, 1 IoC)
description  ioc                                                                   process
Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE
Launches Equation Editor (1 TTP, 1 IoC)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
All keys below are under \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer; the process is EXCEL.EXE in every row.
description      ioc
Key created      MenuExt\Se&nd to OneNote
Set value (str)  MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
Set value (str)  MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
Set value (int)  MenuExt\E&xport to Microsoft Excel\Contexts = "1"
Key created      Toolbar
Key created      MenuExt
Key created      MenuExt\E&xport to Microsoft Excel
Set value (str)  Toolbar\ShowDiscussionButton = "Yes"
Set value (int)  MenuExt\Se&nd to OneNote\Contexts = "55"
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid   process
1096  EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (29 IoCs)
pid   process
1152  vbc.exe       (2 occurrences)
792   rundll32.exe  (27 occurrences)
Suspicious behavior: MapViewOfSection (5 IoCs)
pid   process
1152  vbc.exe       (3 occurrences)
792   rundll32.exe  (2 occurrences)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   process
Token: SeDebugPrivilege  1152  vbc.exe
Token: SeDebugPrivilege  792   rundll32.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
pid   process
1256  Explorer.EXE  (4 occurrences)
Suspicious use of SendNotifyMessage (4 IoCs)
pid   process
1256  Explorer.EXE  (4 occurrences)
Suspicious use of SetWindowsHookEx (3 IoCs)
pid   process
1096  EXCEL.EXE  (3 occurrences)
Suspicious use of WriteProcessMemory (22 IoCs)
description                      pid   process       target process  occurrences
PID 1704 wrote to memory of 1132 1704  EQNEDT32.EXE  vbc.exe         4
PID 1132 wrote to memory of 1152 1132  vbc.exe       vbc.exe         7
PID 1256 wrote to memory of 792  1256  Explorer.EXE  rundll32.exe    7
PID 792 wrote to memory of 1604  792   rundll32.exe  cmd.exe         4
Processes

C:\Windows\Explorer.EXE  (PID 1256)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE  (PID 1096)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\RFQ ORDER LIST.xlsx"
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\rundll32.exe  (PID 792)
    Command line: "C:\Windows\SysWOW64\rundll32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 1604)
      Command line: /c del "C:\Users\Public\vbc.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  (PID 1704)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Users\Public\vbc.exe  (PID 1132)
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Public\vbc.exe  (PID 1152)
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Public\vbc.exe (recorded eight times, also under the path \Users\Public\vbc.exe; the same file and hashes in every entry)
MD5: 4755bdfa1fb87c626856b33c48419201
SHA1: c174cf847aa3e0a06128626c13608a3a5421e0f4
SHA256: d81f4b6a0b8650415e2c2acfe4ee223f6826b3b6849393f4de2db4f3a814beaf
SHA512: d7e982eb367ee0813dcdb92604f3f444c88603dc1aa6c5c14d397d7a43dfbedc7ee9280b3674a8715c4cab8c24176f4efa24d5cf206596b5e21cdc40c467c5ca
Memory dumps
name                                                              filesize
memory/792-30-0x0000000002080000-0x0000000002383000-memory.dmp    3.0MB
memory/792-28-0x00000000000B0000-0x00000000000BE000-memory.dmp    56KB
memory/792-31-0x0000000001D40000-0x0000000001DCF000-memory.dmp    572KB
memory/792-25-0x0000000000000000-mapping.dmp                      (mapping only)
memory/792-29-0x00000000000C0000-0x00000000000E8000-memory.dmp    160KB
memory/1096-4-0x000000005FFF0000-0x0000000060000000-memory.dmp    64KB
memory/1096-2-0x000000002F371000-0x000000002F374000-memory.dmp    12KB
memory/1096-3-0x0000000071B21000-0x0000000071B23000-memory.dmp    8KB
memory/1132-12-0x0000000000000000-mapping.dmp                     (mapping only)
memory/1132-14-0x0000000004DF0000-0x0000000004E01000-memory.dmp   68KB
memory/1132-19-0x0000000000020000-0x0000000000040000-memory.dmp   128KB
memory/1132-20-0x00000000002B0000-0x00000000002DA000-memory.dmp   168KB
memory/1152-16-0x0000000000400000-0x0000000000428000-memory.dmp   160KB
memory/1152-22-0x0000000000840000-0x0000000000B43000-memory.dmp   3.0MB
memory/1152-23-0x0000000000290000-0x00000000002A0000-memory.dmp   64KB
memory/1152-17-0x000000000041D030-mapping.dmp                     (mapping only)
memory/1216-6-0x000007FEF8040000-0x000007FEF82BA000-memory.dmp    2.5MB
memory/1256-24-0x0000000004060000-0x000000000412C000-memory.dmp   816KB
memory/1256-32-0x0000000006340000-0x000000000645F000-memory.dmp   1.1MB
memory/1604-27-0x0000000000000000-mapping.dmp                     (mapping only)
memory/1704-5-0x0000000075711000-0x0000000075713000-memory.dmp    8KB