Analysis
-
max time kernel
148s -
max time network
147s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
22-01-2021 07:15
Static task
static1
Behavioral task
behavioral1
Sample
SwiftMT1O3.xlsx
Resource
win7v20201028
Behavioral task
behavioral2
Sample
SwiftMT1O3.xlsx
Resource
win10v20201028
General
-
Target
SwiftMT1O3.xlsx
-
Size
2.4MB
-
MD5
01a88cf9ab93b715387c2f3ba777cf6e
-
SHA1
19fad6f30f2b31fec8708a9897c630f8065f61a5
-
SHA256
970c5c7c04d9f838897c5914b840f40c0bf1dbf61503ba093a68552336952345
-
SHA512
2dca7bbb27e320a43d04adc3d118bbb6a2c3ce0494c10a5d39805350d0cea5852b57e354aedc10b8f5d2eec54ece38caeb458d6e536166bb3958764513aba4ba
Malware Config
Extracted
formbook
http://www.huynhanhdung.com/kna/
lawrencefiredepartment.com
executivehomeoffices.com
solfed.world
oshawaexchange.com
webdavlexstore.com
youpieb.com
chiller-master.com
bearstoragetn.com
daf90x16.com
gewhacaalouine.com
simplyezi.com
cstechnologyservices.com
nosyboats.com
thecocomarie.com
vetinaryeco.club
americangoselfilm.com
gdsuhejia.com
verbunden-sein.net
the-minerva.com
loctrantv.com
casualluvonline.com
groups3usa.com
ncdcnow.com
qrastenmap.online
ltjxw.net
crystalblueboating.com
51adcn.com
abrasto.com
smokegas.com
schofieldoutpost.com
sh-ruidiclub.com
zzyxgl.com
qpremodeling.com
ayzvyeco.icu
modestartgallery.com
ref478.com
astutetopshop.com
pinebarrenfarms.com
webprofiji.com
purfect-air.com
transformesuasaude.com
oz-men.com
mpjjpwp.icu
zeinabiohouse.com
shopwaterlemon.com
radiohebron.com
americanheraldnews.com
clinicadentalfika.com
throughthelorgnette.com
carte-diem.com
elderstatesmanarchive.com
nanhulove.com
melonicwater.com
streamingdads.com
indrapandhari.com
dc-prices.com
xstarconnect.com
weninse.com
atlantavirtualmeetings.com
jobhelpseekers.com
freisaq.com
viajeaatenas.com
worldparcel.net
qcc3.com
Signatures
-
Formbook Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1652-20-0x0000000000400000-0x000000000042E000-memory.dmp formbook behavioral1/memory/1652-21-0x000000000041EAB0-mapping.dmp formbook behavioral1/memory/1544-30-0x00000000000D0000-0x00000000000FE000-memory.dmp formbook -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 7 1352 EQNEDT32.EXE -
Executes dropped EXE 2 IoCs
Processes:
vbc.exevbc.exepid process 1824 vbc.exe 1652 vbc.exe -
Loads dropped DLL 4 IoCs
Processes:
EQNEDT32.EXEpid process 1352 EQNEDT32.EXE 1352 EQNEDT32.EXE 1352 EQNEDT32.EXE 1352 EQNEDT32.EXE -
Uses the VBS compiler for execution 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
vbc.exevbc.exewininit.exedescription pid process target process PID 1824 set thread context of 1652 1824 vbc.exe vbc.exe PID 1652 set thread context of 1200 1652 vbc.exe Explorer.EXE PID 1544 set thread context of 1200 1544 wininit.exe Explorer.EXE -
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
EXCEL.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 1812 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
vbc.exewininit.exepid process 1652 vbc.exe 1652 vbc.exe 1544 wininit.exe 1544 wininit.exe 1544 wininit.exe 1544 wininit.exe 1544 wininit.exe 1544 wininit.exe 1544 wininit.exe 1544 wininit.exe 1544 wininit.exe 1544 wininit.exe 1544 wininit.exe 1544 wininit.exe 1544 wininit.exe 1544 wininit.exe 1544 wininit.exe 1544 wininit.exe 1544 wininit.exe 1544 wininit.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
vbc.exewininit.exepid process 1652 vbc.exe 1652 vbc.exe 1652 vbc.exe 1544 wininit.exe 1544 wininit.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
vbc.exewininit.exedescription pid process Token: SeDebugPrivilege 1652 vbc.exe Token: SeDebugPrivilege 1544 wininit.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
Explorer.EXEpid process 1200 Explorer.EXE 1200 Explorer.EXE 1200 Explorer.EXE 1200 Explorer.EXE -
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
Explorer.EXEpid process 1200 Explorer.EXE 1200 Explorer.EXE 1200 Explorer.EXE 1200 Explorer.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
EXCEL.EXEpid process 1812 EXCEL.EXE 1812 EXCEL.EXE 1812 EXCEL.EXE -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
EQNEDT32.EXEvbc.exeExplorer.EXEwininit.exedescription pid process target process PID 1352 wrote to memory of 1824 1352 EQNEDT32.EXE vbc.exe PID 1352 wrote to memory of 1824 1352 EQNEDT32.EXE vbc.exe PID 1352 wrote to memory of 1824 1352 EQNEDT32.EXE vbc.exe PID 1352 wrote to memory of 1824 1352 EQNEDT32.EXE vbc.exe PID 1824 wrote to memory of 1652 1824 vbc.exe vbc.exe PID 1824 wrote to memory of 1652 1824 vbc.exe vbc.exe PID 1824 wrote to memory of 1652 1824 vbc.exe vbc.exe PID 1824 wrote to memory of 1652 1824 vbc.exe vbc.exe PID 1824 wrote to memory of 1652 1824 vbc.exe vbc.exe PID 1824 wrote to memory of 1652 1824 vbc.exe vbc.exe PID 1824 wrote to memory of 1652 1824 vbc.exe vbc.exe PID 1200 wrote to memory of 1544 1200 Explorer.EXE wininit.exe PID 1200 wrote to memory of 1544 1200 Explorer.EXE wininit.exe PID 1200 wrote to memory of 1544 1200 Explorer.EXE wininit.exe PID 1200 wrote to memory of 1544 1200 Explorer.EXE wininit.exe PID 1544 wrote to memory of 1128 1544 wininit.exe cmd.exe PID 1544 wrote to memory of 1128 1544 wininit.exe cmd.exe PID 1544 wrote to memory of 1128 1544 wininit.exe cmd.exe PID 1544 wrote to memory of 1128 1544 wininit.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SwiftMT1O3.xlsx2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\wininit.exe"C:\Windows\SysWOW64\wininit.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Public\vbc.exe"3⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"{path}"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\vbc.exeMD5
03bfef72c4d962a223cd051d1fe5bbe6
SHA1bb7097101b26eadb4af50f6e2bb21c2cad610217
SHA256f59df25daa1bbe11f38724ad0b36eebc535f1f36ae3796ce5bebe1049cbb57ed
SHA51223b1a4542eb8f530e6984f51e340699c0bda6e03e2c192ef46f61a04358c261ca1f902f5e1c2e36a081fa286f92c4061768e130f38fdca95f3865d9c8cf06874
-
C:\Users\Public\vbc.exeMD5
03bfef72c4d962a223cd051d1fe5bbe6
SHA1bb7097101b26eadb4af50f6e2bb21c2cad610217
SHA256f59df25daa1bbe11f38724ad0b36eebc535f1f36ae3796ce5bebe1049cbb57ed
SHA51223b1a4542eb8f530e6984f51e340699c0bda6e03e2c192ef46f61a04358c261ca1f902f5e1c2e36a081fa286f92c4061768e130f38fdca95f3865d9c8cf06874
-
C:\Users\Public\vbc.exeMD5
03bfef72c4d962a223cd051d1fe5bbe6
SHA1bb7097101b26eadb4af50f6e2bb21c2cad610217
SHA256f59df25daa1bbe11f38724ad0b36eebc535f1f36ae3796ce5bebe1049cbb57ed
SHA51223b1a4542eb8f530e6984f51e340699c0bda6e03e2c192ef46f61a04358c261ca1f902f5e1c2e36a081fa286f92c4061768e130f38fdca95f3865d9c8cf06874
-
\Users\Public\vbc.exeMD5
03bfef72c4d962a223cd051d1fe5bbe6
SHA1bb7097101b26eadb4af50f6e2bb21c2cad610217
SHA256f59df25daa1bbe11f38724ad0b36eebc535f1f36ae3796ce5bebe1049cbb57ed
SHA51223b1a4542eb8f530e6984f51e340699c0bda6e03e2c192ef46f61a04358c261ca1f902f5e1c2e36a081fa286f92c4061768e130f38fdca95f3865d9c8cf06874
-
\Users\Public\vbc.exeMD5
03bfef72c4d962a223cd051d1fe5bbe6
SHA1bb7097101b26eadb4af50f6e2bb21c2cad610217
SHA256f59df25daa1bbe11f38724ad0b36eebc535f1f36ae3796ce5bebe1049cbb57ed
SHA51223b1a4542eb8f530e6984f51e340699c0bda6e03e2c192ef46f61a04358c261ca1f902f5e1c2e36a081fa286f92c4061768e130f38fdca95f3865d9c8cf06874
-
\Users\Public\vbc.exeMD5
03bfef72c4d962a223cd051d1fe5bbe6
SHA1bb7097101b26eadb4af50f6e2bb21c2cad610217
SHA256f59df25daa1bbe11f38724ad0b36eebc535f1f36ae3796ce5bebe1049cbb57ed
SHA51223b1a4542eb8f530e6984f51e340699c0bda6e03e2c192ef46f61a04358c261ca1f902f5e1c2e36a081fa286f92c4061768e130f38fdca95f3865d9c8cf06874
-
\Users\Public\vbc.exeMD5
03bfef72c4d962a223cd051d1fe5bbe6
SHA1bb7097101b26eadb4af50f6e2bb21c2cad610217
SHA256f59df25daa1bbe11f38724ad0b36eebc535f1f36ae3796ce5bebe1049cbb57ed
SHA51223b1a4542eb8f530e6984f51e340699c0bda6e03e2c192ef46f61a04358c261ca1f902f5e1c2e36a081fa286f92c4061768e130f38fdca95f3865d9c8cf06874
-
memory/1128-28-0x0000000000000000-mapping.dmp
-
memory/1200-26-0x0000000004210000-0x00000000042EE000-memory.dmpFilesize
888KB
-
memory/1200-33-0x0000000004B10000-0x0000000004BF3000-memory.dmpFilesize
908KB
-
memory/1352-5-0x0000000076241000-0x0000000076243000-memory.dmpFilesize
8KB
-
memory/1544-32-0x0000000000A80000-0x0000000000B13000-memory.dmpFilesize
588KB
-
memory/1544-31-0x0000000002240000-0x0000000002543000-memory.dmpFilesize
3.0MB
-
memory/1544-30-0x00000000000D0000-0x00000000000FE000-memory.dmpFilesize
184KB
-
memory/1544-29-0x0000000000E20000-0x0000000000E3A000-memory.dmpFilesize
104KB
-
memory/1544-27-0x0000000000000000-mapping.dmp
-
memory/1652-24-0x0000000000970000-0x0000000000C73000-memory.dmpFilesize
3.0MB
-
memory/1652-20-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/1652-21-0x000000000041EAB0-mapping.dmp
-
memory/1652-25-0x0000000000280000-0x0000000000294000-memory.dmpFilesize
80KB
-
memory/1740-6-0x000007FEF79D0000-0x000007FEF7C4A000-memory.dmpFilesize
2.5MB
-
memory/1812-3-0x0000000071241000-0x0000000071243000-memory.dmpFilesize
8KB
-
memory/1812-2-0x000000002F181000-0x000000002F184000-memory.dmpFilesize
12KB
-
memory/1812-4-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1824-11-0x0000000000000000-mapping.dmp
-
memory/1824-19-0x00000000056D0000-0x000000000576A000-memory.dmpFilesize
616KB
-
memory/1824-18-0x0000000000530000-0x000000000053E000-memory.dmpFilesize
56KB
-
memory/1824-17-0x0000000004650000-0x0000000004651000-memory.dmpFilesize
4KB
-
memory/1824-15-0x0000000000040000-0x0000000000041000-memory.dmpFilesize
4KB
-
memory/1824-14-0x000000006C3A0000-0x000000006CA8E000-memory.dmpFilesize
6.9MB