Analysis
max time kernel: 149s
max time network: 141s
platform: windows7_x64
resource: win7v20201028
submitted: 23-02-2021 12:58

Tasks
Static task: static1
Behavioral task: behavioral1 (Sample: MT OCEAN STAR ISO 8217 2005.xlsx; Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: MT OCEAN STAR ISO 8217 2005.xlsx; Resource: win10v20201028)

General
Target: MT OCEAN STAR ISO 8217 2005.xlsx
Size: 2.1MB
MD5: 3ba4a9ceac60a4e52398ac6fbd0ebc5b
SHA1: 19b79bcd8982634747f1dfc6804687d60baf73b0
SHA256: ca4c055b60e84b73461e21062fc06924897c501944ec0f2a467fc4c21f13b342
SHA512: ff14cc9946821af0891fb2b8ae10006ea9902f31c6cfcc5bc6739270080a3862db34e718cf82838585662a3dbad74892db78e891092a9cd0e137e86684440686
Malware Config
Extracted: formbook
http://www.aone223.com/67d/
initiationportal.com
priority1fleet.com
xn--c1abvlc0ba.xn--p1acf
foto-golyh-devushek.com
losangeles-nightlife.com
mynewbandname.com
iaiibhzsbw.net
allwest-originals.com
peakofgoodlife.com
traeespana.com
prizotinstagram.online
powerd.net
rutharroyo.com
spreadtheaimee.com
tomleefamily.com
workingcompass.net
quallateematerial.com
davizion.com
ashleeramdanfit.com
gamers-evolution.com
bohrabiz.com
twigandbloomfloral.com
nhdpartners.com
wakedcma.com
algulotomotiv.com
kocaelikiralikvinc.com
listenupfoundation.net
studiozetamilano.com
luckybluebird.net
xigo100.com
hattonpalacejewellery.com
bolsasmariabonita.com
didierjammet.com
wndslve.com
wiprideinc.com
aktiv.plus
americanseniorcarecorp.com
calmbears.com
gearsevenfitness.com
naigves.com
stremate.webcam
awakenedbyowls.com
pelican-foot.com
t-c-o-t-c.com
disinfectingcinci.com
buyrealestatewithchris.com
g-grid.net
dodadungthongminh.asia
prospect300.com
rjutilities.com
mylegalmavens.com
talalmando.com
localheroes.space
writinglover.site
brink100.com
bim3dstudio.com
absak-lab1.net
torontodo.com
repwebtools.com
films4christians.com
raptorroofingcompany.com
lrrestoration.com
zhongqinglvyou.com
jangabeach.com
Signatures

Formbook Payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1960-20-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral1/memory/1960-21-0x000000000041EB60-mapping.dmp | formbook
behavioral1/memory/1152-30-0x0000000000070000-0x000000000009E000-memory.dmp | formbook
Blocklisted process makes network request 2 IoCs
Processes: EQNEDT32.EXE
flow | pid | process
6 | 1776 | EQNEDT32.EXE
8 | 1776 | EQNEDT32.EXE
Executes dropped EXE 2 IoCs
Processes: vbc.exe, vbc.exe
pid | process
1912 | vbc.exe
1960 | vbc.exe
Loads dropped DLL 4 IoCs
Processes: EQNEDT32.EXE
pid | process
1776 | EQNEDT32.EXE (4 identical entries)
Uses the VBS compiler for execution 1 TTPs

Suspicious use of SetThreadContext 3 IoCs
Processes: vbc.exe, vbc.exe, cscript.exe
description | pid | process | target process
PID 1912 set thread context of 1960 | 1912 | vbc.exe | vbc.exe
PID 1960 set thread context of 1276 | 1960 | vbc.exe | Explorer.EXE
PID 1152 set thread context of 1276 | 1152 | cscript.exe | Explorer.EXE
Enumerates system info in registry 2 TTPs 1 IoCs
Processes: EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

Modifies Internet Explorer settings
Processes: EXCEL.EXE
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: EXCEL.EXE
pid | process
1684 | EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes: vbc.exe, cscript.exe
pid | process
1960 | vbc.exe (2 identical entries)
1152 | cscript.exe (20 identical entries)
Suspicious behavior: MapViewOfSection 5 IoCs
Processes: vbc.exe, cscript.exe
pid | process
1960 | vbc.exe (3 identical entries)
1152 | cscript.exe (2 identical entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: vbc.exe, cscript.exe
description | pid | process
Token: SeDebugPrivilege | 1960 | vbc.exe
Token: SeDebugPrivilege | 1152 | cscript.exe
Suspicious use of FindShellTrayWindow 4 IoCs
Processes: Explorer.EXE
pid | process
1276 | Explorer.EXE (4 identical entries)
Suspicious use of SendNotifyMessage 4 IoCs
Processes: Explorer.EXE
pid | process
1276 | Explorer.EXE (4 identical entries)
Suspicious use of SetWindowsHookEx 3 IoCs
Processes: EXCEL.EXE
pid | process
1684 | EXCEL.EXE (3 identical entries)
Suspicious use of WriteProcessMemory 19 IoCs
Processes: EQNEDT32.EXE, vbc.exe, Explorer.EXE, cscript.exe
description | pid | process | target process
PID 1776 wrote to memory of 1912 | 1776 | EQNEDT32.EXE | vbc.exe (4 identical entries)
PID 1912 wrote to memory of 1960 | 1912 | vbc.exe | vbc.exe (7 identical entries)
PID 1276 wrote to memory of 1152 | 1276 | Explorer.EXE | cscript.exe (4 identical entries)
PID 1152 wrote to memory of 368 | 1152 | cscript.exe | cmd.exe (4 identical entries)
Processes

C:\Windows\Explorer.EXE (level 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (level 2)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\MT OCEAN STAR ISO 8217 2005.xlsx"
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\autochk.exe (level 2; 17 instances, each with the same command line)
    Command line: "C:\Windows\SysWOW64\autochk.exe"

  C:\Windows\SysWOW64\cscript.exe (level 2)
    Command line: "C:\Windows\SysWOW64\cscript.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: /c del "C:\Users\Public\vbc.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (level 1)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory

  C:\Users\Public\vbc.exe (level 2)
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Public\vbc.exe (level 3)
      Command line: "{path}"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Public\vbc.exe
MD5: 2201881c6cc2de12c71f906e43178ef9
SHA1: 2b494db5e52b74df25ff068d0d2a3295aae4f658
SHA256: 945ebbaf8c08902ed75eb98f5cabd2dbd88708c1aac37a35762db091c1ce0476
SHA512: 4ddf35b3d8c49c9334fe4e32e0db68b2780ad8528dc31595ae7d63906625faa045aaed0ef84a4264a29c3b8db8c35054478898df914c3df0512618edea59f167

\Users\Public\vbc.exe
MD5: 2201881c6cc2de12c71f906e43178ef9
SHA1: 2b494db5e52b74df25ff068d0d2a3295aae4f658
SHA256: 945ebbaf8c08902ed75eb98f5cabd2dbd88708c1aac37a35762db091c1ce0476
SHA512: 4ddf35b3d8c49c9334fe4e32e0db68b2780ad8528dc31595ae7d63906625faa045aaed0ef84a4264a29c3b8db8c35054478898df914c3df0512618edea59f167
-
Memory dumps
memory/368-28-0x0000000000000000-mapping.dmp
memory/1152-29-0x0000000000430000-0x0000000000452000-memory.dmp | Filesize: 136KB
memory/1152-30-0x0000000000070000-0x000000000009E000-memory.dmp | Filesize: 184KB
memory/1152-31-0x0000000001EC0000-0x00000000021C3000-memory.dmp | Filesize: 3.0MB
memory/1152-32-0x0000000002270000-0x0000000002303000-memory.dmp | Filesize: 588KB
memory/1152-27-0x0000000000000000-mapping.dmp
memory/1276-26-0x0000000006BC0000-0x0000000006D06000-memory.dmp | Filesize: 1.3MB
memory/1276-33-0x0000000004F10000-0x0000000005003000-memory.dmp | Filesize: 972KB
memory/1684-2-0x000000002F751000-0x000000002F754000-memory.dmp | Filesize: 12KB
memory/1684-3-0x0000000071AC1000-0x0000000071AC3000-memory.dmp | Filesize: 8KB
memory/1684-4-0x000000005FFF0000-0x0000000060000000-memory.dmp | Filesize: 64KB
memory/1688-6-0x000007FEF68D0000-0x000007FEF6B4A000-memory.dmp | Filesize: 2.5MB
memory/1776-5-0x00000000756A1000-0x00000000756A3000-memory.dmp | Filesize: 8KB
memory/1912-15-0x0000000000300000-0x0000000000301000-memory.dmp | Filesize: 4KB
memory/1912-14-0x000000006CC20000-0x000000006D30E000-memory.dmp | Filesize: 6.9MB
memory/1912-11-0x0000000000000000-mapping.dmp
memory/1912-17-0x0000000000490000-0x0000000000491000-memory.dmp | Filesize: 4KB
memory/1912-19-0x0000000004470000-0x00000000044CB000-memory.dmp | Filesize: 364KB
memory/1912-18-0x00000000004D0000-0x00000000004DB000-memory.dmp | Filesize: 44KB
memory/1960-24-0x0000000000A20000-0x0000000000D23000-memory.dmp | Filesize: 3.0MB
memory/1960-25-0x00000000001F0000-0x0000000000204000-memory.dmp | Filesize: 80KB
memory/1960-21-0x000000000041EB60-mapping.dmp
memory/1960-20-0x0000000000400000-0x000000000042E000-memory.dmp | Filesize: 184KB