Analysis
- max time kernel: 70s
- max time network: 16s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 26-02-2021 14:30
Static task: static1
Behavioral task: behavioral1
- Sample: PAYMENTADVICE.xlsx
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: PAYMENTADVICE.xlsx
- Resource: win10v20201028
General
- Target: PAYMENTADVICE.xlsx
- Size: 2.3MB
- MD5: 6a665d2ebffb301cd53b051cf04337b3
- SHA1: 74b35d94beacfe37f41cc6891e7ddc96a442c0bd
- SHA256: 08a0ab3c46df8c30ed29ab0ab4d5cc733c421cbff42490788a34f5aba13bb37b
- SHA512: 8b19d0ffa2315b8ff74eece86ab92bc417523867291589700cf086f6a3aa0199e119fcd55a04d05e007a15bdfaceeeab6a31c1906d7bd8ca37c50fdcaea6ecae
Malware Config
Extracted: formbook
http://www.torontotel.com/4qdc/
mangpe.asia
mmstruckingllc.com
ascendingworship.com
gfeets.com
smartcbda.com
dreaminggrand.com
dohostar.com
farkindalik365.com
weareexpatwomen.com
gamereruns.com
rosesandframes.com
commagx4.info
tarpleymusic.info
szttskj.com
calatheahomeservices.com
qm7886.com
emunmous.com
deutschclub.com
39palmavenue.com
thepixxelgroup.com
buildassetswealth.com
oscarandmarina.com
zingoworks.space
edgewooddhr.net
earth-emily.com
belanjagratis.com
sandrapidal.com
btvstudios.com
aberdareroyalcottages.com
officialgiftclub.com
kerdbooks.com
havemercyinc.net
sunsitek.com
larek.store
radioapostolicadigital.com
xcuswaeheje.com
ndk168.com
pcareinc.com
beconfidentagain.com
codejunkys.com
constancescot.com
inbarrel.com
thepurepharmacy.com
finoblog.com
orderbbqculinary.com
bgshtswp.com
hezhengnet.com
clerolaustrie.com
speedysnacksbox.com
amazonia.coffee
mnkmultiservicios.com
antips.com
powerofphoto.com
trackyourvote.com
equiposddl.com
mintmobikeplus.com
grn-shop.com
fabslab.coffee
musicindustrymag.com
cyprusdivingcenters.com
sunsilify.com
rehabcareconnect.com
kingscarehospital.com
pompomlearning.com
Signatures
Xloader Payload (1 IoC)
- resource: behavioral1/memory/1324-20-0x0000000000400000-0x000000000043E000-memory.dmp, yara_rule: xloader
Blocklisted process makes network request (2 IoCs)
- flow 4, pid 2004, process EQNEDT32.EXE
- flow 8, pid 2004, process EQNEDT32.EXE
Executes dropped EXE (2 IoCs)
- pid 680, process vbc.exe
- pid 1324, process vbc.exe
Loads dropped DLL (9 IoCs)
- pid 2004, process EQNEDT32.EXE (4 loads)
- pid 680, process vbc.exe (2 loads)
- pid 2028, process dw20.exe (3 loads)
Uses the VBS compiler for execution (1 TTP)
Suspicious use of SetThreadContext (1 IoC)
- PID 680 (vbc.exe) set thread context of 1324 (vbc.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
NSIS installer (20 IoCs)
- \Users\Public\vbc.exe matched yara_rule nsis_installer_1 and nsis_installer_2 (7 matches each)
- C:\Users\Public\vbc.exe matched yara_rule nsis_installer_1 and nsis_installer_2 (3 matches each)
Enumerates system info in registry (2 TTPs, 1 IoC)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor (EXCEL.EXE)
Launches Equation Editor (1 TTP, 1 IoC)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Modifies Internet Explorer settings
- Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" (EXCEL.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" (EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (EXCEL.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" (EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar (EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt (EXCEL.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (EXCEL.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" (EXCEL.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" (EXCEL.EXE)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
- pid 648, process EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (4 IoCs)
- pid 680, process vbc.exe (4 times)
Suspicious behavior: MapViewOfSection (1 IoC)
- pid 680, process vbc.exe
Suspicious use of SetWindowsHookEx (5 IoCs)
- pid 648, process EXCEL.EXE (5 times)
Suspicious use of WriteProcessMemory (13 IoCs)
- PID 2004 (EQNEDT32.EXE) wrote to memory of 680 (vbc.exe), 4 times
- PID 680 (vbc.exe) wrote to memory of 1324 (vbc.exe), 5 times
- PID 1324 (vbc.exe) wrote to memory of 2028 (dw20.exe), 4 times
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PAYMENTADVICE.xlsx
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Public\vbc.exe
    Command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - Child process: C:\Users\Public\vbc.exe
      Command line: "C:\Users\Public\vbc.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - Child process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        Command line: dw20.exe -x -s 400
        - Loads dropped DLL
Downloads
- C:\Users\Public\vbc.exe
  MD5: 456dfe1f5220c97f904bd4704ea34956
  SHA1: 539cade9a33487696ec1b037c9e124af71a353e3
  SHA256: 9ffe2705a8dc9d3d60b856b9fb9c9501d12dc57b89eaa9f1cd0ae41adb9f234e
  SHA512: 817f7f4efb00c6e21e8f5f8e988ae25442e6035f1ba857edd283a53e5101d9d351467bd6d1a7913b3b78580bbe1176e0d51c4db689563102df33b1d67c892eda
- \Users\Admin\AppData\Local\Temp\nsd9252.tmp\System.dll
  MD5: fccff8cb7a1067e23fd2e2b63971a8e1
  SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
- \Users\Admin\AppData\Local\Temp\oaur7ez8.dll
  MD5: 327cefe445fbf7dacdaf0505f6e580c4
  SHA1: 772415ad16012ecac845a85cc97b258a7bc40db0
  SHA256: 724328c68f60b86ff8a7ae132c4a8dde1bcf35bebe2c9c4aada13ebd5e64eef5
  SHA512: bfbd73a45602f481768b21a10c35c11bb44627048fa22b902cb93a3b617906e3a7accd2ce711970634708385e748ca59f0b3535e3f023b8febcc9908d8f2605e
- \Users\Public\vbc.exe
  MD5: 456dfe1f5220c97f904bd4704ea34956
  SHA1: 539cade9a33487696ec1b037c9e124af71a353e3
  SHA256: 9ffe2705a8dc9d3d60b856b9fb9c9501d12dc57b89eaa9f1cd0ae41adb9f234e
  SHA512: 817f7f4efb00c6e21e8f5f8e988ae25442e6035f1ba857edd283a53e5101d9d351467bd6d1a7913b3b78580bbe1176e0d51c4db689563102df33b1d67c892eda
- memory/624-6-0x000007FEF7500000-0x000007FEF777A000-memory.dmp (Filesize: 2.5MB)
- memory/648-4-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
- memory/648-2-0x000000002F0C1000-0x000000002F0C4000-memory.dmp (Filesize: 12KB)
- memory/648-3-0x0000000071461000-0x0000000071463000-memory.dmp (Filesize: 8KB)
- memory/680-11-0x0000000000000000-mapping.dmp
- memory/1324-17-0x000000000040188B-mapping.dmp
- memory/1324-26-0x0000000000270000-0x0000000000271000-memory.dmp (Filesize: 4KB)
- memory/1324-27-0x0000000000271000-0x0000000000272000-memory.dmp (Filesize: 4KB)
- memory/1324-20-0x0000000000400000-0x000000000043E000-memory.dmp (Filesize: 248KB)
- memory/2004-5-0x0000000075301000-0x0000000075303000-memory.dmp (Filesize: 8KB)
- memory/2028-22-0x0000000001EB0000-0x0000000001EC1000-memory.dmp (Filesize: 68KB)
- memory/2028-21-0x0000000000000000-mapping.dmp
- memory/2028-25-0x0000000002380000-0x0000000002391000-memory.dmp (Filesize: 68KB)
- memory/2028-31-0x00000000004E0000-0x00000000004E1000-memory.dmp (Filesize: 4KB)